Washington's My Health My Data Act (MHMDA) is a state privacy law focused specifically on consumer health data that falls outside HIPAA. Signed in 2023 and effective in 2024, it is notable for its broad definitions and, unusually, a private right of action.
Why MHMDA exists
HIPAA protects health information held by covered entities and business associates, but a great deal of health-related data is collected by apps, websites, advertisers, and other businesses that HIPAA does not reach. Washington enacted MHMDA to extend privacy protections to this broader category of "consumer health data."
What it covers
MHMDA applies to "regulated entities" - generally legal entities that conduct business in Washington or target Washington consumers and that determine the purposes and means of collecting, processing, or sharing consumer health data. "Consumer health data" is defined broadly to include personal information linked to a consumer that identifies their past, present, or future physical or mental health status, which can include things like health conditions, diagnoses, treatments, precise location information that could indicate an attempt to access health services, and more.
Importantly, the law's protections extend to consumers who are Washington residents and to individuals whose data is collected in Washington.
Key obligations
- Consent and authorization. Collecting or sharing consumer health data generally requires consent, and selling it requires a separate, specific valid authorization.
- Privacy policy. Regulated entities must publish a consumer health data privacy policy describing the data collected, the purposes, and how consumers can exercise rights.
- Consumer rights. Consumers have rights to access their consumer health data, to know with whom it has been shared, to withdraw consent, and to have data deleted.
- Geofencing ban. The law prohibits implementing a geofence around facilities that provide health care services to track, collect data from, or send messages to consumers related to their consumer health data.
How it differs from HIPAA
| | HIPAA | MHMDA |
|---|---|---|
| Who is regulated | Covered entities and business associates | Broad set of businesses handling consumer health data |
| Scope of data | PHI | Consumer health data (broadly defined) |
| Enforcement by individuals | No private right of action | Includes a private right of action under the state Consumer Protection Act |
The private right of action
One of MHMDA's most significant features is that violations are enforceable as violations of Washington's Consumer Protection Act. In addition to enforcement by the Washington Attorney General, this gives individuals a private right of action - a notable departure from HIPAA and from many other state privacy laws, which rely on regulator enforcement alone.
What organizations should do
If your organization handles health-related data about Washington consumers and is not fully covered by HIPAA for that data, you may be within MHMDA's scope even if you never thought of yourself as a health company. Practical steps include mapping the consumer health data you collect, reviewing consent flows, publishing a compliant privacy policy, and obtaining qualified legal advice. Because of the private right of action, the stakes for getting it wrong can be higher than under regulator-only regimes.
How MHMDA interacts with HIPAA
MHMDA is designed to complement, not duplicate, HIPAA. The law includes exemptions intended to avoid double-regulating information already governed by HIPAA, so PHI held by a covered entity or business associate in that capacity is generally addressed by HIPAA rather than MHMDA. The practical effect is that many organizations face a mixed picture: some of the health-related data they handle is HIPAA-regulated PHI, while other data, such as information collected through a consumer app, website, or advertising technology, may fall under MHMDA instead. Mapping which framework governs which data flow is therefore a key early step, because the obligations differ. Where there is doubt about how an exemption applies to a particular data set, Washington counsel can help draw the line.
The role of consent and authorization
MHMDA draws a meaningful distinction between consent and authorization. In general terms, collecting or sharing consumer health data beyond what is necessary to provide a requested product or service requires the consumer's consent, while selling consumer health data requires a separate, specific valid authorization with its own required elements. These are not interchangeable, and a single broad checkbox is unlikely to satisfy both. Organizations should examine where consent is needed, where a distinct authorization is required, and how consumers can later withdraw permission.