March 26, 2026

Washington My Health My Data Act and When a Separate Notice Is Required

Washington can require a separate consumer health data notice and a prominent homepage link.

Washington's My Health My Data Act centers on consumer health data, and it defines that term far more broadly than traditional medical records, reaching wellness, reproductive health, symptom, treatment, and diagnosis information along with anything used to infer a health condition. Many businesses that never thought of themselves as handling health data fall inside it, so the first step is testing your data against the definition rather than your industry label.

The Act applies to any regulated entity or small business that does business in Washington or targets Washington consumers and decides how and why consumer health data is collected, processed, shared, or sold, and it sets no revenue or headcount threshold to screen anyone out. Regulated entities have been covered since March 31, 2024, and smaller businesses since June 30, 2024, so a symptom checker, a fertility app, a supplement seller, a telehealth tool, or even a retailer that infers a health condition from purchases can owe a Washington notice.

When the Act applies, RCW 19.373.020 requires a separate consumer health data privacy policy, not a paragraph folded into the general one, and it has to disclose the categories of health data collected, the purposes, the categories of sources, the categories shared, the third parties and named affiliates that receive it, and how a consumer exercises rights. The same section requires a prominent link to that policy on the homepage, so a covered business needs a distinct notice, a distinct link, and a clean boundary around the data the notice governs.

RCW 19.373.040 grants Washington consumers the right to confirm and access their health data, to withdraw consent where consent is the basis for collecting or sharing it, to have it deleted, and to appeal a denial, so a business that publishes the notice also needs a request path and an appeal path that carry those rights in practice. The notice has to track what the business does, because a vague data map produces a vague notice, and the mismatch shows on the page.

The Act goes beyond disclosure, because it bans geofencing around in-person health care services when the geofence is used to track a consumer, collect their health data, or send targeted messages, and it allows the sale of consumer health data only under a separate, valid authorization. The homepage notice is only one part of compliance, so the review should also cover tracking, sharing, sales, and any feature that touches a physical health care location or a sensitive health inference.

A Washington review starts by testing your data against the consumer health data definition, then moves to building the separate notice and placing the homepage link. Get the data map right first, because the notice can only be as accurate as the business's understanding of which health categories it collects, who receives them, and how a consumer acts on the rights the law grants.

Key Takeaways

  • Washington's My Health My Data Act turns on a broad definition of consumer health data that includes inferences, so test your data against the definition, not your industry.
  • The Act sets no revenue or consumer threshold, and regulated entities have been covered since March 31, 2024, with smaller businesses since June 30, 2024.
  • A covered business needs a separate consumer health data privacy policy, a prominent homepage link, and request and appeal paths for the rights the law grants.
  • The Act also bans geofencing around health care locations and allows the sale of health data only under a separate authorization.
