Washington's My Health My Data Act: Healthcare Practice Implications
8 min read · Last reviewed May 23, 2026
Washington's My Health My Data Act (RCW 19.373) phased in across three dates: the geofence prohibition (codified at RCW 19.373.080) took effect July 23, 2023; sections 4 through 9 of the act (the substantive consumer-data framework, codified primarily at RCW 19.373.020 through 19.373.070) took effect March 31, 2024 for most regulated entities and June 30, 2024 for small businesses. The single biggest divergence from HIPAA is the combination of broad consumer health data scope (covering inferences and non-treatment health data that HIPAA does not reach) plus a private right of action through the Washington Consumer Protection Act — a structural enforcement model HIPAA does not allow.
What Washington's My Health My Data Act actually requires
The statute applies to a "regulated entity" — any legal entity that conducts business in Washington or produces products or services targeted to Washington consumers and that determines, alone or with others, the purpose and means of collecting, processing, sharing, or selling consumer health data. Unlike Virginia CDPA, there is no volume threshold — every regulated entity is in scope.
The core definition at RCW 19.373.010(8) of "consumer health data" sweeps in: any personal information linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status. Examples include individual health conditions, treatment, diseases, or diagnosis; social, psychological, behavioral, and medical interventions; health-related surgeries or procedures; use or purchase of prescribed medication; bodily functions, vital signs, symptoms, or measurements; diagnoses or diagnostic testing, treatment, or medication; gender-affirming care information; reproductive or sexual health information; biometric data; genetic data; precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services; data that identifies a consumer seeking healthcare; and any inference derived from any of the above.
Core obligations under the substantive MHMDA framework at RCW 19.373.020 (consumer health data privacy policy), RCW 19.373.030 (consent before collection of consumer health data not necessary to provide a requested product or service), RCW 19.373.040 (separate authorization for any sale of consumer health data), RCW 19.373.050 (consumer rights to access, withdraw consent, and delete), RCW 19.373.060 (security practices and restricted employee access), and RCW 19.373.070 (written processor contracts).
The HIPAA carve-out at RCW 19.373.100 exempts PHI processed in the same manner as PHI by a HIPAA-covered entity or business associate, plus information used for public health activities, clinical trials, FDA-regulated activities, and several other federal frameworks. The exemption is for the data, not the entity.
Where Washington MHMDA is stricter than HIPAA
Where MHMDA bites is the inference layer and the geofence ban. HIPAA covers PHI in the hands of a covered entity. MHMDA covers any consumer health data, including inferences derived from non-health data, in the hands of any regulated entity. A practice that uses third-party analytics on its website to infer patient interest in a service is generating consumer health data under MHMDA even though no HIPAA disclosure has occurred.
The geofence prohibition at RCW 19.373.080 is unique. No person — regulated entity or otherwise — may implement a geofence around any entity providing in-person healthcare services within 2,000 feet of the perimeter, where the geofence is used to (a) identify or track consumers seeking healthcare services, (b) collect consumer health data, or (c) send notifications, messages, or advertisements related to consumer health data. The prohibition applies to all entities, has no small-business carve-out, and took effect July 23, 2023.
| Topic | HIPAA | Washington MHMDA | Stricter | |---|---|---|---| | Data scope | PHI held by covered entity or BA | Consumer health data including inferences, broader than PHI | Washington | | Geofence/location tracking | Not specifically addressed | Bans geofencing within 2,000 ft of healthcare facility | Washington | | Consent for collection | Not required for TPO uses | Required for any collection beyond what is necessary for requested service | Washington | | Sale of data | Marketing authorization rule under 45 CFR 164.508(a)(3) | Separate signed authorization required for any sale (§ 19.373.040) | Washington | | Right to delete | None | Yes (§ 19.373.050) | Washington | | Right to withdraw consent | Authorization revocation under 45 CFR 164.508(b)(5) | Right to withdraw consent at any time (§ 19.373.030) | Comparable | | Private right of action | None | Yes, via CPA RCW 19.86.090 — treble damages to $25,000, fees, injunction | Washington | | Per-violation penalty | Up to $73,011 per violation, $2,190,294 annual cap per identical violation (2026 HHS-adjusted HIPAA; 45 CFR Part 102) | CPA penalty up to $7,500 + private treble damages | Different structures | | Right to cure | None | None | Tie |
The plaintiffs' bar treatment of MHMDA is the structural risk. Because § 19.373.090 makes any MHMDA violation per se a Washington Consumer Protection Act violation, individual consumers can sue, and Washington's CPA has a long-developed body of class action practice. Expect MHMDA class actions in 2026 and beyond on pixel-tracking, geofencing, and analytics integrations comparable to the Illinois BIPA wave.
Where HIPAA is stricter than Washington MHMDA
HIPAA's Security Rule at 45 CFR Part 164, Subpart C imposes administrative, physical, and technical safeguards that MHMDA does not match. MHMDA at RCW 19.373.060 requires regulated entities to establish, implement, and maintain administrative, technical, and physical data security practices, but the language is general. HIPAA's risk analysis at 164.308(a)(1)(ii)(A) is more prescriptive.
HIPAA's per-violation penalty ceiling under 45 CFR 160.404 is structurally higher than the Washington CPA's $7,500 civil penalty cap, though MHMDA's private right of action with treble damages can outpace HIPAA in aggregate.
HIPAA's prescriptive breach notification under 45 CFR 164.400-414 has no MHMDA analog. Washington's general data breach statute at RCW 19.255 runs separately and uses a 30-day notification window — itself shorter than HIPAA's 60-day floor, but not specifically health-focused.
Breach notification timeline
MHMDA is not primarily a breach notification statute. The Washington data breach notification statute at RCW 19.255.010 controls and requires notice to affected Washington residents within 30 days of discovery, with notice to the Attorney General if more than 500 Washington residents are affected.
For PHI breaches, HIPAA's 45 CFR 164.404(b) 60-day timeline is the longer outer bound, but the Washington 30-day timeline is the operative deadline for any breach involving Washington residents' personal information. Where the breach involves both PHI and consumer health data outside HIPAA, run both timelines in parallel and meet the shorter one.
Penalties + private right of action
RCW 19.373.090 makes a violation of MHMDA an unfair or deceptive act under the Washington Consumer Protection Act. The Washington AG enforces under RCW 19.86 with civil penalties up to $7,500 per violation, restitution, and injunctive relief.
The private right of action runs through RCW 19.86.090: an individual may sue for actual damages, treble damages up to $25,000, attorneys' fees and costs, and injunctive relief. The treble-damages cap is per consumer per violation; class actions can scale rapidly.
This is the model that makes MHMDA materially more dangerous than Virginia CDPA. CDPA has no private right of action. MHMDA does. A medical practice that uses a marketing pixel triggering location-based health inferences exposes itself to plaintiffs' class action treatment that no HIPAA violation would create.
HIPAA enforcement under 45 CFR 160.404 runs concurrently. HHS OCR and the Washington AG (under HITECH § 13410(e)) can both pursue HIPAA penalties, but only MHMDA opens the private litigation door.
Compliance checklist for in-state practices
For Washington practices, the minimum operational set:
- Audit every marketing pixel, analytics vendor, and ad tracker on the practice website. Any tool that uses location, demographic, or behavioral data to infer health status creates consumer health data under MHMDA.
- Eliminate any geofencing within 2,000 feet of any healthcare facility for purposes of identifying, tracking, or sending notifications. This is a bright-line ban under RCW 19.373.080.
- Publish a consumer health data privacy policy that meets RCW 19.373.020: categories of data collected, sources, purposes, categories of third parties, how to exercise consumer rights, effective date.
- Stand up a consent flow under RCW 19.373.030 for any collection of consumer health data beyond what is necessary to provide the requested service. Document the consent.
- For any sale of consumer health data, obtain a separate signed authorization under RCW 19.373.040. Most practices should simply not sell consumer health data; the authorization mechanism is heavy.
- Execute written processor contracts under RCW 19.373.070 with any vendor handling consumer health data that is not a HIPAA business associate. The contract must specify processing purposes, instructions, and security requirements.
- Confirm the practice's data breach response procedure meets both the HIPAA 60-day timeline and the Washington 30-day timeline at RCW 19.255.010.
- Train workforce on MHMDA's geofence ban, consumer rights, and the per-se CPA violation risk for marketing-data missteps.
The MHMDA delta over a vanilla HIPAA program is substantial. The compliance binder covers HIPAA's backbone; Washington practices need an MHMDA layer on top, with marketing data and analytics as the highest-risk area.
Cross-references: Virginia CDPA for medical practices is the structurally similar statute without the private right of action — useful for comparing the enforcement risk delta. Illinois BIPA and GIPA shows the only other state with a robust private right of action regime against healthcare data uses.
Step 1 · Get the binder
Get the d3rx compliance binder for your practice
Pre-filled to address the gaps this guide covers — Washington's My Health My Data Act: Healthcare Practice Implications. We will email you the section preview and your binder intake link.
No PHI required. We use your email to send the binder preview and intake link only.
Frequently asked
Does WA MHMDA's geofence ban apply to our marketing pixel?
If the pixel triggers a geofence around an in-person healthcare facility, yes. RCW 19.373.080 prohibits implementing a geofence within 2,000 feet of any entity providing in-person healthcare services to identify or track consumers, collect consumer health data, or send notifications, messages, or advertisements related to consumer health data. The 2,000-foot ring around any provider location is a bright line, and it took effect first under the statute — on July 23, 2023, ahead of the rest of the MHMDA framework. Programmatic ad targeting that uses geofencing tied to healthcare locations is the most likely trigger for a small practice.
We are a HIPAA-covered entity. Does MHMDA apply at all?
Partly. RCW 19.373.100 exempts PHI collected and processed by a HIPAA-covered entity or business associate (the data, not the entity). But MHMDA's definition of consumer health data is much broader than PHI — it includes inferences derived from non-health data, gender-affirming care data, reproductive health data, mental health treatment information, and biometric data, whether or not under HIPAA. Any data the practice holds outside the HIPAA framework — marketing intake, wellness app integrations, website analytics — falls within MHMDA if it bears on health status.
What is the actual private right of action under MHMDA?
RCW 19.373.110 makes a violation of MHMDA an unfair or deceptive act under the Washington Consumer Protection Act (RCW 19.86). Affected consumers can sue under RCW 19.86.090 for actual damages, treble damages up to $25,000, attorneys' fees, and injunctive relief. The CPA private right of action is the lever — MHMDA itself does not create new statutory damages, but it makes any MHMDA violation per se a CPA violation, which has a robust plaintiffs' bar in Washington.
When did MHMDA take effect for small practices?
The geofence prohibition at RCW 19.373.080 took effect first, on July 23, 2023. The bulk of the MHMDA framework (sections 4 through 9 of the act, codified primarily at RCW 19.373.020 through 19.373.070) took effect on March 31, 2024 for most regulated entities and June 30, 2024 for small businesses. A small business under § 19.373.010 is one that collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers per year and derives less than 50 percent of gross revenue from consumer health data. The geofence ban has no small-business carve-out and applies to all entities.
Do we need separate consent for sharing data with our analytics vendor?
Likely yes. RCW 19.373.030 requires consent for collection of consumer health data beyond what is necessary to provide a requested product or service, and § 19.373.040 requires a separate, distinct authorization for any sale of consumer health data. Routing patient interaction data through a third-party analytics vendor that is not a HIPAA business associate, and not bound by an MHMDA-compliant processor contract, likely triggers the consent and authorization requirements.
Turn this into a review-ready binder
The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.
Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- RCW 19.373https://app.leg.wa.gov/RCW/default.aspx?cite=19.373
- RCW 19.373.010(8)https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010
- RCW 19.373.020https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.020
- RCW 19.373.030https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.030
- RCW 19.373.040https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.040
- RCW 19.373.050https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.050
- RCW 19.373.060https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.060
- RCW 19.373.070https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.070
- RCW 19.373.100https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.100
- RCW 19.373.080https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.080
- 45 CFR Part 164, Subpart Chttps://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C
- 164.308(a)(1)(ii)(A)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308
- 45 CFR 160.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.404
- 45 CFR 164.400-414https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D
- RCW 19.255https://app.leg.wa.gov/RCW/default.aspx?cite=19.255
- RCW 19.255.010https://app.leg.wa.gov/RCW/default.aspx?cite=19.255.010
- 45 CFR 164.404(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404
- RCW 19.373.090https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.090
Sources verified as of May 23, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
Related across the archive
- ComplianceIllinois Healthcare Compliance: BIPA, GIPA + State Medical Records RulesIllinois BIPA (740 ILCS 14/) and GIPA (410 ILCS 513/) vs HIPAA for medical practices: where the state statutes bite harder, private right of action, and penalty math.
- ComplianceOhio Healthcare Compliance: Data Protection Act + State SpecificsOhio Data Protection Act (Ohio Rev. Code § 1354) vs HIPAA: the affirmative defense framework, named cybersecurity frameworks, and what Ohio breach notification adds.
- CompliancePennsylvania Healthcare Compliance: Breach Notification + Practice OperationsPennsylvania Breach of Personal Information Notification Act (73 Pa. C.S. § 2301) vs HIPAA: the concurrent AG notice rule, medical record retention, and where state law bites a PA practice.
- SRAHIPAA Security Rule vs Privacy Rule: A Plain-English MapWhat the Security Rule at 45 CFR Part 164 Subpart C does, what the Privacy Rule at Subpart E does, where they overlap, and which rule the SRA actually answers to.
- GlossaryePHI (Electronic Protected Health Information)PHI that is created, received, maintained, or transmitted in electronic form.
- RegulationHIPAA Privacy Rule Administrative Requirements (45 CFR 164.530)Designated privacy official, workforce training, safeguards, complaint process, sanctions, mitigation, anti-retaliation, anti-waiver, documentation, and policies and procedures.
- BillingWhat to Do When a Payer Says You're UnderbillingGot a letter saying you're underbilling? Here's what it actually means, whether you should worry, and what action to take.
- StateAlaska healthcare compliance overlayAlaska has no state-specific medical-information privacy statute beyond HIPAA, and no health-data-only breach rule.