Washington's My Health My Data Act covers health-related website tracking and has a private right of action.
The Washington My Health My Data Act (HB 1155, codified at chapter 19.373 RCW; most provisions effective March 31, 2024 for regulated entities and June 30, 2024 for small businesses) is one of the most expansive health data privacy laws in the US. It covers "consumer health data" broadly, applies to entities regardless of HIPAA coverage, and includes a private right of action that enables class-action litigation.
Full Name
Washington My Health My Data Act
Jurisdiction
Washington State
Penalties
The MHMDA declares a violation an unfair or deceptive act under Washington's Consumer Protection Act (RCW 19.86), which authorizes the Washington AG to bring enforcement actions and seek civil penalties. Critically, the same route gives individual consumers a private right of action for actual damages, exemplary damages of up to three times actual damages (capped at $25,000), and attorneys' fees. The Act provides no statutory damages, so, unlike VPPA or CIPA claims, a plaintiff must still show injury to business or property; even so, the private right of action makes the MHMDA a significant class-action risk for companies that have not addressed health data tracking on their websites.
What It Is
Overview of MHMDA
The MHMDA regulates the collection, sharing, and sale of consumer health data by any regulated entity that conducts business in Washington or targets Washington consumers. "Consumer health data" is defined as personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status, including health conditions, medications, health care services sought or received, reproductive or sexual health, biometric and genetic data, precise location that could reasonably indicate an attempt to obtain health services, and data derived or extrapolated from non-health information (proxy, derivative, inferred, or emergent data, including by algorithms or machine learning). Website-level data such as URL paths on health-condition-specific pages, search queries, and inferences drawn from page visits may therefore meet this definition.
Who It Covers
Scope and private right of action
Any legal entity that (1) conducts business in Washington or produces or provides products or services targeted to consumers in Washington, and (2) alone or jointly with others determines the purpose and means of collecting, processing, sharing, or selling consumer health data. Unlike HIPAA, the MHMDA is not limited to covered entities, and its HIPAA carve-out applies to the data rather than the entity: protected health information already regulated under HIPAA is exempt, but data that is not PHI (for example, tracking data about website visitors who are not patients) remains in scope even when the site belongs to a covered entity. Any commercial entity handling health-related data about Washington residents is therefore potentially in scope, including marketing technology companies, analytics vendors, and general-purpose websites with health-related content.
Exposure Triggers
What creates MHMDA exposure for websites
The MHMDA's broad definition of consumer health data and its application to inferential data means that website analytics and advertising technologies on health-adjacent content may be in scope.
Health-condition-specific page tracking
Advertising pixels and analytics tools that collect URL-level data on pages about specific health conditions, medications, or procedures may be collecting "consumer health data" under the MHMDA definition if that data can be linked to an individual Washington consumer.
Search query capture on health-related sites
Search tracking scripts that capture query strings on health information sites, hospital sites, or wellness platforms may capture health-related queries that fall within the MHMDA's definition of consumer health data.
Geolocation tracking near health facilities
The MHMDA covers precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies. Mobile analytics tools that track precise location may be in scope when that location information indicates health-related activity. Separately, the Act prohibits implementing a geofence (a virtual boundary within 2,000 feet of the perimeter) around an entity that provides in-person health care services when the geofence is used to identify or track consumers seeking health care, collect their health data, or send them health-related notifications or advertisements; that prohibition has no consent exception.
Demand Letter Response
MHMDA enforcement and private right of action
Because the MHMDA includes a private right of action, litigation risk is not limited to AG enforcement. Plaintiffs' attorneys who have developed HIPAA pixel, VPPA, and CIPA practices are evaluating MHMDA claims. A demand letter under the MHMDA will identify a specific tracking technology on a health-related page and allege that it collected and shared consumer health data without the required consent. The consent requirements are significant and layered: collecting consumer health data beyond what is necessary to provide a product or service the consumer requested requires opt-in consent; sharing it requires a separate, distinct consent; and selling it requires a signed "valid authorization" that is separate from both. Consent must be a clear affirmative act that is freely given, specific, informed, voluntary, and unambiguous, and the Act states that it cannot be obtained through acceptance of general or broad terms of use, through hovering over, muting, pausing, or closing content, or through dark patterns.
Evidence Support
MHMDA technical compliance documentation
MHMDA compliance requires documenting which technologies are active on health-related pages, what data they collect, and whether the required consent was obtained before collection.
Health-page script inventory
Lokker identifies every third-party script active on pages that contain health-related content or are health-condition-specific, and documents what data each script collects and transmits.
Consent mechanism validation
Consent Validator tests whether analytics and advertising pixels are blocked until affirmative consent is obtained on health-related pages, consistent with the MHMDA's consent requirements.
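The exposure triggers above (URL-level pixel data on condition pages, search query capture) and the evidence questions in this section (which third parties fired on a health page, what they carried, and whether that happened before consent) can be checked mechanically against a browser capture. The following is an added example written for this page, not Lokker's tooling or code from the Act: it audits a list of captured requests, of the kind exported from a HAR file, and reports tracker calls that transmitted a health-related path or search term before the consent timestamp. The hostnames, the health path terms, the tracker list, the pixel parameter names (dl, rl, url, u) and the capture itself are constructed assumptions for the demo.

```javascript
// Added example, not Lokker's tooling: audit a captured list of browser requests
// (e.g. exported from a HAR file) for third-party tracker calls that transmitted
// health-related page data before affirmative consent was recorded. Hostnames,
// parameter names and the capture below are constructed assumptions for the demo.

const FIRST_PARTY_HOST = "www.example-clinic.org"; // assumed first-party site

// Path fragments that mark a page as health-condition-specific (assumption; tune per site).
const HEALTH_PATH_TERMS = ["/conditions/", "/medications/", "/treatments/", "/symptoms/"];

// Site-search path whose "q" parameter is a captured search query (assumption).
const SEARCH_PATH = "/search";

// Third-party hosts treated as trackers (assumption; a real inventory is far larger).
const TRACKER_HOSTS = {
  "www.facebook.com": "Meta Pixel",
  "www.google-analytics.com": "Google Analytics",
  "bat.bing.com": "Microsoft UET",
};

// Request parameters that commonly carry the document URL in pixel payloads
// (assumption; check each vendor's documented payload format).
const PAGE_URL_PARAMS = ["dl", "rl", "url", "u"];

// Classify a document URL: "condition_page", "search_query", or null (not health-related).
function classifyPage(pageUrl) {
  const u = new URL(pageUrl);
  const path = u.pathname.toLowerCase();
  if (HEALTH_PATH_TERMS.some((t) => path.includes(t))) return "condition_page";
  if (path === SEARCH_PATH && u.searchParams.get("q")) return "search_query";
  return null;
}

// What the tracker request actually carried about the page: any parameter whose
// value is itself a health-related URL, with the path or search term it exposes.
function extractTransmitted(trackerUrl) {
  const transmitted = [];
  for (const name of PAGE_URL_PARAMS) {
    const value = trackerUrl.searchParams.get(name);
    if (!value) continue;
    let inner;
    try {
      inner = new URL(value);
    } catch {
      continue; // not a URL; nothing to classify
    }
    const kind = classifyPage(inner.href);
    if (kind === "condition_page") transmitted.push({ param: name, path: inner.pathname });
    if (kind === "search_query") transmitted.push({ param: name, query: inner.searchParams.get("q") });
  }
  return transmitted;
}

// requests: [{ startedAt (ms), page (document URL), url (request URL) }]
// consentAt: ms timestamp when the consumer's affirmative consent was recorded,
//            or null if no consent was ever recorded in the capture.
function auditCapture(requests, consentAt) {
  const findings = [];
  for (const r of requests) {
    const target = new URL(r.url);
    if (target.hostname === FIRST_PARTY_HOST) continue; // first-party calls are not third-party sharing
    const tracker = TRACKER_HOSTS[target.hostname];
    if (!tracker) continue; // unknown third party: inventory it separately
    const category = classifyPage(r.page);
    if (!category) continue; // tracker on a non-health page is outside this check
    findings.push({
      tracker,
      category,
      page: r.page,
      transmitted: extractTransmitted(target),
      beforeConsent: consentAt === null || r.startedAt < consentAt,
    });
  }
  return findings;
}

// The findings a demand letter would cite: health data sent to a third party pre-consent.
function preConsentFindings(findings) {
  return findings.filter((f) => f.beforeConsent);
}

// Constructed capture: a homepage view, a condition page, a site search, and a
// medication page, with the consent banner accepted at t = 4000 ms.
const CAPTURE = [
  { startedAt: 1000, page: "https://www.example-clinic.org/",
    url: "https://www.google-analytics.com/g/collect?v=2&en=page_view&dl=https%3A%2F%2Fwww.example-clinic.org%2F" },
  { startedAt: 2000, page: "https://www.example-clinic.org/conditions/hiv-testing",
    url: "https://www.facebook.com/tr/?id=111&ev=PageView&dl=https%3A%2F%2Fwww.example-clinic.org%2Fconditions%2Fhiv-testing" },
  { startedAt: 2100, page: "https://www.example-clinic.org/conditions/hiv-testing",
    url: "https://www.example-clinic.org/api/content" },
  { startedAt: 2500, page: "https://www.example-clinic.org/search?q=abortion+pill",
    url: "https://www.google-analytics.com/g/collect?v=2&en=page_view&dl=https%3A%2F%2Fwww.example-clinic.org%2Fsearch%3Fq%3Dabortion%2Bpill" },
  { startedAt: 5000, page: "https://www.example-clinic.org/medications/prep",
    url: "https://www.facebook.com/tr/?id=111&ev=PageView&dl=https%3A%2F%2Fwww.example-clinic.org%2Fmedications%2Fprep" },
];
const CONSENT_AT = 4000;

const FINDINGS = auditCapture(CAPTURE, CONSENT_AT);
console.log(JSON.stringify(preConsentFindings(FINDINGS), null, 2));
```

On the constructed capture the audit reports two pre-consent findings (the Meta Pixel call carrying /conditions/hiv-testing and the Google Analytics call carrying the search term "abortion pill") and one post-consent call that is logged but not flagged; the first-party API call and the homepage pixel are ignored. Passing null for the consent timestamp, the case where the site has no consent banner at all, flags every health-page tracker call. In practice the page classifier and tracker list are the parts to invest in: the path terms should come from the site's own content taxonomy, and the tracker list from a real script inventory rather than a hand-written map.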
Frequently Asked Questions
Common questions about MHMDA
Is the MHMDA only relevant to healthcare companies?
No. The MHMDA applies to any company that handles consumer health data about Washington residents, including general-purpose websites with health-related content, wellness apps, insurance comparison sites, and marketing technology companies that process health-adjacent behavioral data.
How does MHMDA differ from HIPAA?
HIPAA applies only to covered entities (healthcare providers, health plans, and clearinghouses) and their business associates, and only to protected health information. The MHMDA applies to any regulated entity handling consumer health data about Washington residents, regardless of HIPAA coverage status; it exempts PHI that HIPAA already governs, not the organizations that hold it. A tech company that is not a HIPAA covered entity may still be subject to the MHMDA, and a covered entity may be too for data that is not PHI, such as website tracking of visitors who are not patients.
Defense Counsel Network
Received a MHMDA demand letter or are under investigation?
Lokker works alongside defense counsel who handle MHMDA-related website privacy cases. We provide the technical evidence documentation your attorneys need and can make the right introduction to law firms that specialize in this area. Contact us now.