Washington My Health My Data Act: What Businesses Collecting Health Data (or AI Health Inferences) Must Do

In effect Primary law: My Health My Data Act · RCW ch. 19.373

Washington's My Health My Data Act (MHMDA) is one of the most consequential privacy laws in the country for businesses that touch health-related data — and it reaches far beyond traditional medical records. It covers 'consumer health data' broadly, including biometric data and health inferences drawn by algorithms, so an AI product that infers health conditions from behavior can be in scope even if it never sees a medical record. It has been in effect since March 31, 2024, and — unusually — it carries a private right of action through Washington's Consumer Protection Act.

What the law requires

Get consent to collect or share consumer health data. Regulated entities must obtain consent before collecting or sharing consumer health data, with separate valid authorization required to sell it.
Honor deletion rights. Consumers can request deletion of their consumer health data, and you must comply.
Don't geofence health facilities. It is unlawful to implement a geofence around an in-person health-service location to identify, track, or send notifications to consumers about their health data.
Maintain a consumer health data privacy policy. Provide a clear privacy policy describing what consumer health data you collect, the purposes, and how consumers can exercise their rights.

Who must comply

Regulated entities (and small businesses, on a slightly later timeline) that conduct business in Washington or target Washington consumers and that determine the purpose and means of collecting consumer health data. Because 'consumer health data' includes biometric data and algorithmic health inferences, the law reaches well beyond healthcare companies — wellness apps, ad-tech, and AI products that infer health signals can all be covered.

Penalties & enforcement

MHMDA is enforceable under Washington's Consumer Protection Act, which means a private right of action: consumers can sue for actual damages (trebled up to $25,000), injunctive relief, and attorneys' fees, and the Washington Attorney General can pursue civil penalties. The private right of action is what makes MHMDA exposure especially significant.

How to comply: a practical checklist

Map all 'consumer health data' you collect — including biometric data and any AI-derived health inferences, not just medical records.
Build consent capture before collection or sharing, and a separate authorization flow before any sale of consumer health data.
Stand up a deletion-request workflow that honors consumer deletion rights.
Audit your apps and ad-tech for any geofencing around health-service locations and remove it.
Publish a dedicated consumer health data privacy policy.
Because there's a private right of action, document your compliance carefully — and if you collect biometrics, also satisfy Washington's separate Biometric Identifiers Act (RCW 19.375).

Get an alert the moment this changes

AI law moves fast — effective dates shift, rules get repealed and replaced, new bills pass. Create a free AI Laws USA account, watch the laws on this page, and get an email the moment one of them moves, takes effect, or is challenged. Free for the public, journalists, and students.

Create a free account & set alerts → See team plans

The laws this guide is built on

Every claim above traces to one of these verified entries in our index. Each links to its full record and its official source. Status labels reflect the live dataset as of 2026-06-17.

In effect Limited protection

My Health My Data Act

Washington · Effective 2024-03-31 · RCW ch. 19.373

A sweeping health-data privacy law covering 'consumer health data' far beyond HIPAA — including biometric data, health inferences drawn by algorithms, and reproductive health information. Companies need consent to collect or share such data, must honor deletion requests, and cannot geofence health facilities. Consumers can sue under Washington's Consumer Protection Act.

View full entry → · Official source ↗
In effect Limited protection

WA Biometric Identifiers Act (2017)

WA · Effective 2017-07-23 · RCW Ch. 19.375 (HB 1493, 2017)

Washington's 2017 HB 1493 was the third state biometric privacy law (after IL BIPA and TX CUBI). It requires notice and consent before 'enrolling' a biometric identifier in a database for a commercial purpose, but excludes photographs and audio recordings — a significant carve-out that distinguishes it from BIPA. Enforced by the Washington AG; no private right of action.

View full entry → · Official source ↗

Browse all Washington AI laws in the directory → · See the privacy topic → · Washington jurisdiction overview →

Frequently asked questions

Does the My Health My Data Act only cover medical records?

No — it covers 'consumer health data' broadly, including biometric data and health inferences drawn by algorithms, so it reaches well beyond HIPAA-covered data. See the full entry and RCW 19.373.

Can consumers sue under MHMDA?

Yes. MHMDA is enforceable through Washington's Consumer Protection Act, which provides a private right of action — actual damages (trebled up to $25,000), injunctive relief, and attorneys' fees — plus AG civil penalties.

Does MHMDA apply to AI products?

It can. Because 'consumer health data' includes algorithmic health inferences, an AI product that infers health conditions from user behavior can be in scope even without touching a medical record.

What's the geofencing rule?

It's unlawful to set up a geofence around an in-person health-service location to identify or track consumers or send them messages related to their health data.

How does MHMDA relate to Washington's biometric law?

They overlap. MHMDA treats biometric data as consumer health data; Washington's separate Biometric Identifiers Act (RCW 19.375) independently governs commercial use of biometric identifiers.