Federal HIPAA vs. State Privacy Laws
HIPAA sets the federal floor for health information privacy, but state laws often go further. A state law that is more protective than HIPAA is not preempted, so a covered entity must satisfy both, which in practice means following the stricter state rule. Understanding preemption is essential for multi-state compliance.
Federal HIPAA
The Health Insurance Portability and Accountability Act and its implementing regulations (the Privacy, Security and Breach Notification Rules in 45 C.F.R. Parts 160 and 164) set the baseline national standard for protecting health information. HIPAA preempts contrary state law, with important exceptions.
State Privacy Laws
State laws that provide greater privacy protections than HIPAA are NOT preempted. States can (and do) impose stricter breach notification timelines, broader definitions of protected information, and additional patient rights.
The HIPAA Preemption Rule
Under 45 C.F.R. § 160.203, HIPAA preempts (overrides) state law except when the state law:
Is MORE STRINGENT than HIPAA with respect to privacy of individually identifiable health information
Provides for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention
Requires a health plan to report or provide access to information for management audits, financial audits, program monitoring and evaluation, or facility licensure or certification
Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of controlled substances (one of the grounds on which the Secretary may grant an exception)
Has otherwise been granted an exception by the HHS Secretary, for example as necessary to prevent fraud and abuse or to ensure appropriate state regulation of insurance and health plans
Key takeaway: “More stringent” is defined in 45 C.F.R. § 160.202. A state law is more stringent if it further prohibits or restricts a use or disclosure, gives individuals greater rights of access or amendment, gives them more information about uses, disclosures and their rights and remedies, narrows the scope or duration of an authorization or consent, requires more detailed or longer record-keeping or accounting of disclosures, or otherwise provides greater privacy protection for the individual. Preemption only arises when the state law is also “contrary” to HIPAA, meaning a covered entity cannot comply with both or the state law stands as an obstacle to HIPAA's purposes. When in doubt, follow whichever law gives the patient more protection.
Common Areas of Conflict
| Area | Federal HIPAA | State Laws (Common Patterns) |
|---|---|---|
| Breach Notification Timeline | Without unreasonable delay and in no case later than 60 calendar days after discovery (45 C.F.R. § 164.404(b)). The 60 days are an outer limit, not a safe harbor; HHS guidance treats unnecessary delay within that window as a violation. | Many states set a shorter fixed deadline. Examples: Florida (30 days, under FIPA), Ohio (45 days), California (in the most expedient time possible and without unreasonable delay). A growing number of states require notification within 30 days or less. |
| Breach Notification Recipients | Affected individuals; HHS (within 60 days for breaches affecting 500 or more individuals, otherwise logged and reported annually); and prominent media outlets when 500 or more residents of one state or jurisdiction are affected. 45 C.F.R. §§ 164.404-164.408. | Many states also require notification to the state attorney general or a designated state agency, usually above a resident-count threshold. Some require notification to consumer reporting agencies for large breaches. |
| Definition of Protected Information | PHI is individually identifiable health information created, received, maintained or transmitted by a covered entity or business associate (45 C.F.R. § 160.103). The familiar list of 18 identifiers is the Safe Harbor de-identification standard (§ 164.514(b)(2)), not the definition of PHI: information about an identifiable patient is PHI even if it contains none of the 18. | Some states define protected health information more broadly. California's CMIA covers medical information held by providers of health care, health plans, contractors, and certain businesses that maintain medical information (including some health apps) that are not HIPAA covered entities. Some state breach laws also cover additional data elements. |
| Minor Consent and Access | HIPAA defers to state law on minors. If state law lets a minor consent to a service and no other consent is required, the minor (rather than the parent) is treated as the individual for PHI about that service, and a parent's access to those records is then governed by state law (45 C.F.R. § 164.502(g)(3)). | States vary widely. Many states allow minors to consent to mental health, substance use, reproductive health, or STI treatment without parental involvement. In those cases, the minor (not the parent) controls access to the PHI. |
| Reproductive Health | A 2024 amendment to the Privacy Rule (45 C.F.R. § 164.502(a)(5)(iii)) prohibits using or disclosing PHI to investigate or impose liability on anyone for seeking, obtaining, providing or facilitating lawful reproductive health care, and requires a signed attestation for certain disclosure requests (§ 164.509). Caveat: the rule was challenged in federal court, and a June 2025 district court decision (Purl v. HHS, N.D. Tex.) vacated most of it nationwide; verify its current status before relying on it. | States vary dramatically post-Dobbs. Some states have enacted strong reproductive health privacy and shield laws. Others have laws that could compel disclosure. The interaction between the federal rule and state laws is still developing. |
| Mental Health Records | Psychotherapy notes receive heightened protection under HIPAA. Authorization required for most uses and disclosures (45 C.F.R. § 164.508(a)(2)). General mental health information follows standard PHI rules. | Many states impose stricter protections on all mental health information (not just psychotherapy notes). Some states require specific patient consent before any mental health disclosure, even for treatment purposes. |
| Substance Use Disorder Records | 42 C.F.R. Part 2 (a separate federal regulation, not HIPAA) governs substance use disorder records from federally assisted programs and is more restrictive than HIPAA. A February 2024 final rule aligns Part 2 more closely with HIPAA (for example, a single patient consent covering treatment, payment and operations), with compliance required by February 2026. | Many states have additional protections for substance use treatment records. Some require court orders for disclosure even where 42 C.F.R. Part 2 would permit it. |
| Genetic Information | GINA Title I bars health insurers from using genetic information for underwriting or eligibility; Title II bars employers from using it in employment decisions. HIPAA treats genetic information as health information and prohibits health plans from using it for underwriting (45 C.F.R. § 164.502(a)(5)(i)). | Many states have genetic privacy laws that go beyond GINA, most notably by covering life, disability, and long-term care insurers, which GINA does not reach. Some require informed consent before genetic testing or control the retention and disclosure of test results. |
| Right of Access | Individuals have the right to access their PHI within 30 days of the request, with one 30-day extension permitted. A reasonable, cost-based fee is allowed. 45 C.F.R. § 164.524. | Some states provide shorter access timelines. Some limit or prohibit fees. California requires copies to be provided within 15 days of the request (Health & Safety Code § 123110). Some states provide broader access rights than HIPAA. |
| Private Right of Action | HIPAA does NOT provide a private right of action; individuals cannot sue under HIPAA directly. Enforcement is through HHS OCR and state attorneys general (the latter under the HITECH Act). Courts have, however, sometimes used HIPAA as the standard of care in state negligence claims. | Many state laws DO provide a private right of action for health information privacy violations (California's CMIA, for example, allows statutory damages per violation). Individuals can sue directly under state law even though they cannot sue under HIPAA. |
How to Determine Which Law Applies
Identify all applicable laws
For every state where you operate, treat patients, or have business associates, identify the relevant state health information privacy laws. This includes breach notification statutes, medical records laws, mental health privacy laws, and any consumer privacy laws that cover health data.
Compare each state provision against HIPAA
For each relevant area (breach notification, patient access, consent requirements, etc.), compare the state requirement against the HIPAA requirement. Use the 'more stringent' definition from 45 C.F.R. § 160.202.
Follow whichever is more protective
If the state law provides greater protection to the individual, it is not preempted and you must follow it. If HIPAA is more protective, HIPAA controls. Preemption is only at issue where the two are contrary, meaning you cannot comply with both (45 C.F.R. § 160.202); where both can be satisfied, comply with both. Apply this analysis provision by provision, not law by law. One state law may be more stringent in some areas and less stringent in others.
Document your analysis
Maintain a state-by-state compliance matrix that maps each key requirement to the controlling law. Update annually or whenever state laws change. This documentation demonstrates diligence to regulators.
When in doubt, apply the stricter standard
If the analysis is ambiguous, apply the more protective standard. Extra privacy protection rarely creates legal risk, with one important exception: restricting a patient's own access to records more than the law allows can itself violate HIPAA's right of access and the federal information blocking rules (45 C.F.R. Part 171). Under-compliance always creates risk.
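The five steps above can be captured in a small script that builds the state-by-state matrix and applies the "more stringent" test one provision at a time. This is an added example, not code from the original page: the direction of "more stringent" is encoded per provision (shorter deadline, extra notice, or prohibited fee all count as more protective), HIPAA's values and the Florida, Ohio and California figures come from the table above, the attorney-general notice flags are this example's assumption to be checked against the statutes, and "ExampleState" is hypothetical, included only to show a less stringent provision losing to HIPAA.

```python
"""Provision-by-provision HIPAA preemption matrix (illustrative, not legal advice)."""
from dataclasses import dataclass
from typing import Dict, Optional, Union

Value = Union[int, bool, None]

# Direction in which a value becomes "more stringent" under 45 C.F.R. § 160.202.
#   "min":   a smaller number protects the individual more (a shorter deadline)
#   "true":  True protects more (an extra notice or remedy is required)
#   "false": False protects more (a burden on the individual is prohibited)
PROVISIONS: Dict[str, str] = {
    "breach_notice_days": "min",
    "access_days": "min",
    "access_fee_allowed": "false",
    "ag_notice_required": "true",
    "private_right_of_action": "true",
}

# Federal floor, taken from the comparison table.
HIPAA: Dict[str, Value] = {
    "breach_notice_days": 60,        # outer limit, 45 C.F.R. § 164.404(b)
    "access_days": 30,               # 45 C.F.R. § 164.524(b)(2)
    "access_fee_allowed": True,      # reasonable cost-based fee, § 164.524(c)(4)
    "ag_notice_required": False,     # HIPAA notifies HHS, not state attorneys general
    "private_right_of_action": False,
}

# Constructed sample input. The deadlines and California's access/private-action
# entries come from the comparison table. The attorney-general notice flags are
# this example's assumption (verify against Fla. Stat. § 501.171 and Cal. Civ.
# Code § 1798.82). "ExampleState" is hypothetical. An absent key means the state
# law is silent on that provision.
STATES: Dict[str, Dict[str, Value]] = {
    "Florida": {"breach_notice_days": 30, "ag_notice_required": True},
    "Ohio": {"breach_notice_days": 45},
    "California": {"access_days": 15, "private_right_of_action": True,
                   "ag_notice_required": True},
    "ExampleState": {"breach_notice_days": 90, "access_days": 45},
}


@dataclass(frozen=True)
class Outcome:
    provision: str
    value: Value      # the requirement you must actually meet
    controlling: str  # "state", "HIPAA", or "both" (identical requirements)


def more_protective(provision: str, a: Value, b: Value) -> Optional[bool]:
    """True if a protects the individual more than b, False if less, None if equal."""
    if a == b:
        return None
    direction = PROVISIONS[provision]
    if direction == "min":
        return a < b
    if direction == "true":
        return a is True
    return a is False


def controlling_requirement(provision: str, state_value: Value) -> Outcome:
    """Apply § 160.203 to one provision of one state's law."""
    federal = HIPAA[provision]
    if state_value is None:
        # State law silent: only HIPAA applies.
        return Outcome(provision, federal, "HIPAA")
    stricter = more_protective(provision, state_value, federal)
    if stricter is None:
        return Outcome(provision, federal, "both")
    if stricter:
        # A more stringent state law is not preempted (§ 160.203(b)); follow it.
        return Outcome(provision, state_value, "state")
    # Less stringent: HIPAA's requirement still binds. If the two are contrary the
    # state provision is preempted; if both can be met, meeting HIPAA does so.
    return Outcome(provision, federal, "HIPAA")


def compliance_matrix(states: Dict[str, Dict[str, Value]]) -> Dict[str, Dict[str, Outcome]]:
    """State-by-state matrix mapping each provision to the requirement that binds."""
    return {
        name: {p: controlling_requirement(p, law.get(p)) for p in PROVISIONS}
        for name, law in states.items()
    }


def strictest_across(matrix: Dict[str, Dict[str, Outcome]], provision: str) -> Value:
    """Most protective binding value across all states, for an enterprise-wide floor."""
    best: Value = None
    for outcomes in matrix.values():
        value = outcomes[provision].value
        if best is None or more_protective(provision, value, best):
            best = value
    return best


if __name__ == "__main__":
    matrix = compliance_matrix(STATES)
    for state, outcomes in matrix.items():
        print(state)
        for o in outcomes.values():
            print(f"  {o.provision:<24} {str(o.value):<6} ({o.controlling})")
    print("Enterprise floor, breach notice days:",
          strictest_across(matrix, "breach_notice_days"))
```

Two design points matter here. A state that is silent on a provision is not the same as a state that is less stringent, so absence is modeled as None and falls through to HIPAA rather than being compared. And California's "without unreasonable delay" breach standard is not a fixed number, so it is left unmodeled; HIPAA's 60-day outer limit still applies alongside it, which the matrix reflects by reporting HIPAA as controlling for that cell.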
State Laws Vary Widely
This comparison covers general patterns across state laws. Actual requirements differ significantly by state. California (CMIA, CCPA/CPRA), Texas (HB 300, which applies to any entity handling PHI, not just HIPAA covered entities), and Washington (My Health My Data Act, which carries a private right of action) are among the states with the most expansive health-specific privacy laws; New York (SHIELD Act) and Massachusetts (201 CMR 17.00) are general data security and breach laws that also reach health data. Organizations operating in multiple states must conduct a state-specific analysis. There is no shortcut to multi-state compliance.