Washington My Health My Data Act (MHMDA)
Washington's landmark health data law extending far beyond HIPAA to cover any consumer health data collected by non-HIPAA entities.
The Washington My Health My Data Act (MHMDA), RCW Chapter 70.372, is one of the most significant U.S. privacy laws of 2023. It took effect for regulated entities on March 31, 2024, and for small businesses on June 30, 2024. Unlike HIPAA, which applies only to covered entities and their business associates, MHMDA applies to any regulated entity — defined as any legal entity that (a) conducts business in Washington or targets Washington residents and (b) collects, shares, or sells "consumer health data." Its definition of consumer health data is extraordinarily broad: any personal information that identifies a consumer's past, present, or future physical or mental health status, including body weight, sleep patterns, reproductive health, biometric data, diagnoses, health-related purchases, location data that could reveal health facility visits, and health conditions inferred from other data.
MHMDA imposes strict engineering obligations. First, a requirement for express, written, and separate consent before collecting or sharing consumer health data — no bundled consent in a general privacy policy. Second, a geofencing prohibition: entities may not implement a geofence within 2,000 feet of a health care facility for the purpose of identifying, tracking, or collecting health data from consumers or sending them health-related communications. This bars any geofencing or proximity-based advertising near hospitals, clinics, pharmacies, and mental health facilities — requiring geofence systems to maintain exclusion zones mapped against facility registries. Third, MHMDA includes a private right of action — unusual among state privacy laws — making it enforceable by individual consumers, not just the AG.
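As an added illustration of the exclusion-zone check described above (example code, not part of the Act or of any product this page describes), the following Python routine tests a proposed circular geofence against a facility registry and reports every facility whose 2,000-foot zone the fence would enter. The `Facility` and `Geofence` types, the registry format, and the coordinates are assumptions; the sample registry is constructed and does not describe real facilities.

```python
import math
from dataclasses import dataclass

FEET_PER_METER = 3.28084
EARTH_RADIUS_M = 6_371_000.0
EXCLUSION_RADIUS_FT = 2000.0  # MHMDA distance from a health care facility

@dataclass(frozen=True)
class Facility:          # assumed registry record shape
    name: str
    lat: float
    lon: float

@dataclass(frozen=True)
class Geofence:          # assumed shape of a proposed circular fence
    label: str
    lat: float
    lon: float
    radius_ft: float

def haversine_ft(lat1, lon1, lat2, lon2):
    """Great-circle distance in feet between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a)) * FEET_PER_METER

def conflicting_facilities(fence, registry):
    """Facilities whose exclusion zone the fence would enter.

    The fence is a circle, so the relevant figure is the clearance between
    its edge and the facility: centre distance minus fence radius. A large
    fence can conflict even when its centre is well beyond 2,000 feet.
    Returns (facility name, clearance in feet) pairs; empty means clear.
    """
    hits = []
    for f in registry:
        clearance = haversine_ft(fence.lat, fence.lon, f.lat, f.lon) - fence.radius_ft
        if clearance < EXCLUSION_RADIUS_FT:
            hits.append((f.name, round(clearance)))
    return hits

def is_deployable(fence, registry):
    """True only when no facility in the registry is within the exclusion distance."""
    return not conflicting_facilities(fence, registry)

# Constructed sample registry; coordinates are illustrative only.
SAMPLE_REGISTRY = [
    Facility("Example Hospital", 47.6100, -122.3300),
    Facility("Example Pharmacy", 47.6200, -122.3500),
]
```

In a real deployment the registry would be loaded from the facility data source the organisation relies on, and a fence that fails the check should be rejected before it is ever pushed to an ad or tracking platform.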
The MHMDA's consent requirements impose distinct technical complexity. Consent must be "written or electronic," and the consent request must separately describe each category of health data to be collected, identify each recipient of shared data, state the purpose, and provide a mechanism to revoke consent with effect within 30 days. Consent cannot be obtained through dark patterns — defined as "user interface designs or choice architectures that have the substantial effect of subverting or impairing user autonomy, decision-making, or choice." Engineers building consent flows must document UI design rationale demonstrating the absence of dark patterns. Data must be deleted within 30 days of a valid deletion request. Given the private right of action, non-compliance carries litigation risk requiring robust consent logging and revocation audit trails.
We build MHMDA-compliant consent flows with granular, per-category authorization screens backed by immutable consent logs, and implement 30-day revocation pipelines that cascade through health data processing systems. Our geofencing compliance tooling maintains exclusion zone registries sourced from CMS facility databases, and our UI review process includes dark-pattern assessment checkpoints before consent flow deployment.