Washington My Health My Data Act Explained for Marketers

Washington State House Bill 1155, signed into law on April 27, 2023, did something no federal health privacy law has done: it gave consumers the right to sue companies that mishandle their health data. The My Health My Data Act (MHMDA) took effect on March 31, 2024, for regulated entities and June 30, 2024, for small businesses. It applies to any entity that conducts business in Washington or targets Washington consumers, regardless of whether that entity is a HIPAA-covered entity, a tech startup, or a marketing platform.

For healthcare marketing teams accustomed to operating within HIPAA's boundaries, MHMDA represents a fundamental shift. HIPAA is enforced by the federal government through OCR complaints and investigations. MHMDA is enforced through Washington's Consumer Protection Act, which means individual consumers can bring lawsuits, and class action attorneys are watching. The combination of broad definitions, strict consent requirements, and a private right of action makes this the most consequential state health privacy law for marketing teams to understand.

The Statute's Definition of Consumer Health Data

MHMDA defines "consumer health data" as personal information that is linked or reasonably linkable to a consumer and identifies the consumer's past, present, or future physical or mental health status. The definition is deliberately broad and includes categories that would not qualify as PHI under HIPAA.

Health conditions, treatments, and diagnoses. Any data related to a consumer's diseases, disorders, symptoms, treatments, medications, or medical procedures qualifies. This overlaps with HIPAA's definition of health information but extends to entities outside HIPAA's covered entity and business associate framework.

Bodily functions, vital signs, and biometric data. Heart rate data from a wearable, sleep patterns from an app, or biometric scans used for authentication all fall under the definition. Marketing teams that integrate with wellness platforms or health-adjacent apps should evaluate whether the data they receive qualifies.

Reproductive and sexual health data. MHMDA explicitly protects reproductive health information, including pregnancy status, contraception, fertility treatments, and gender-affirming care. This provision was a primary motivator for the law's passage in the wake of the Dobbs decision.

Precise location data linked to healthcare. Any location data that could reasonably indicate a consumer's attempt to acquire or receive health services is consumer health data. This includes geolocation signals near hospitals, clinics, pharmacies, or mental health facilities. A marketing campaign using geofencing near a healthcare facility could trigger MHMDA obligations.

Data about attempts to obtain health services. This is one of MHMDA's most expansive provisions. A consumer who searches for "therapist near me" on your website, fills out a "request a consultation" form, or browses specific condition pages is generating data about their attempt to obtain health services. Under MHMDA, that browsing behavior constitutes consumer health data when it can be linked to the individual.

Consent Requirements That Go Beyond Cookie Banners

MHMDA imposes consent standards that are meaningfully stricter than both HIPAA and most state consumer privacy laws.

Collection requires prior consent. Before collecting consumer health data, a regulated entity must obtain the consumer's affirmative consent. This consent must be separate from general terms of service or privacy policy acceptance. A blanket "I agree to the Terms of Service" checkbox does not satisfy MHMDA's consent requirements for health data.

Sharing requires separate consent. If a regulated entity wants to share consumer health data with a third party, it must obtain additional, specific consent for that sharing. The consent must identify the categories of data being shared, the specific third parties or categories of third parties receiving the data, and the purpose of the sharing. Generic disclosures like "we may share data with our partners" are insufficient.

Sale requires its own consent. The sale of consumer health data requires yet another layer of consent, separate from collection and sharing consent. The law defines "sale" broadly, consistent with other state privacy laws, to include exchanges of data for monetary or other valuable consideration.

Consent must be revocable. Consumers must be able to withdraw consent at any time, and the entity must honor the withdrawal within 15 days.

For marketing teams, these requirements mean that standard analytics implementations, which collect browsing data automatically when a page loads, may need to be restructured. If your website collects data that qualifies as consumer health data under MHMDA (which includes browsing behavior on health-related pages when linked to an individual), you need affirmative consent before that collection begins. This is not an opt-out regime. It is opt-in.

Who the Law Applies To (and It Is Broader Than You Think)

MHMDA applies to any legal entity that: (1) conducts business in Washington or produces or provides products or services targeted to Washington consumers, AND (2) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling consumer health data.

The law explicitly exempts certain entities and data types. HIPAA-covered entities and business associates are exempt for data that is already regulated under HIPAA. Government agencies, tribal entities, and data governed by certain federal laws (HIPAA, FERPA, Gramm-Leach-Bliley) are also exempt.

The HIPAA exemption has an important nuance: it applies to data regulated under HIPAA, not to all data held by HIPAA-covered entities. If a hospital collects consumer health data through its marketing website in ways that fall outside HIPAA's definition of PHI (because, for example, the visitor is not a patient and has no treatment relationship), that data may still be subject to MHMDA.

This means healthcare marketing teams cannot assume their HIPAA compliance program covers MHMDA obligations. The two laws regulate different data, through different mechanisms, with different enforcement structures.

How MHMDA Intersects with Real Enforcement Patterns

MHMDA is a new law, and case law is still developing. But the enforcement patterns from federal actions illustrate the types of data practices that MHMDA is designed to address.

Easy Healthcare, the company behind the Premom fertility-tracking app, paid $100,000 to settle FTC charges that it shared menstrual cycle dates, pregnancy status, and hormone results with Google and other analytics firms through SDKs. Despite its privacy policy stating it would only share non-identifiable data, the app transmitted health data that could be linked to individual users. The FTC permanently banned Easy Healthcare from sharing user health data for advertising.

Under MHMDA, this same conduct would expose the company to private lawsuits from every affected Washington consumer. The FTC enforcement required federal agency investigation and action. MHMDA allows individual consumers and class action attorneys to bring claims directly.

BetterHelp's $7.8 million FTC settlement involved sharing email addresses, IP addresses, and mental health intake questionnaire responses with Facebook, Snapchat, Criteo, and Pinterest via tracking pixels. BetterHelp also used the fact that users had previously been in therapy to build Facebook lookalike audiences.

Every element of BetterHelp's conduct (collecting mental health data, sharing it with advertising platforms without specific consent, and using it to build advertising audiences) would violate MHMDA's consent requirements. The law requires separate consent for collection, sharing, and sale, with specific identification of the third parties receiving data and the purposes of sharing.

Building MHMDA-Compliant Marketing Infrastructure

Compliance with MHMDA requires structural changes, not just policy updates.

Implement consent before collection. Your analytics, tracking, and data collection must not fire until affirmative consent is obtained. For website visitors, this means no scripts that collect consumer health data should execute before the visitor explicitly opts in through a consent mechanism that is separate from general terms of service. Server-side consent gating ensures this happens reliably. Client-side consent banners that rely on JavaScript timing can allow data collection before consent is registered.

Map your data to MHMDA's definitions. Audit every data point your marketing stack collects. Any data that links an identifier (IP address, email, cookie ID, device fingerprint) to health-related information (page URLs about conditions, form submissions about health interests, location data near healthcare facilities) is potentially consumer health data under MHMDA. This mapping determines which data flows need consent and which vendors need updated agreements.

Update vendor agreements. MHMDA requires that data processors handling consumer health data on your behalf enter into contracts that restrict their use of the data. Your existing data processing agreements may not cover MHMDA's specific requirements, including restrictions on combining consumer health data with data from other sources, obligations to delete data upon request, and prohibitions on selling the data.

Build deletion capabilities. MHMDA grants consumers the right to request deletion of their consumer health data. You must be able to honor these requests within 30 days across all systems where the data resides, including your marketing platforms, analytics tools, and any third parties with whom you shared the data.

Use server-side architecture. The most effective way to control what data is collected and where it goes is to route all data through your servers before it reaches any vendor. Server-side architecture lets you apply consent checks, strip identifiers, and restrict data sharing at the infrastructure level. When the browser never communicates directly with third-party platforms, you maintain full control over your MHMDA compliance.
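As an added illustration (not code from the original article or from Ours Privacy), the following Python sketches the server-side consent gate the steps above describe: an event counts as consumer health data only when a health-related page is linked to an identifier, it is not stored at all without collection consent, and it reaches each vendor only under the separate sharing or sale consent that names that vendor. The path patterns, identifier field names and vendor names are assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed patterns for pages that reveal an attempt to obtain health
# services (assumption: this site's condition pages, consultation form, search).
HEALTH_PATH_PATTERNS = [re.compile(p) for p in (
    r"^/conditions/", r"^/request-consultation", r"^/search\?q=.*therap")]
# Identifiers that make an event "reasonably linkable" to a person (assumed names).
IDENTIFIERS = ("ip", "email", "cookie_id", "device_id")


@dataclass
class Consent:
    """MHMDA consents held separately for one consumer; each can be revoked alone."""
    collect: bool = False
    share_with: set = field(default_factory=set)  # vendors named in sharing consent
    sell: bool = False


def is_consumer_health_data(event: dict) -> bool:
    """Health-related activity is consumer health data only when tied to an identifier."""
    linkable = any(event.get(k) for k in IDENTIFIERS)
    health = any(p.search(event.get("path", "")) for p in HEALTH_PATH_PATTERNS)
    return linkable and health


def gate(event: dict, consent: Consent, vendors: dict) -> dict:
    """Decide server-side what may be stored and what may leave to each vendor.

    vendors maps vendor name -> "share" or "sale", the legal character of the
    transfer, so the matching consent layer is checked for each destination.
    """
    if not is_consumer_health_data(event):
        return {"store": True, "forward": dict.fromkeys(vendors, True)}
    if not consent.collect:
        # Opt-in regime: without affirmative collection consent the event is dropped
        # before it is persisted or forwarded anywhere.
        return {"store": False, "forward": dict.fromkeys(vendors, False)}
    forward = {}
    for name, kind in vendors.items():
        if kind == "sale":
            forward[name] = consent.sell
        else:
            forward[name] = name in consent.share_with  # consent must name the recipient
    return {"store": True, "forward": forward}
```

Because the browser never talks to the vendors directly, revoking a consent is a single change to the Consent record that takes effect on the next event.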

FAQ

Does MHMDA apply to healthcare organizations outside Washington?

Yes, if they conduct business in Washington or target Washington consumers. A healthcare website accessible to Washington residents that collects consumer health data from those residents is subject to MHMDA. The law's jurisdiction is based on where the consumer is located, not where the organization is headquartered.

How does MHMDA differ from HIPAA for healthcare marketers?

MHMDA applies to entities beyond HIPAA-covered entities and business associates. It defines health data more broadly than HIPAA's PHI definition (including location data near healthcare facilities and data about attempts to obtain health services). It requires affirmative opt-in consent for data collection, not just for marketing uses. And it creates a private right of action, meaning consumers can sue directly. HIPAA is enforced exclusively by OCR at the federal level.

What does the private right of action mean in practice?

It means individual consumers and class action attorneys can file lawsuits against organizations that violate MHMDA. Unlike HIPAA, which requires an OCR investigation, MHMDA allows direct legal action. This significantly increases enforcement risk because class action attorneys have economic incentives to identify violations and pursue claims on behalf of large consumer groups.

Does the HIPAA exemption in MHMDA protect my organization?

Only for data that is already regulated under HIPAA. If your organization is a HIPAA-covered entity, your PHI is exempt from MHMDA. But consumer health data you collect through marketing activities that falls outside HIPAA's definition of PHI (such as website browsing behavior from non-patients or location data) may still be subject to MHMDA.

Can I use the same consent mechanism for both HIPAA and MHMDA?

Not likely. HIPAA authorization has specific content requirements defined by the Privacy Rule. MHMDA consent requires separate, affirmative consent for collection, sharing, and sale, with specific disclosures about third-party recipients and purposes. The two consent frameworks have different legal requirements and should be implemented as distinct consent flows, even if they are presented through the same consent management interface.

Washington's My Health My Data Act is the leading edge of a national trend toward stricter health data regulation at the state level. Marketing teams that build for MHMDA compliance today are positioned for the laws that other states will enact tomorrow. If your organization needs to implement consent-gated, server-side marketing infrastructure that meets MHMDA requirements, Ours Privacy provides the architecture designed for this regulatory environment.

Related reading:

  • State Health Privacy Laws: A Map of What Applies Where

  • FTC Health Breach Notification Rule: Plain English Summary

  • Cookie Consent vs HIPAA Authorization: They're Not the Same Thing

  • HIPAA and Marketing: What the Privacy Rule Actually Says