Washington My Health My Data Act (MHMDA): Summary, Key Requirements, and Compliance Guide



Kevin Henry

Data Privacy

March 25, 2026

8 minutes read

Consumer Rights Under MHMDA

Data Subject Rights at a glance

  • Right to know and access: You can confirm whether a business is collecting, sharing, or selling your consumer health data and access that data, including a list of all third parties and affiliates that received it and a contact method for them.
  • Right to delete: You can request Health Data Deletion, requiring the business to erase your data across its systems and instruct affiliates, processors, contractors, and other third parties to do the same.
  • Right to withdraw consent: You may revoke previously granted permissions; businesses may not unlawfully discriminate against you for exercising your rights.
  • Right to appeal: If a request is denied, you can appeal and must receive a written outcome.

Timelines and process

  • Businesses must respond to requests without undue delay and within 45 days, with one possible 45‑day extension when reasonably necessary.
  • Requests are free up to twice per year; businesses may authenticate requests using reasonable methods.
  • If deletion affects archived or backup systems, final removal may be delayed but must be completed within six months of authenticating your request.

MHMDA is an opt‑in regime: except when strictly necessary to provide a product or service you requested, businesses must obtain Affirmative Consent before collecting consumer health data and a separate, distinct Affirmative Consent before sharing it. Consent requests must clearly disclose data categories, purposes, recipients, and how you can withdraw consent, and they cannot rely on deceptive designs or bundled terms.

Privacy notice and transparency

Covered entities must publish a consumer health data privacy policy linked from the homepage. The policy must describe categories and sources of consumer health data, purposes of use, categories shared, the specific affiliates and categories of third parties receiving data, and how you can exercise your rights. Collecting or using new categories or purposes later requires updated disclosures and new Affirmative Consent.

Data Deletion Requirements

Scope of deletion

Upon a verified request, a business must delete consumer health data from all parts of its network, including active systems, and notify all affiliates, processors, contractors, and other third parties to delete the data as well. This propagation duty is central to the law’s Health Data Deletion standard.

  • If data resides in archived or backup systems, deletion may be delayed solely for restoration logistics but must be completed within six months of authentication.
  • Data subject to legal obligations may be retained only to the extent required by law; retained data may not be used for any other purpose.

Geofencing Restrictions in Healthcare

Geofencing Limitations

It is unlawful to implement a geofence around an entity that provides in‑person health care services when used to identify or track people seeking care, collect consumer health data, or send notifications, messages, or ads about health data or services. A “geofence” means a virtual boundary set using location technologies (for example GPS, cell towers, Wi‑Fi, or RFID) and is defined as 2,000 feet or less from the perimeter of the physical location. These restrictions have been in force since July 23, 2023.


Private Right of Action Provisions

Enforcement and litigation exposure

Any violation of MHMDA is deemed an unfair or deceptive act and an unfair method of competition under the Washington Consumer Protection Act. This creates a Private Right of Action: consumers can seek injunctive relief, actual damages, and attorneys’ fees, and courts may award treble damages up to $25,000 at their discretion. The Washington Attorney General may also enforce violations, increasing exposure for organizations that process consumer health data.

What plaintiffs must show

As with other Consumer Protection Act claims, private plaintiffs generally must demonstrate an injury to business or property and causation. The per‑se designation reduces debate over whether the conduct affects the public interest, heightening the risk of individual and class actions.

Scope of Application

Who is covered

  • Regulated entities: Any legal entity that conducts business in Washington or targets products or services to Washington consumers and determines purposes and means of collecting, processing, sharing, or selling consumer health data.
  • Small businesses: Entities meeting at least one of two thresholds: they process consumer health data of fewer than 100,000 consumers in a calendar year, or they derive less than 50% of gross revenue from collecting, processing, selling, or sharing consumer health data and handle fewer than 25,000 consumers’ data.
  • Exclusions: Government agencies, tribal nations, and their contracted service providers when processing on the government’s behalf.

Consumer Health Data Definition

Consumer health data is broadly defined as personal information linked or reasonably linkable to a consumer that identifies the consumer’s past, present, or future physical or mental health status. It includes traditional medical details (conditions, treatments, diagnoses, procedures, medication use), biometric and genetic data, reproductive and gender‑affirming care information, data identifying someone seeking health care services, and inferences derived from non‑health data.

It also includes precise location information that could reasonably indicate an attempt to obtain health services or supplies, defined as location data accurate within a 1,750‑foot radius. “Sharing” covers disclosures to third parties and affiliates; “sale” means exchange for monetary or other valuable consideration and requires a signed, stand‑alone authorization that expires one year from signature.

Data‑level exemptions

The Act carves out specific data types rather than entire entities—for example, HIPAA‑regulated protected health information, 42 C.F.R. Part 2 substance‑use data, certain research data, GLBA‑governed data, FCRA data, FERPA education records, and specified insurance and exchange data. Mixed datasets intermingled with exempt information may also be excluded when indistinguishable.

Steps to Implement Compliance

Practical roadmap

  1. Run a Compliance Gap Analysis: Map all data flows to identify where consumer health data is collected, inferred, shared, or sold, and benchmark current practices against MHMDA controls.
  2. Classify data: Distinguish consumer health data from other personal data; flag inferences and precise location elements that could reveal health‑seeking behavior.
  3. Update your privacy policy: Add a Washington consumer health data privacy policy linked on the homepage, listing categories, sources, purposes, categories shared, specific affiliates, and instructions for exercising rights.
  4. Design consent architecture: Implement separate, granular Affirmative Consent prompts for collection and for sharing; log purpose‑specific consent; enable easy withdrawal without dark patterns.
  5. Limit collection and use: Process only what is necessary to provide the requested product or service or what you have explicit consent to process; document purposes and retention.
  6. Stand up a rights program: Offer secure request channels, authenticate reasonably, track deadlines (45 days + one 45‑day extension), support up to two free requests annually, and provide an appeal mechanism.
  7. Build a deletion engine: Orchestrate end‑to‑end Health Data Deletion across systems; automatically notify affiliates, processors, contractors, and other third parties; ensure backup deletions complete within six months of authentication.
  8. Harden security and access controls: Restrict access on a need‑to‑know basis and implement administrative, technical, and physical safeguards appropriate to the data’s sensitivity and volume.
  9. Refactor vendor management: Amend processor agreements with binding instructions and assistance duties; prevent third parties and affiliates from using data beyond specified purposes; treat “sharing” with affiliates as subject to consent.
  10. Control “sale” of consumer health data: If selling, obtain a stand‑alone, signed authorization that includes required disclosures and a one‑year expiration; retain authorizations for six years.
  11. Eliminate restricted geofencing: Prohibit geofences around in‑person health care facilities used to track, collect, or target messaging related to health; audit adtech partners accordingly.
  12. Train and monitor: Educate teams, test consent and request flows, and schedule periodic reviews to keep your program aligned with evolving practices and enforcement trends.

Conclusion

MHMDA imposes an opt‑in framework, expansive transparency, strong Data Subject Rights, rigorous Health Data Deletion, and strict Geofencing Limitations, all backed by a potent Private Right of Action. A disciplined Compliance Gap Analysis and the operational steps above position you to meet obligations confidently while maintaining consumer trust.

FAQs

What types of entities are covered by the MHMDA?

The law applies to “regulated entities” that do business in Washington or target Washington consumers and determine the purposes and means of processing consumer health data. It also applies to “small businesses” that meet volume or revenue thresholds. Government agencies, tribal nations, and contractors processing on behalf of a government agency are excluded.

How does MHMDA define consumer health data?

Consumer health data means personal information linked or reasonably linkable to a consumer that identifies past, present, or future physical or mental health status, including conditions, treatments, procedures, medication use, biometric and genetic data, reproductive and gender‑affirming care, data identifying someone seeking health care, and inferences derived from non‑health data. It also covers precise location information that could reasonably indicate attempts to obtain health services.

What are the deadlines for compliance?

  • Geofencing prohibition: In force since July 23, 2023.
  • Most substantive obligations (for regulated entities): Effective March 31, 2024.
  • Small businesses: Effective June 30, 2024.

How can consumers exercise their rights under the MHMDA?

Submit a request through the secure method described in the business’s consumer health data privacy policy. The business must authenticate your request, respond within 45 days (with one possible 45‑day extension), and provide results free of charge up to two times per year. If denied, you may appeal and must receive a written explanation and information on contacting the Washington Attorney General.
