Washington My Health My Data Act: AI Health Data Privacy, Consent, and Geofencing Prohibition
The Washington My Health My Data Act (MHMDA), effective March 31, 2024, is the broadest consumer health data privacy law in the United States. Unlike HIPAA, MHMDA covers any entity collecting consumer health data, including wellness apps, mental health chatbots, fitness AI, and behavioral analytics platforms with no HIPAA relationship. MHMDA defines consumer health data broadly to include data inferred from non-health signals (location, purchases, behavioral data). The geofencing prohibition categorically bans placing geofences around healthcare facilities. MHMDA provides a private right of action with treble damages under Washington's Consumer Protection Act, creating class action risk for AI products that process health data without consent.
MHMDA Scope: What Consumer Health Data Covers for AI
MHMDA defines consumer health data as any personal information linked to a consumer that identifies their past, present, or future physical or mental health. This covers: individual health conditions and diagnoses; social, psychological, and behavioral health interventions; surgeries and procedures; prescription medication use; bodily functions, vital signs, and symptoms from wearables; and — critically — data inferred from non-health signals to identify health status. The inference clause means that AI models using location, purchase history, or behavioral data to generate health-related predictions are processing consumer health data under MHMDA, even if the model inputs are not themselves medical records. This directly captures wellness AI, behavioral health platforms, and ad-tech that builds health profiles from consumer behavior.
HIPAA Exemption Is Narrow: Most Consumer Health AI Is Covered
MHMDA exempts PHI already governed by HIPAA notices — but only for that PHI, and only when held by a HIPAA-covered entity or business associate in that capacity. A HIPAA-covered hospital that collects patient data for treatment is exempt for that PHI — but the same hospital's wellness app or patient engagement AI using non-PHI data is covered. Any consumer-facing health app, wellness AI, or behavioral health platform with no HIPAA relationship is fully covered by MHMDA from the first day it collects health data from Washington residents. The HIPAA exemption does not apply to: employers running wellness programs; consumer fitness and wellness apps; digital therapeutics not operating as covered entities; or advertising platforms that build health profiles.
Consent Architecture Required for AI Health Data Systems
MHMDA requires meaningful, purpose-specific consent before collecting, using, or sharing consumer health data. Consent cannot be bundled in a general privacy policy or terms of service. Required consents: (1) collection consent before collecting health data for any purpose beyond the consumer's direct request; (2) sharing consent before sharing health data with third parties, even service providers; (3) inference consent before using non-health data to infer and share health status; (4) standalone written authorization before selling consumer health data. AI vendors are downstream third parties — sharing health data with an AI vendor for model training requires consumer consent even if the vendor signs a DPA.
Geofencing Prohibition: Categorical Ban Near Healthcare Facilities
MHMDA prohibits any regulated entity from implementing a geofence around a healthcare facility for the purpose of identifying, tracking, or collecting data from consumers seeking health services. This provision — effective July 25, 2023 — is absolute: there is no consent exception. You cannot ask consumers to consent to being geofenced around Planned Parenthood, addiction treatment centers, or mental health clinics. The prohibition covers the geofence itself, any inferences drawn from geofenced location signals, and sharing those inferences with advertisers or data brokers. This provision was a direct response to post-Dobbs data broker practices and is the first categorical restriction on location-based health data collection in US state law.
Private Right of Action and Class Action Risk Under CPA
Unlike Virginia CDPA or Texas TDPSA, MHMDA provides a private right of action through Washington's Consumer Protection Act (CPA). Consumers can sue for actual damages; willful violations enable treble (3×) damages. The AG also has independent enforcement authority with civil penalties up to $7,500 per violation. The first MHMDA class actions targeted health systems using Meta Pixel on patient portals — the pixel captured URL paths revealing which health conditions patients were researching (e.g., /appointments/oncology) and transmitted them to Meta without consent. This class action pattern is the dominant MHMDA enforcement risk for AI teams embedding third-party analytics or tracking SDKs on health-adjacent platforms.
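The pixel leakage pattern above can be caught before it becomes a class action by scanning what page URLs are handed to third-party tracking endpoints and redacting health-revealing path segments before the SDK sees them. The following is an added illustration written for this page, not code from any vendor or from the litigated portals; the sensitive segment list, the tracker host list, and the beacon log lines are constructed examples.

```python
import re
from urllib.parse import urlparse, urlunparse

# Constructed list of path segments that name a condition or service line
# (illustrative; a real deployment would derive this from its own URL map).
SENSITIVE_SEGMENTS = {"oncology", "psychiatry", "addiction", "hiv", "fertility", "abortion"}

# Constructed destinations to treat as third-party trackers (assumption, not from the page).
TRACKER_HOSTS = {"www.facebook.com", "analytics.example-tracker.net"}

def path_reveals_health(path: str) -> bool:
    """True when any URL path segment names a health condition or service line."""
    return any(seg.lower() in SENSITIVE_SEGMENTS for seg in path.split("/") if seg)

def redact_page_url(url: str) -> str:
    """Replace health-revealing path segments with a placeholder and drop the
    query string and fragment, so the value passed to a tracking SDK cannot
    reveal what the patient was viewing."""
    parts = urlparse(url)
    segs = [seg if seg.lower() not in SENSITIVE_SEGMENTS else "[redacted]"
            for seg in parts.path.split("/")]
    return urlunparse(parts._replace(path="/".join(segs), query="", fragment=""))

def find_leaks(beacon_log: str) -> list[tuple[str, str]]:
    """Scan outbound-beacon log lines of the form 'dest=<host> dl=<page-url>' and
    return (host, page_url) pairs where a tracker received a health-revealing path."""
    leaks = []
    for line in beacon_log.splitlines():
        m = re.search(r"dest=(\S+)\s+dl=(\S+)", line)
        if not m:
            continue
        host, page_url = m.groups()
        if host in TRACKER_HOSTS and path_reveals_health(urlparse(page_url).path):
            leaks.append((host, page_url))
    return leaks

# Constructed sample of outbound beacon records (not real traffic).
SAMPLE_LOG = """\
2024-04-02T10:01:07Z dest=www.facebook.com dl=https://portal.example.org/appointments/oncology?id=123
2024-04-02T10:01:09Z dest=cdn.example.org dl=https://portal.example.org/static/app.js
2024-04-02T10:02:11Z dest=www.facebook.com dl=https://portal.example.org/billing/statements
2024-04-02T10:03:40Z dest=analytics.example-tracker.net dl=https://portal.example.org/clinics/psychiatry/intake
"""

if __name__ == "__main__":
    for host, url in find_leaks(SAMPLE_LOG):
        print(f"LEAK to {host}: {url} -> safe value would be {redact_page_url(url)}")
```

Running the scan over the constructed log flags the two beacons whose page path names a service line; the third tracker beacon (a billing page) is not a health-revealing path and is left alone.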