What Is the My Health My Data Act?
Washington's My Health My Data Act (MHMDA), enacted as ESHB 1155 and signed April 27, 2023, is the strictest consumer health data law in the United States. It applies to any organization that collects or processes health data of Washington residents — regardless of where the organization is located. It imposes opt-in consent requirements, prohibits certain data sharing without affirmative authorization, includes a private right of action (allowing individuals to sue), and covers data categories that HIPAA does not reach. For any Medicare program serving Washington residents, MHMDA compliance is required even if no HIPAA obligations exist.
MHMDA was signed by Governor Jay Inslee on April 27, 2023 and took effect July 23, 2023 for larger organizations, with a March 31, 2024 effective date for small businesses. It is codified at RCW chapter 70.372.
The law emerged from a specific concern: that health-related data collected outside the traditional healthcare system — by apps, websites, wearables, and wellness platforms — was being collected, sold, and used in ways that individuals could not control and that HIPAA did not address. Washington legislators noted that reproductive health data, mental health searches, location data near clinics, and fitness data were being commercially exploited with no meaningful consent framework.
Who is a "regulated entity"?
A regulated entity under MHMDA is a legal entity that: (1) conducts business in Washington state or produces products or services that are targeted to Washington consumers, and (2) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling consumer health data. The definition encompasses a wide range of organizations, including non-healthcare companies that happen to collect health-related data.
Key exemptions
HIPAA-covered entities are exempt from MHMDA — but only to the extent the data in question is protected health information under HIPAA. A covered entity's non-PHI data collection (e.g., a hospital's marketing website that tracks user behavior) is still subject to MHMDA. Employee health data covered by HIPAA is also exempt. These exemptions are narrower than they first appear.
The "Consumer Health Data" Definition
MHMDA defines "consumer health data" extremely broadly: personal information that is linked or linkable to a consumer and that identifies the consumer's physical or mental health status. This deliberately goes beyond HIPAA's PHI definition. It covers health conditions and diagnoses, medications, reproductive and sexual health, mental health, healthcare-seeking behavior such as web searches for clinics, precise geolocation near healthcare facilities, and data used to infer any health condition. For Medicare programs, this includes Medicare eligibility data, health status used for plan qualification, and any SMS data that identifies an individual as seeking Medicare-covered healthcare.
What the definition covers
- Health conditions, status, diagnoses, and treatments
- Prescription medications and surgical procedures
- Reproductive and sexual health, including fertility and pregnancy
- Mental health and substance use treatment
- Precise geolocation data from healthcare facilities, pharmacies, or clinics
- Health-related web searches and app usage patterns
- Biometric or genetic data
- Any data used to infer or derive a health condition
Why this matters for Medicare programs
Medicare eligibility status is, by definition, age-related data that frequently correlates with health status. More directly: data collected during a Medicare eligibility intake — including age, current insurance status, employer group health plan status, and the reason an individual is seeking Medicare information — can qualify as consumer health data under MHMDA's expansive definition. Organizations running Medicare outreach programs should assume that data collected in the eligibility and enrollment funnel is within MHMDA's scope when Washington residents are involved.
Geofencing prohibition
MHMDA prohibits implementing a geofence within 2,000 feet of a healthcare facility for the purpose of identifying or tracking consumers seeking healthcare, or collecting consumer health data from those consumers. This prohibition applies to advertising pixels, location tracking in apps, and any technology that uses proximity to healthcare facilities as a targeting criterion. Digital Medicare advertising that uses location-based targeting near clinics or hospitals is directly affected.
Opt-In Consent Requirements
MHMDA requires affirmative opt-in consent — not opt-out — before collecting or sharing consumer health data for any purpose beyond the immediate healthcare transaction. This is a materially higher standard than the opt-out mechanisms permitted under HIPAA's treatment, payment, and operations carve-outs. For Medicare SMS programs serving Washington residents, a valid MHMDA consent must be obtained before health-related data collection begins — prior to intake questions about Medicare eligibility, health status, or employer group health plan coverage.
What "opt-in" means under MHMDA
A valid MHMDA consent must be: (1) freely given (not a condition of receiving a service), (2) specific (identifying the categories of data being collected and the purposes), (3) informed (plain-language disclosure of how data will be used), and (4) unambiguous (affirmative action — a pre-ticked checkbox or continued use of a website does not satisfy the requirement). The consent must specifically name any third parties with whom the data will be shared.
Sharing restrictions
Even with consent for collection, MHMDA imposes additional requirements before consumer health data can be shared with third parties. Regulated entities must execute a written contract — analogous to a HIPAA Business Associate Agreement — with any processor that handles consumer health data on their behalf. The contract must restrict the processor's use of the data to the specific purposes authorized and must require the processor to delete the data when the contract ends.
Sale of consumer health data
MHMDA requires a separate, standalone authorization before consumer health data can be sold. The authorization cannot be bundled into a general terms-of-service agreement and must be specific to the sale. Many lead generation and data brokerage practices that are standard in the Medicare marketing industry would require restructuring under this prohibition.
The Private Right of Action
MHMDA is unusual among US state privacy laws in that it includes a private right of action — individual Washington residents can sue regulated entities for violations. This is separate from enforcement authority held by the Washington Attorney General. The combination means MHMDA violations carry both regulatory risk (AG investigation, civil penalties) and civil litigation risk (class actions by individuals). California's CPRA, for comparison, has a limited private right of action only for data breaches; MHMDA's private right covers all violations.
Remedies available to private plaintiffs
Under MHMDA's private right of action, plaintiffs may seek: actual damages, statutory damages (specified in the Act), injunctive relief, and attorneys' fees. The availability of attorneys' fees is a practical driver of class action risk — it makes MHMDA an attractive vehicle for plaintiffs' firms in a way that laws without fee-shifting are not.
Class action exposure
Washington courts have experience with consumer health data class actions arising under state law. The Washington Consumer Protection Act (CPA) is frequently paired with health data claims. MHMDA's broad data definition and opt-in consent requirement create multiple potential violation theories that can support class certification — particularly for organizations that collected health-related data from Washington residents at scale without MHMDA-compliant consent prior to the law's effective date.
Extraterritorial Reach
MHMDA applies to any regulated entity that collects health data of Washington consumers — there is no requirement that the organization have a physical presence in Washington. A Medicare program operating from Texas that collects health-related data via SMS from Washington residents is subject to MHMDA. This extraterritorial design is explicit and mirrors Washington's approach to its Consumer Protection Act, which has been applied against out-of-state companies routinely.
The practical implication for nationally-marketed Medicare programs: MHMDA compliance is required for any consumer touchpoint that may reach Washington residents. This includes SMS lead intake, web-based eligibility tools, and any other digital channel that collects health-related data. You cannot geographically restrict MHMDA compliance to programs "intended" for Washington residents — if Washington residents use the program, MHMDA applies.
Practical approaches
- Treat MHMDA as a baseline consent standard for all programs, not just Washington-targeted ones
- Ensure consent language specifically addresses health data collection before the first intake question
- Audit third-party data processors to confirm they have executed MHMDA-compliant data processing agreements
- If using lead purchase or aggregation, verify that the upstream source collected MHMDA-compliant consent for Washington residents
MHMDA vs. HIPAA: Key Differences
HIPAA covers protected health information held by covered entities and their business associates. MHMDA covers a broader category of consumer health data held by any regulated entity — including non-healthcare companies. HIPAA preempts state law only where state law is less protective; more protective state laws (like MHMDA) still apply. The two frameworks must be satisfied independently. Organizations that are HIPAA-compliant are not automatically MHMDA-compliant.
| Dimension | HIPAA | MHMDA |
|---|---|---|
| Who it covers | Covered entities (healthcare providers, health plans, clearinghouses) and their BAs | Any organization that collects health data of WA residents (broad) |
| Data covered | Protected health information (PHI) — identifiable health information created by covered entities | Consumer health data — any personal data linked to health status (broader than PHI) |
| Consent standard | Authorization required only for uses beyond treatment, payment, and operations (opt-out for marketing) | Opt-in before any health data collection beyond immediate transaction |
| Private right of action | No — only OCR enforcement and state AG suits | Yes — individuals can sue directly |
| Geographic scope | US-based covered entities and BAs | Any entity collecting WA consumer health data, regardless of location |
| Geofencing | No specific restriction | Prohibited within 2,000 feet of healthcare facilities |
| Data sale | Prohibited without authorization for PHI; allowed in limited non-PHI contexts | Requires separate standalone authorization beyond general consent |
Medicare SMS Programs and MHMDA
An SMS-based Medicare eligibility intake that asks questions about an individual's health coverage status, employer group health plan, age, or Medicare eligibility is collecting data that falls within MHMDA's consumer health data definition when that individual is a Washington resident. Before collecting that data via text, the program must have obtained MHMDA-compliant opt-in consent. This means the consent must be obtained before the first intake question — not at the end of the flow, and not embedded in a terms-of-service agreement that the user nominally accepted weeks earlier.
Consent flow for SMS intake
For SMS-based programs, a compliant MHMDA consent approach typically involves: (1) an initial message that clearly identifies the organization and the type of data to be collected, (2) a plain-language disclosure of the purpose and any third parties who will receive the data, and (3) an explicit opt-in response from the consumer before data collection begins. Auto-responders that proceed to collect data after a "STOP/START" opt-in to marketing messages alone are not sufficient — the consent must be specific to health data collection.
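One way to enforce the three-step consent sequence above in an intake bot, as an added example rather than code from the page or from any real Medicare program: a small consent state machine in which the START keyword (marketing opt-in) only triggers the disclosure, intake replies are discarded until an affirmative YES is recorded against that specific disclosure, and the stored consent record carries the categories, purpose and named third parties. The disclosure contents, question keys and the brokerage name are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed disclosure for a hypothetical Medicare SMS program; the category
# names, purpose and recipient are placeholders, not taken from the page.
HEALTH_DISCLOSURE = {
    "categories": ["Medicare eligibility", "employer group health plan status"],
    "purpose": "determine which Medicare plans you may qualify for",
    "third_parties": ["Example Brokerage LLC (placeholder)"],
}
INTAKE_QUESTIONS = ["medicare_eligible", "employer_plan"]  # asked only after consent

@dataclass
class Session:
    phone: str
    marketing_opt_in: bool = False         # START/STOP keyword state only
    disclosed: bool = False                # disclosure actually sent to this consumer
    health_consent: Optional[dict] = None  # MHMDA-specific consent record, or None
    answers: dict = field(default_factory=dict)
    outbound: list = field(default_factory=list)

def disclosure_text() -> str:
    # Plain-language disclosure naming data categories, purpose and recipients.
    d = HEALTH_DISCLOSURE
    return (f"We will collect: {', '.join(d['categories'])}. Purpose: {d['purpose']}. "
            f"Shared with: {', '.join(d['third_parties'])}. Reply YES to agree.")

def can_collect_health_data(s: Session) -> bool:
    return s.health_consent is not None    # marketing opt-in alone never unlocks intake

def handle_inbound(s: Session, text: str, now: str) -> Session:
    msg = text.strip().upper()
    if msg == "STOP":                      # withdraw both marketing and health consent
        s.marketing_opt_in, s.health_consent = False, None
        return s
    if msg == "START":                     # marketing opt-in: disclose, but no intake yet
        s.marketing_opt_in, s.disclosed = True, True
        s.outbound.append(disclosure_text())
        return s
    if not can_collect_health_data(s):
        if msg == "YES" and s.disclosed:   # affirmative reply to the specific disclosure
            s.health_consent = {**HEALTH_DISCLOSURE, "given_at": now, "reply": text}
            s.outbound.append(f"Q: {INTAKE_QUESTIONS[0]}?")
        else:                              # not consent: discard the text, re-disclose
            s.outbound.append(disclosure_text()); s.disclosed = True
        return s
    if len(s.answers) >= len(INTAKE_QUESTIONS):
        return s                           # intake complete; ignore further replies
    s.answers[INTAKE_QUESTIONS[len(s.answers)]] = text.strip()
    if len(s.answers) < len(INTAKE_QUESTIONS):
        s.outbound.append(f"Q: {INTAKE_QUESTIONS[len(s.answers)]}?")
    return s
```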
Lead purchasing and MHMDA
Organizations that purchase Medicare leads from third-party aggregators must verify that the aggregator collected MHMDA-compliant consent for any Washington residents in the dataset. Downstream use of non-compliant consent does not insulate the purchaser from liability under MHMDA. Lead purchase agreements should include representations and warranties about MHMDA compliance for Washington consumer health data.
Primary Sources
leg.wa.gov → ESHB 1155 Session Law (PDF)
app.leg.wa.gov → RCW 70.372
atg.wa.gov → MHMDA Guidance
ecfr.gov → 45 CFR § 160.203