Washington’s Health Data Privacy Law (My Health My Data Act): What Healthcare Organizations Need to Know
Consumer Health Data Definition
Washington’s My Health My Data Act (MHMDA) uses a deliberately broad definition of “consumer health data”: personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status, including information that reveals that status only by inference.
Examples you are likely to handle include:
- Diagnoses, conditions, treatments, medications, and lab results.
- Genetic and biometric identifiers used for health purposes (for example, facial recognition used for patient check-in).
- Reproductive, sexual, and behavioral health information, wellness and fitness app data, and symptom trackers.
- Health-related browsing, search queries, or purchase histories (e.g., buying prenatal vitamins or mobility aids).
- Precise location that could indicate a visit to, or attempt to obtain, health services or supplies.
- Inferences drawn from non-health data that reveal or suggest a health status or interest.
Two carve-outs matter most. Deidentified data is exempt when it cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer, and you take reasonable measures to keep it that way (including contractual restrictions on reidentification by recipients). Protected health information (PHI) handled by a HIPAA covered entity or business associate under HIPAA is also out of scope, but the same organization may still hold non-PHI consumer health data (website and app tracking, marketing data, wellness programs) that remains covered by the Act.
Applicability and Scope
The law applies to entities that conduct business in Washington or target products or services to Washington consumers and collect, process, share, or sell consumer health data. It reaches hospitals, clinics, labs, telehealth providers, pharmacies, digital health and wellness apps, and the service providers that support them (analytics, advertising, hosting, and other processors).
HIPAA alignment is partial, not complete. PHI handled under HIPAA is exempt, but tracking technologies on your public website, mobile apps, patient acquisition campaigns, or loyalty programs can collect consumer health data that never becomes PHI and therefore falls under the Act. Nonprofits are in scope, and there is no revenue threshold for coverage; only government agencies and tribal nations are excluded.
Consumer Rights and Protections
MHMDA grants consumers rights of access to and control over their consumer health data. You must enable consumers to:
- Confirm whether you collect, share, or sell their consumer health data and access that data in a portable, usable format.
- Receive a list of all third parties and affiliates with whom their consumer health data has been shared or sold, along with an active email address or other online mechanism for contacting those recipients.
- Delete their consumer health data, including copies in archived or backup systems, and have you notify affiliates, processors, contractors, and other recipients so they delete it as well.
- Withdraw consent, halting future collection or sharing for the withdrawn purposes.
Core duties accompany these rights: purpose limitation and data minimization (collect only what is necessary to provide the requested service), a documented retention schedule with timely deletion, reasonable administrative, technical, and physical safeguards, and written contracts with processors that restrict use and impose security obligations. Rights requests must be answered without undue delay, and in any case within 45 days (extendable once by a further 45 days when reasonably necessary).
Privacy Policy Requirements
You must publish and maintain a clear, standalone Consumer Health Data Privacy Policy and link to it prominently from your homepage. At minimum, it should state:
- The categories of consumer health data you collect and the specific purposes for each category.
- The sources of the data and your processing activities (collection, use, sharing, and sale).
- The third parties and affiliates with whom you share consumer health data and the purposes for such disclosures.
- How consumers can exercise their rights (Data Subject Access, deletion, and withdrawal of consent) and how you will authenticate them.
- Your retention schedule and the criteria used to determine deletion timelines.
- Your contact method for privacy inquiries and the policy’s effective date and update process.
Keep this policy separate from your HIPAA Notice of Privacy Practices and your general website privacy notice. It should not rely on vague categories or bundled permissions; precision and purpose-specific disclosures are essential.
Consent and Opt-In Procedures
The Act requires opt-in, purpose-specific affirmative consent before you collect consumer health data beyond what is necessary to provide a product or service the consumer requested, and a separate, distinct consent before you share it. Consent must be freely given, specific, informed, unambiguous, and captured by a clear, affirmative act: no prechecked boxes, nudges, or dark patterns, and no consent inferred from inaction or from acceptance of general terms.
Selling consumer health data is subject to a higher bar. A signed, plain-language authorization is required, specifying at least the data to be sold, the name and contact information of the purchaser(s), the purpose of the sale, a statement that goods or services are not conditioned on signing, the consumer’s right to revoke, and an expiration date no later than one year after signing. This authorization cannot be combined with other documents or bundled with other agreements.
- Request consent at the point of collection, describing each purpose plainly and separately.
- Provide an easy, always-available way to withdraw consent that is as simple as giving it.
- Maintain auditable records of consents, withdrawals, and sales authorizations.
Geofencing Restrictions
The law establishes a strict geofencing prohibition around entities that provide in-person health care services. A geofence here means a virtual boundary of 2,000 feet or less around the physical location. You may not implement one to identify or track consumers seeking health care services, to collect consumer health data from them, or to send notifications, messages, or ads related to their health data or to health care services based on their presence in that area. This prohibition took effect on July 23, 2023 and applies regardless of consent.
Practically, this means you cannot set a geofence around clinics, pharmacies, or hospitals to harvest device identifiers, build audiences, or deliver condition-specific ads. Review any location-based marketing, proximity beacons, or SDKs to ensure they do not engage in prohibited collection or targeting.
Enforcement and Penalties
A violation of MHMDA is an unfair or deceptive act under the Washington Consumer Protection Act. Both the Attorney General and private plaintiffs can bring actions. Remedies may include injunctive relief, actual damages, attorneys’ fees, and, in private suits, treble damages capped at $25,000 at the court’s discretion. Violations involving unauthorized sale or prohibited geofencing present heightened and immediate risk because they are bright-line rules with no consent-based defense.
To reduce exposure, healthcare organizations should prioritize: a data inventory and mapping of consumer health data, a purpose-based Consumer Health Data Privacy Policy, consent and opt-in workflows, processor contracts and audits, data minimization and retention governance, and technical controls that disable prohibited collection or geofencing.
In short, the Act extends privacy expectations beyond HIPAA, requiring you to justify each use of consumer health data, obtain granular opt-in where needed, and avoid sensitive location-based targeting altogether.
FAQs
What types of health data are protected under the My Health My Data Act?
The Act protects personal information linked or reasonably linkable to a consumer that identifies, or can be used to infer, the person’s past, present, or future physical or mental health status. That includes diagnoses and treatments, genetic and biometric data, wellness and symptom-tracking app data, health-related browsing or purchases, precise location suggesting a visit to a health facility, and inferences about health conditions. Deidentified data is exempt, as is PHI handled under HIPAA.
When does the law take effect for different sized organizations?
The geofencing prohibition has been in force since July 23, 2023. Most other obligations took effect on March 31, 2024 for regulated entities, and on June 30, 2024 for small businesses. A small business is a regulated entity that handles consumer health data of fewer than 100,000 consumers in a calendar year, or that derives less than 50% of its gross revenue from consumer health data and handles data of fewer than 25,000 consumers.
What are the specific consent requirements under the Act?
You need purpose-specific affirmative consent to collect consumer health data beyond what is necessary to provide a requested service, and a separate consent to share it. For any sale of consumer health data, you must obtain a signed, plain-language authorization that identifies the data, the purchaser(s) and their contact information, the purpose, the right to revoke, and an expiration date no more than one year out. Consent cannot be bundled, coerced, or implied by inactivity, and consumers must be able to withdraw consent as easily as they gave it.
How are violations enforced and penalized under this law?
Enforcement proceeds through the Washington Consumer Protection Act, by the Attorney General and by private plaintiffs. Available remedies include injunctive relief, actual damages, attorneys’ fees, and, in private actions, treble damages capped at $25,000. Unauthorized data sales and violations of the geofencing prohibition are bright-line rules and carry the most immediate risk.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.