Navigating the New Frontier of Privacy: A Global Organization's Guide to Washington's My Health My Data Act (MHMDA)
A Formiti Data International Expert Briefing
For global organizations, the patchwork of data privacy regulation is a constant operational challenge. Just as you've operationalized GDPR and CCPA, a new, more stringent law has emerged from Washington State, and its impact is being felt globally. The My Health My Data Act (MHMDA) is a seismic shift in U.S. privacy, creating new compliance burdens, a broad new definition of sensitive data, and—most critically—an unprecedented risk of private lawsuits.
The first class-action lawsuits under MHMDA have already been filed, signaling that the grace period is over. This act is not a "wait and see" regulation. It demands immediate, strategic action. This article, prepared by the global compliance experts at Formiti Data International, provides a comprehensive guide for organizations on the planning, resources, and strategies required to meet MHMDA's stringent demands, including the strong case for outsourcing your compliance framework.
Section 1: What is the My Health My Data Act (MHMDA)?
The MHMDA is a state-level law designed to fill the gaps left by federal regulations like HIPAA. It governs "consumer health data," but it defines this term so broadly that it captures countless businesses that have never considered themselves "health" companies.
Who Does MHMDA Apply To? It applies to any organization that:
- Conducts business in Washington State, or
- Provides products or services targeted to consumers in Washington (regardless of your company's physical location).
For global organizations with a U.S. customer base, this means you are almost certainly in scope.
What is "Consumer Health Data"? This is the most critical element. MHMDA's definition is not limited to HIPAA's Protected Health Information (PHI). It includes any personal information that is "linked or reasonably linkable" to a consumer and identifies their past, present, or future physical or mental health status.
This includes data that is inferred or derived, such as:
- Visits to a pharmacy website or app.
- Searches for a specific medical condition or medication.
- Data from a fitness tracker, diet app, or sleep monitor.
- Location data that could reveal a visit to a health clinic.
- Purchases of vitamins, test kits, or other health-related products.
A retailer selling vitamins or a tech company with a wellness app is now in the same regulatory boat as a hospital, with even stricter consent rules.
⚖️ Section 2: MHMDA's Core Requirements: A New Gold Standard of Privacy
MHMDA's requirements are, in many ways, stricter than both GDPR and CCPA. Understanding them is key to a successful compliance plan.
- A Standalone Privacy Policy: You cannot just add a section to your existing policy. MHMDA mandates a separate and distinct link on your homepage for a "Consumer Health Data Privacy Policy."
- Strict, Dual Opt-In Consent: This is a major operational hurdle. You must obtain separate and distinct opt-in consent from a consumer before you can:
  - Collect or use their health data.
  - Share their health data.
  A single "I agree" checkbox in your terms of service is non-compliant.
- "Valid Authorization" to Sell: The law makes "selling" consumer health data almost impossible. It requires a formal, signed "Valid Authorization" with specific details, including the seller, buyer, and data being sold, which expires after one year.
- Absolute Consumer Rights: Consumers have the right to access their data and, significantly, the right to deletion. This right extends to all data, including data held in archives and backups, and you must pass the deletion request to all third parties you shared it with.
- Geofencing Prohibition: The act explicitly bans geofencing around any location that provides in-person healthcare services for the purpose of tracking visits, collecting data, or sending related messages.
The Billion-Dollar Risk: The Private Right of Action
This is what makes MHMDA the new apex predator of privacy laws. Unlike most U.S. privacy laws (including CCPA, for the most part), MHMDA grants individual consumers the right to sue a company directly for violations.
This opens the door to a flood of individual and, more importantly, class-action lawsuits. A single compliance failure—like an incorrect consent banner or a faulty data-deletion process—could now result in catastrophic financial and reputational damage.
Section 3: A Strategic Roadmap for MHMDA Compliance
For a global organization, retrofitting MHMDA compliance is a complex project. It requires a clear, phased approach.
Phase 1: Discover & Map (The "De-tangling")
Your first and hardest challenge is identifying what MHMDA-covered data you have. This requires a deep data discovery and mapping exercise.
- Key Question: Can our marketing analytics infer a health status from a user's browsing? Is that data segregated from non-sensitive data?
- Action: Conduct a comprehensive Data Mapping and Records of Processing Activities (RoPA) exercise focused specifically on MHMDA's broad definitions.
Phase 2: Gap Analysis & Framework Design
Once you know what you have, compare your current practices (e.g., GDPR/CCPA) against MHMDA's stricter rules.
- Key Question: Does our GDPR consent banner meet MHMDA's "dual opt-in" rule? (Almost certainly not.)
- Action: Perform a Gap Analysis. This will highlight the urgent needs: a new consent management flow, a new standalone policy, and an updated Data Subject Request (DSR) workflow.
Phase 3: Implementation & Operationalization
This is the technical build.
Action:
- Technology: Implement or update your Consent Management Platform (CMP).
- Legal: Draft and publish the standalone MHMDA privacy policy.
- Operations: Update your DSR portal to handle deletion from backups and manage third-party notifications.
- IT: Implement geofencing blocks if your app uses location data.
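The consent and deletion rules in Phase 3 are easiest to reason about as a small, testable control rather than a checkbox in a CMP. The following is an added example written for this briefing, not code from Formiti Data International or from any CMP product. It models the three rules the article states: separate opt-in records for "collect" and "share" (a generic terms acceptance is rejected outright), a "Valid Authorization" that must name seller, buyer and data and lapses after one year, and a deletion request that returns every third party the data was shared with so they can be notified. Consumer ids, vendor names, dates and the 365-day modelling of "one year" are all constructed assumptions.

```python
"""Consent ledger for MHMDA-style dual opt-in, Valid Authorization and deletion fan-out.

Added example; all identifiers and sample data are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# The two separate consents the article describes. Anything else is not a health-data consent.
PURPOSES = ("collect", "share")


@dataclass
class Consent:
    purpose: str
    granted_on: date
    withdrawn_on: Optional[date] = None

    def active_on(self, day: date) -> bool:
        """Consent counts only between grant and (exclusive) withdrawal."""
        if day < self.granted_on:
            return False
        return self.withdrawn_on is None or day < self.withdrawn_on


@dataclass
class ValidAuthorization:
    consumer_id: str
    seller: str
    buyer: str
    data_sold: str
    signed_on: date

    def current_on(self, day: date) -> bool:
        # Assumption: the one-year validity is modelled as 365 days from signature.
        return self.signed_on <= day < self.signed_on + timedelta(days=365)


class ConsentLedger:
    def __init__(self) -> None:
        self._consents: dict[str, list[Consent]] = {}
        self._shared_with: dict[str, set[str]] = {}   # consumer -> third parties who received data

    def grant(self, consumer_id: str, purpose: str, on: date) -> None:
        if purpose not in PURPOSES:
            # A blanket "I agree" to terms of service is not an MHMDA consent; refuse to record it.
            raise ValueError(f"not a recognised health-data consent purpose: {purpose!r}")
        self._consents.setdefault(consumer_id, []).append(Consent(purpose, on))

    def withdraw(self, consumer_id: str, purpose: str, on: date) -> None:
        for c in self._consents.get(consumer_id, []):
            if c.purpose == purpose and c.withdrawn_on is None:
                c.withdrawn_on = on

    def has_consent(self, consumer_id: str, purpose: str, day: date) -> bool:
        return any(c.purpose == purpose and c.active_on(day)
                   for c in self._consents.get(consumer_id, []))

    def may_collect(self, consumer_id: str, day: date) -> bool:
        return self.has_consent(consumer_id, "collect", day)

    def may_share(self, consumer_id: str, day: date) -> bool:
        # Sharing needs its own consent; collection consent alone is not enough.
        return self.has_consent(consumer_id, "share", day)

    def record_share(self, consumer_id: str, recipient: str, day: date) -> None:
        """Gate every outbound share and remember the recipient for later deletion notices."""
        if not self.may_share(consumer_id, day):
            raise PermissionError(f"no active sharing consent for {consumer_id} on {day}")
        self._shared_with.setdefault(consumer_id, set()).add(recipient)

    def may_sell(self, consumer_id: str, auth: ValidAuthorization, day: date) -> bool:
        """A sale needs a complete, unexpired Valid Authorization for this consumer."""
        return (auth.consumer_id == consumer_id
                and all((auth.seller, auth.buyer, auth.data_sold))
                and auth.current_on(day)
                and self.may_collect(consumer_id, day))

    def deletion_request(self, consumer_id: str) -> list[str]:
        """Erase the consumer's records and return the third parties that must be told to delete too."""
        notify = sorted(self._shared_with.pop(consumer_id, set()))
        self._consents.pop(consumer_id, None)
        return notify


def demo() -> dict:
    """Walk a constructed consumer ('alice') through the lifecycle and return the gate decisions."""
    ledger = ConsentLedger()
    ledger.grant("alice", "collect", date(2024, 7, 1))
    ledger.grant("alice", "share", date(2024, 7, 15))
    ledger.record_share("alice", "analytics-vendor", date(2024, 8, 1))
    ledger.record_share("alice", "ad-network", date(2024, 8, 10))
    ledger.withdraw("alice", "share", date(2024, 9, 1))
    auth = ValidAuthorization("alice", "Example Retail Co", "Data Buyer Inc",
                              "vitamin purchase history", date(2024, 8, 1))
    try:
        ledger.grant("bob", "terms", date(2024, 7, 1))   # blanket terms acceptance: rejected
        terms_rejected = False
    except ValueError:
        terms_rejected = True
    results = {
        "collect_ok": ledger.may_collect("alice", date(2024, 8, 1)),
        "share_before_grant": ledger.may_share("alice", date(2024, 7, 10)),
        "share_after_withdrawal": ledger.may_share("alice", date(2024, 9, 2)),
        "sell_within_year": ledger.may_sell("alice", auth, date(2025, 7, 31)),
        "sell_after_year": ledger.may_sell("alice", auth, date(2025, 8, 1)),
        "terms_rejected": terms_rejected,
        "bob_collect": ledger.may_collect("bob", date(2024, 8, 1)),
        "notify_on_deletion": ledger.deletion_request("alice"),
    }
    results["collect_after_deletion"] = ledger.may_collect("alice", date(2025, 1, 1))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of keeping the recipient set inside the ledger is that the deletion requirement in Phase 3 (pass the request to all third parties) is unworkable unless every share was gated and logged at the moment it happened; an after-the-fact hunt through integration configs will miss recipients.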
Phase 4: Monitor, Train, & Maintain
Compliance is not "set it and forget it."
- Action: Conduct regular audits of your consent records, train your marketing and product teams on the new restrictions, and monitor for new legal interpretations.
Section 4: The Strong Case for Outsourcing Your Framework & DPO
The plan in Section 3 highlights a critical resource problem. Do you have the internal budget, expertise, and time to execute this flawlessly? For most global organizations, the answer is no.
The Internal Challenge:
- The Expertise Gap: MHMDA is new and nuanced. A generalist "privacy counsel" or an IT team is not equipped to interpret its complexities, especially with the threat of lawsuits.
- The Cost: Hiring a full-time, U.S.-based privacy expert with MHMDA-specific knowledge is incredibly expensive, and you still only get the knowledge of one person.
- The Conflict of Interest: An internal Data Protection Officer (DPO) or compliance manager is often pressured by the business (e.g., the marketing team) to find "workarounds." This creates a massive risk.
The Solution: The Outsourced Framework & DPO Model
Outsourcing your compliance framework and DPO role to a specialist firm like Formiti Data International is no longer just a cost-saving measure; it is a strategic risk-management imperative.
- Instant, World-Class Expertise: Instead of one new hire, you gain access to an entire team of experts (legal, privacy, and operations) who live and breathe this. They have seen the challenges, built the frameworks, and know the pitfalls.
- Cost-Effectiveness & Scalability: A fractional or outsourced DPO service provides world-class expertise for a fraction of the cost of a single senior-level hire. This scales with your needs, so you are not over-paying for a resource you only need part-time.
- Guaranteed Independence: An external DPO has one job: ensure compliance and protect the organization. They can provide the objective, unvarnished advice your board needs to hear, free from internal business pressures.
- A Holistic, Global Framework: A key failing of internal teams is tackling laws one by one. This creates a messy, inefficient "patchwork" of compliance. An expert partner like Formiti builds a single, harmonized global privacy framework that accounts for GDPR, MHMDA, CCPA, and all other regulations, ensuring you are efficient, consistent, and protected.
Section 5: Why Formiti Data International is Your Trusted Partner
Formiti Data International was founded to make global data compliance straightforward, scalable, and stress-free. We don't just "advise"—we build, operate, and manage your compliance.
What sets us apart is our unique Three-Team Structure, which is deployed for every client, ensuring no detail is missed:
- The Legal Team: Interprets the letter of the law (like MHMDA's private right of action) and ensures your policies are legally sound.
- The Privacy Team: The architects and builders who conduct the data mapping, perform the gap analysis, and implement the technical controls and DSR workflows.
- The Operations Team: The project management powerhouse that ensures your compliance program runs smoothly, stays on track, and provides complete, transparent reporting to your stakeholders.
We don't just hand you a 50-page report and wish you luck. We provide the Outsourced DPO to act as your dedicated compliance lead and the project teams to build the framework from the ground up. We manage the complexity so you can focus on your business.
❓ Section 6: MHMDA Quick-Fire Q&A
Q: We are GDPR compliant. Are we automatically MHMDA compliant?
A: No. MHMDA is stricter in key areas, such as the standalone privacy policy, the ban on geofencing, and the dual opt-in consent for collection vs. sharing.
Q: What is the single biggest risk of MHMDA non-compliance?
A: The private right of action. This allows individuals (and their lawyers) to sue your company directly for damages, leading to a very high risk of expensive, reputation-damaging class-action lawsuits.
Q: Does MHMDA apply to my company if we have no office in Washington?
A: Yes. If you process the "consumer health data" of any Washington resident—for example, through your website, e-commerce store, or mobile app—you are in scope.
Q: What is the effective date of the MHMDA?
A: The law is already in effect. The main provisions took effect on March 31, 2024, for large organizations and June 30, 2024, for smaller businesses. The time to act was yesterday.
Your Next Step: Secure Your Compliance
The My Health My Data Act is a complex, high-stakes law that cannot be ignored. The risk of inaction—measured in multi-million dollar class-action lawsuits—is too great.
Don't wait to find out your compliance has gaps. The expert global team at Formiti Data International is ready to help you navigate MHMDA with a clear, cost-effective, and comprehensive plan.
Contact us today for a complimentary, no-obligation MHMDA scoping consultation to assess your organization's risk profile.
