Your health data extends far beyond your medical records. Period tracking apps, fitness wearables, mental health platforms, and even location data revealing which clinics you visit all paint an intimate picture of your wellbeing. While HIPAA protects traditional medical records, it leaves vast categories of health-related data unguarded. Washington state's My Health My Data Act (MHMDA) was designed to close that gap, and its reach extends well beyond the state's borders.
What Is the My Health My Data Act?
The Washington My Health My Data Act (codified as RCW 19.373) is a state privacy law that took effect on March 31, 2024, with small business provisions following on June 30, 2024. It is one of the most expansive health data privacy laws in the United States, created in direct response to growing concerns about unregulated health data collection and the U.S. Supreme Court's 2022 decision in Dobbs v. Jackson Women's Health Organization, which heightened fears about how reproductive health data could be weaponized.
Unlike most state privacy laws, the MHMDA does not contain applicability thresholds based on a company's revenue or the number of consumers it serves. This means businesses of nearly any size that collect, share, or sell consumer health data connected to Washington may be subject to the law.
What Health Data Does the MHMDA Protect?
The MHMDA defines "consumer health data" far more broadly than most people expect. It covers personal information that is linked or reasonably linkable to a consumer and identifies the consumer's past, present, or future physical or mental health status. Specifically, this includes:
- Health conditions, diagnoses, and treatments: Any data about diseases, diagnoses, medications, medical interventions, or ongoing conditions.
- Reproductive and sexual health data: Information related to contraception, pregnancy, fertility treatments, or abortion services.
- Mental health information: Data from therapy apps, behavioral health platforms, or any service capturing psychological or emotional wellbeing.
- Biometric data: Fingerprints, facial recognition data, voice prints, and other biological identifiers.
- Bodily functions and vital signs: Heart rate, sleep patterns, blood pressure, menstrual cycle data, and similar measurements collected by wearables and health apps.
- Precise location data: Geolocation information that could reveal visits to healthcare facilities, pharmacies, or clinics.
- Data identifying healthcare-seeking consumers: Any information that identifies someone as seeking or receiving healthcare services.
- Inferred or derived health data: Health information that is extrapolated from non-health data, such as purchasing patterns or search history.
Broader Than You Think
The MHMDA's definition of health data captures information that most consumers would never consider "health data." For example, if your fitness app tracks your location and that data could identify visits to a medical facility, it falls under the Act's protections. Even purchasing data that allows a company to infer a health condition is covered. This sweeping scope is what makes the MHMDA one of the most significant health privacy laws in the country.
How the MHMDA Differs from HIPAA
HIPAA and the MHMDA serve fundamentally different purposes and cover different ground. Understanding these differences is critical to knowing where your health data is actually protected.
Scope of Coverage
HIPAA only applies to "covered entities" -- healthcare providers, health plans, and healthcare clearinghouses -- and their business associates. The MHMDA applies to virtually any business or entity that collects, processes, shares, or sells consumer health data linked to Washington consumers, regardless of whether that entity is a traditional healthcare provider. This means app developers, advertisers, data brokers, retailers, and tech companies all fall within its reach.
Consent Requirements
HIPAA permits many core uses of health data -- such as treatment, payment, and healthcare operations -- without requiring patient consent. The MHMDA takes a fundamentally different approach: it requires opt-in consent for the collection and processing of consumer health data, separate consent to share that data with third parties, and a signed written authorization before any health data can be sold.
Geographic Reach
While the MHMDA is a Washington state law, its definition of "consumer" is unusually broad. It protects not only Washington residents but also any individual whose consumer health data is collected while they are in Washington. This extraterritorial reach means businesses across the country -- and potentially worldwide -- may need to comply.
Enforcement
HIPAA is enforced exclusively by federal regulators, primarily through the Office for Civil Rights. The MHMDA, by contrast, is enforceable by the Washington Attorney General and also provides a private right of action, meaning individual consumers can sue businesses directly for violations -- a provision that very few state privacy laws include.
Your Rights Under the MHMDA
The MHMDA grants Washington consumers robust rights over their health data:
Right to Know and Access
You can confirm whether a business is collecting, sharing, or selling your consumer health data. You can also request access to that data, including a list of all third parties and affiliates who have received it.
Right to Delete
You can request that a business delete your consumer health data. The business must erase your data across its systems and instruct its affiliates, processors, contractors, and third-party recipients to do the same.
Right to Withdraw Consent
You may revoke any previously granted consent for the collection, sharing, or processing of your health data at any time. Businesses are prohibited from discriminating against you for exercising this right.
Right to Appeal
If a business denies your request, you have the right to appeal. The business must provide a written outcome of that appeal. Businesses are required to respond to all requests without undue delay and within 45 days, with one possible 45-day extension when reasonably necessary.
Geofencing Restrictions
One of the MHMDA's most distinctive provisions is its ban on geofencing around healthcare facilities. This provision took effect on July 23, 2023, earlier than the rest of the law. It makes it unlawful for any person to implement a geofence around an entity that provides in-person healthcare services if that geofence is used to:
- Identify or track consumers seeking healthcare services
- Collect consumer health data
- Send notifications, messages, or advertisements related to health data or healthcare services
Real Enforcement, Real Consequences
The MHMDA is not a paper tiger. Violations are treated as violations of the Washington Consumer Protection Act, exposing businesses to civil penalties of up to $7,500 per violation through Attorney General enforcement. Individual consumers can sue for actual damages, court costs, and attorney's fees, and courts may award treble (triple) damages capped at $25,000. The first class action lawsuit under the MHMDA was filed in February 2025, signaling that enforcement activity is well underway.
Who Must Comply?
The MHMDA applies to two categories of entities:
- Regulated entities: Any legal entity that conducts business in Washington, or produces or provides products or services targeted to consumers in Washington, and that alone or jointly with others determines the purpose and means of collecting, processing, sharing, or selling consumer health data. These entities were required to comply by March 31, 2024.
- Small businesses: Entities that process the health data of fewer than 100,000 consumers in a calendar year, or that collect health data of fewer than 25,000 consumers and derive less than 50% of their revenue from consumer health data. Small businesses were given until June 30, 2024 to comply.
Notably, the MHMDA does include some exemptions. Data already governed by HIPAA, the Gramm-Leach-Bliley Act, or certain other federal privacy frameworks may be excluded from the Act's requirements. However, these exemptions are narrowly drawn, and businesses should not assume that partial HIPAA coverage exempts them from the MHMDA entirely.
How to Protect Your Health Data
While the MHMDA provides powerful legal protections, proactive steps remain essential to safeguarding your health data:
- Audit your health apps: Review every app that has access to health-related data on your phone, including fitness trackers, period trackers, mental health apps, and nutrition platforms. Remove any you no longer use.
- Review and revoke permissions: Check what data each app is collecting and sharing. Disable location access, biometric data collection, and advertising identifiers wherever possible.
- Exercise your MHMDA rights: If you are a Washington consumer, submit access and deletion requests to companies you believe hold your health data. The law requires them to respond within 45 days.
- Remove your data from brokers: Health-related data brokers operate largely outside HIPAA's reach. PrivacyOn monitors and removes your personal information from 100+ data broker sites, including those that aggregate and sell health-related data. With dark web monitoring and family plans covering up to 5 people starting at $8.33/mo, it provides ongoing protection for the health data that laws alone cannot fully secure.
- Read privacy policies: Before downloading any health-related app, check whether it shares data with third parties, sells data, or retains data after account deletion.
- Use strong authentication: Enable two-factor authentication on all health-related accounts to prevent unauthorized access to your sensitive data.
The Bottom Line
The Washington My Health My Data Act represents a significant step forward in consumer health privacy protection. By extending safeguards well beyond HIPAA's traditional boundaries -- covering app data, location data, biometric data, and even inferred health information -- it acknowledges the reality of how health data is collected and used in the modern digital landscape. Whether you live in Washington or simply use services that interact with Washington consumers, understanding the MHMDA is essential to knowing your rights and protecting your most sensitive personal information.