Washington MHMDA Engineering Protocols
Evidence-based technical implementation guide for My Health My Data Act compliance in Washington State
What is MHMDA?
The My Health My Data Act (MHMDA), codified at RCW 19.373, is a Washington State consumer health privacy law signed by Governor Jay Inslee in April 2023. It closes a gap left by HIPAA: health data held by businesses that are neither HIPAA covered entities nor business associates, including consumer apps, websites, wearables, and HealthTech platforms.
Regulatory Source: MHMDA applies to any legal entity that conducts business in Washington, or provides products or services targeted to Washington consumers, and that determines the purpose and means of collecting, processing, sharing, or selling "consumer health data" (the statute's "regulated entity"). Processors acting on a regulated entity's documented instructions carry narrower duties. The law includes a private right of action, so violations can be pursued by consumers as well as by the Washington Attorney General.
Effective Dates & Scope
- Geofencing prohibition: July 23, 2023
- Regulated entities (non-small businesses): March 31, 2024
- Small businesses: June 30, 2024
Small businesses are regulated entities that either (a) collect, process, sell, or share the consumer health data of fewer than 100,000 consumers in a calendar year, or (b) derive less than 50% of gross revenue from consumer health data and handle the data of fewer than 25,000 consumers.
Consumer Health Data Definition
MHMDA defines "consumer health data" broadly. It includes:
- Traditional health information (conditions, treatments, medications)
- Bodily functions and biometric information
- Data identifying someone seeking health care services
- Precise location information that could reasonably indicate an attempt to obtain health services or supplies
- Inferred or extrapolated health data derived from non-health information (e.g., purchase history, browsing behavior)
This last category matters most for HealthTech: if your system infers health status from behavioral or transactional data (including through algorithms or machine learning), the inferred data is in scope even though none of the inputs were.
Engineering Protocols: Technical Requirements
1. Consent & Authorization Workflows
MHMDA requires opt-in consent to collect or share consumer health data beyond what is necessary to provide a product or service the consumer has requested, and consent to share must be obtained separately from consent to collect. Selling consumer health data requires a "valid authorization": a separate, signed document that expires after one year. Engineering implications:
- Consent capture: Record each consent as an auditable entry with a timestamp, the exact scope (which data categories, for what purpose, and whether it covers collection or sharing), and a revocation path. Keep consent state in a system that downstream services can query in real time before each collection or sharing event.
- Propagation: When consent is withdrawn, downstream systems (data lakes, analytics, third-party integrations) must stop collecting and sharing the affected data. The statute gives regulated entities 45 days to act on a consumer request, extendable once by a further 45 days, so a revocation has to reach every downstream system well inside that window.
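As an added illustration of the consent-capture and propagation points above (example code written for this page, not code from the original page or from any product it describes), the following Python models consent as an append-only, hash-chained ledger. Each grant or withdrawal is a new entry recording its scope (collect vs. share, data categories, purpose) and a UTC timestamp; a permission check replays the ledger, so a revocation takes effect the moment it is appended; and any after-the-fact edit to an entry breaks the hash chain, which is what makes the ledger usable as compliance evidence. The consumer id `c-123`, the `sleep_coaching` purpose and the data categories are constructed for the demo.

```python
"""Append-only consent ledger with hash-chained entries and real-time
revocation checks (added example; identifiers below are constructed)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentEntry:
    consumer_id: str
    event: str            # "grant" or "revoke"
    operation: str        # "collect" or "share": MHMDA treats these as separate consents
    categories: tuple     # data categories in scope, e.g. ("heart_rate", "sleep")
    purpose: str          # the specified purpose the consumer was shown
    recorded_at: str      # ISO-8601 UTC timestamp
    prev_hash: str        # entry_hash of the preceding entry; "" for the first
    entry_hash: str       # SHA-256 over prev_hash + canonical JSON of the fields above


def _fields(e: ConsentEntry) -> dict:
    return {"consumer_id": e.consumer_id, "event": e.event, "operation": e.operation,
            "categories": list(e.categories), "purpose": e.purpose,
            "recorded_at": e.recorded_at}


def _hash(fields: dict, prev_hash: str) -> str:
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


class ConsentLedger:
    """Entries are only ever appended; current state is derived by replay, so a
    revocation is visible to every check as soon as it is written."""

    def __init__(self) -> None:
        self.entries: list[ConsentEntry] = []

    def _append(self, consumer_id, event, operation, categories, purpose, at) -> ConsentEntry:
        at = at or datetime.now(timezone.utc)
        prev = self.entries[-1].entry_hash if self.entries else ""
        draft = ConsentEntry(consumer_id, event, operation, tuple(sorted(categories)),
                             purpose, at.isoformat(), prev, "")
        entry = replace(draft, entry_hash=_hash(_fields(draft), prev))
        self.entries.append(entry)
        return entry

    def grant(self, consumer_id, operation, categories, purpose, at=None) -> ConsentEntry:
        return self._append(consumer_id, "grant", operation, categories, purpose, at)

    def revoke(self, consumer_id, operation, purpose, at=None) -> ConsentEntry:
        # Withdrawal is a new entry; the original grant is never edited or removed.
        return self._append(consumer_id, "revoke", operation, (), purpose, at)

    def is_permitted(self, consumer_id, operation, category, purpose) -> bool:
        """Call before every collection or sharing event; the latest entry for the
        (operation, purpose) pair decides."""
        allowed = False
        for e in self.entries:
            if (e.consumer_id, e.operation, e.purpose) != (consumer_id, operation, purpose):
                continue
            allowed = e.event == "grant" and category in e.categories
        return allowed

    def verify_chain(self) -> bool:
        """Recompute every hash; an edited, removed or reordered entry breaks the chain."""
        prev = ""
        for e in self.entries:
            if e.prev_hash != prev or _hash(_fields(e), prev) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


def demo() -> dict:
    ledger = ConsentLedger()
    t0 = datetime(2024, 4, 1, 9, 0, tzinfo=timezone.utc)
    ledger.grant("c-123", "collect", ["heart_rate", "sleep"], "sleep_coaching", at=t0)
    collect_ok = ledger.is_permitted("c-123", "collect", "heart_rate", "sleep_coaching")
    # Consent to collect does not carry over to sharing; sharing needs its own grant.
    share_ok = ledger.is_permitted("c-123", "share", "heart_rate", "sleep_coaching")
    ledger.revoke("c-123", "collect", "sleep_coaching", at=t0.replace(day=2))
    after_revoke = ledger.is_permitted("c-123", "collect", "heart_rate", "sleep_coaching")
    intact = ledger.verify_chain()
    # Simulate tampering at the storage layer: the revoke is rewritten as a grant.
    ledger.entries[-1] = replace(ledger.entries[-1], event="grant", categories=("heart_rate",))
    return {"collect_ok": collect_ok, "share_ok": share_ok, "after_revoke": after_revoke,
            "chain_intact": intact, "tamper_detected": not ledger.verify_chain()}
```

In a real deployment the ledger would live in an append-only store (a write-once table or object lock bucket) and `is_permitted` would sit behind a low-latency read model rebuilt from it; the point the example makes is that permission is a function of the full history, so there is no separate "consent flag" that can silently drift from the record.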
2. Right-to-Deletion ("Hard Deletion")
MHMDA grants consumers the right to have their consumer health data deleted. A "soft delete" (flagging records as inactive) does not satisfy this: the statute requires deletion from all parts of the entity's network and names archived and backup systems explicitly, so data must be removed or irreversibly de-identified across:
- Primary databases and replicas
- Backup systems and disaster recovery
- Data warehouses and analytics pipelines
- Affiliates, processors, contractors, and other third parties that received the data, all of whom the regulated entity must notify of the request
Expert Insight: I specialize in architecting "Right to Deletion" workflows that technically enforce consent revocation across distributed cloud environments (AWS, Azure). This includes immutable audit logs for compliance evidence and backup propagation strategies that respect deletion requests.
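One way to structure such a pipeline, as an added Python example written for this page (not code from the original page or from any vendor it mentions): mutable stores are hard-deleted and then re-read to verify; write-once backups are handled by crypto-shredding, where every consumer's rows are encrypted under a per-consumer key and destroying that key makes every surviving copy unreadable; third parties are notified and the outcome, including failures, is recorded; and every step lands in one evidence record. The store names, the sample row, and the unreachable `email-vendor` processor are constructed for the demo, and the HMAC counter-mode keystream is a dependency-free stand-in for AES-GCM under a KMS-held key.

```python
"""Deletion fan-out with crypto-shredding for write-once backups (added example)."""
from __future__ import annotations

import hashlib
import hmac
import json
import os
from datetime import datetime, timezone


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Dependency-free stand-in for AES-GCM under a KMS-held key: HMAC-SHA256 in
    # counter mode, unauthenticated. Demo only; use a real AEAD in production.
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


class KeyVault(dict):
    """consumer_id -> data-encryption key. Destroying the key is how deletion
    reaches copies that can no longer be rewritten (backups, archives)."""

    def key_for(self, consumer_id: str) -> bytes:
        return self.setdefault(consumer_id, os.urandom(32))

    def destroy(self, consumer_id: str) -> None:
        self.pop(consumer_id, None)


class EncryptedStore:
    """Primary, replica, warehouse or backup: rows are held only as ciphertext."""

    def __init__(self, name: str, vault: KeyVault) -> None:
        self.name, self._vault = name, vault
        self._rows: dict[str, list[tuple[bytes, bytes]]] = {}

    def put(self, consumer_id: str, record: dict) -> None:
        nonce, key = os.urandom(12), self._vault.key_for(consumer_id)
        self._rows.setdefault(consumer_id, []).append(
            (nonce, _keystream_xor(key, nonce, json.dumps(record).encode())))

    def read(self, consumer_id: str) -> list[dict] | None:
        """None when nothing readable remains: rows removed, or key shredded."""
        key, rows = self._vault.get(consumer_id), self._rows.get(consumer_id)
        if not key or not rows:
            return None
        return [json.loads(_keystream_xor(key, n, c)) for n, c in rows]

    def hard_delete(self, consumer_id: str) -> None:
        self._rows.pop(consumer_id, None)

    def snapshot(self, name: str) -> EncryptedStore:
        """Write-once backup copy; hard_delete() on the source never touches it."""
        backup = EncryptedStore(name, self._vault)
        backup._rows = {cid: list(rows) for cid, rows in self._rows.items()}
        return backup


def process_deletion(consumer_id: str, mutable_stores: list[EncryptedStore],
                     backups: list[EncryptedStore], processors: dict,
                     vault: KeyVault) -> dict:
    """Fan one deletion request out to every copy; return the audit evidence."""
    steps = []
    for store in mutable_stores:
        store.hard_delete(consumer_id)
        steps.append({"target": store.name, "action": "hard_delete",
                      "ok": store.read(consumer_id) is None})   # verify by re-reading
    vault.destroy(consumer_id)   # every backup copy is now permanently unreadable
    for backup in backups:
        steps.append({"target": backup.name, "action": "crypto_shred",
                      "ok": backup.read(consumer_id) is None})
    for name, notify in processors.items():   # third parties that received the data
        try:
            steps.append({"target": name, "action": "notify", "ok": True,
                          "detail": notify(consumer_id)})
        except Exception as exc:   # a failed notification stays in the record as open
            steps.append({"target": name, "action": "notify", "ok": False,
                          "detail": repr(exc)})
    return {"consumer_id": consumer_id, "steps": steps,
            "requested_at": datetime.now(timezone.utc).isoformat(),
            "complete": all(s["ok"] for s in steps),
            "open_items": [s["target"] for s in steps if not s["ok"]]}


def _vendor_down(consumer_id: str) -> str:
    raise TimeoutError("endpoint down")   # simulated unreachable processor


def demo() -> dict:
    vault = KeyVault()
    primary, warehouse = EncryptedStore("primary-db", vault), EncryptedStore("warehouse", vault)
    for store in (primary, warehouse):
        store.put("c-123", {"metric": "resting_hr", "value": 58})   # constructed sample row
    nightly = primary.snapshot("backup-2024-04-01")   # taken before the request arrived
    readable_before = nightly.read("c-123") is not None
    processors = {"analytics-vendor": lambda cid: f"ack {cid}", "email-vendor": _vendor_down}
    ev = process_deletion("c-123", [primary, warehouse], [nightly], processors, vault)
    return {"backup_readable_before": readable_before, "complete": ev["complete"],
            "open_items": ev["open_items"], "backup_bytes_remain": bool(nightly._rows)}
```

Two design points worth noting. The evidence record is not "complete" until every target reports success, so a processor that is unreachable stays listed under `open_items` for retry rather than being dropped, which is what you want the record to show if the request is ever disputed. And the backup still holds ciphertext after the run; whether key destruction satisfies the deletion duty for that copy is a question for counsel, but technically it is the only mechanism that reaches copies your write path can no longer modify.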
3. Standalone Privacy Policy
MHMDA requires a standalone consumer health data privacy policy, separate from a general privacy policy. It must disclose collection, use, sharing, and sale of consumer health data, plus consumer rights and how to exercise them.
4. Geofencing Prohibition
MHMDA prohibits implementing a geofence (a virtual boundary within 2,000 feet of the location's perimeter) around a facility that provides in-person health care services when the geofence is used to identify or track consumers seeking health care services, to collect consumer health data, or to send them health-related notifications or advertisements. This rules out location-based marketing and analytics keyed to clinics, hospitals, and pharmacies.
5. Security Practices
Regulated entities must establish, implement, and maintain administrative, technical, and physical data security practices that at least meet a reasonable standard of care for the volume and nature of the data, and must restrict access to consumer health data to the employees, processors, and contractors who need it for the disclosed purposes. Mapping controls to a recognized framework (e.g., NIST CSF, CIS Controls) and documenting them produces the evidence needed for audit readiness.
Who Is Affected?
Any business that collects, shares, or sells consumer health data and conducts business in Washington or targets Washington residents. This includes:
- Health and fitness apps
- Period and fertility trackers
- Mental health platforms
- Wearables and connected devices
- Health data platforms and interoperability vendors
- Marketing and analytics firms processing health-related data
Enforcement
The Washington Attorney General and consumers can bring enforcement actions. A violation is a per se violation of the state's Consumer Protection Act (RCW 19.86), so the CPA's remedies apply: actual damages, discretionary treble damages, and attorney fees in private suits, and civil penalties in Attorney General actions.
Need MHMDA Engineering Support?
I audit consent workflows, right-to-deletion pipelines, and consumer health data handling for HealthTech companies. CIPT-aligned privacy engineering and 15 years of clinical data experience.
Book Free Intro