MHMD · Washington My Health, My Data Act
MHMD: broader than HIPAA, and every WA resident can sue.
Washington's My Health, My Data Act (RCW 19.373) covers far more than HIPAA. Fitness data, symptom searches, appointment booking, period tracking, and any data that could be used to infer health status all qualify. Unlike most privacy laws, MHMD includes a private right of action — individual lawsuits, not just AG referrals.
About MHMD
Washington's My Health, My Data Act (effective March 31, 2024) defines "consumer health data" expansively: health conditions, diagnoses, medications, medical history, reproductive and sexual health data, gender-affirming care, biometric and genetic data, precise geolocation near healthcare facilities, and any data that could be used to infer a health status. This scope goes far beyond HIPAA, which applies only to covered entities. MHMD applies to any company that collects data from Washington State residents — regardless of where the company is based.
The key enforcement risk is a private right of action: any Washington resident can file a lawsuit individually without the state attorney general's involvement. Penalties include injunctive relief plus attorneys' fees, and the AG can separately seek up to $7,500 per violation.
Obligations include: explicit affirmative consent before collecting consumer health data; the right to withdraw consent and delete data; no sale of consumer health data without separate consent; and geofence restrictions around healthcare facilities.