State Privacy Laws vs Federal HIPAA Requirements

Navigating state privacy laws alongside federal HIPAA rules is one of the most complex challenges facing healthcare organizations that operate across multiple jurisdictions. While HIPAA establishes a national baseline for protecting health information, it does not occupy the field entirely. States retain broad authority to enact their own privacy protections, and many have done so with rules that exceed HIPAA in significant ways.

For compliance officers, attorneys, and healthcare administrators, the interaction between state and federal privacy law demands careful analysis. Applying the wrong standard in the wrong jurisdiction can expose an organization to regulatory action, civil liability, and reputational harm. This guide examines how the federal preemption doctrine works, highlights key state laws that affect healthcare organizations, and offers practical strategies for building a multi-state compliance program.

The Federal Preemption Doctrine

How HIPAA Preemption Works

HIPAA includes a preemption provision that governs its relationship with state law. Under 45 CFR 160.203, HIPAA preempts state laws that are contrary to the federal requirements. However, this preemption is not absolute. A state law is not preempted if it is more stringent than the corresponding HIPAA requirement in protecting patient privacy or in providing patients with greater rights regarding their health information.

This “floor, not ceiling” approach means that HIPAA sets the minimum standard for privacy protection. States are free to impose requirements that go further than HIPAA, and when they do, healthcare organizations must comply with both the federal standard and the more restrictive state standard.

The “More Stringent” Standard

Determining whether a state law is “more stringent” requires analyzing the specific regulatory requirement at issue. Under 45 CFR 160.202, a state law is more stringent than HIPAA if it meets any of the following criteria:

  • Prohibits or restricts a use or disclosure that HIPAA would permit
  • Provides individuals with greater access to their own health information
  • Requires more detailed record-keeping or documentation than HIPAA mandates
  • Provides individuals with greater rights to amend or correct their records
  • Narrows the scope of permitted uses and disclosures beyond what HIPAA allows
  • Requires more stringent breach notification than the HIPAA Breach Notification Rule

When a state law is determined to be more stringent, organizations must follow the state law in that jurisdiction while still meeting all other HIPAA requirements. This creates a layered compliance obligation that can vary greatly from state to state.

Exceptions to Preemption

Several categories of state law are explicitly exempt from HIPAA preemption regardless of whether they are more or less stringent:

  • State laws governing reporting of disease, injury, child abuse, birth, or death
  • Public health surveillance and investigation laws
  • Laws requiring health plan reporting for management, financial audits, or program monitoring
  • State laws governing health plan regulation, including licensure and certification

These exceptions ensure that key state public health and regulatory functions continue to operate without interference from the federal privacy framework.

Key State Privacy Laws Affecting Healthcare

California: CCPA, CPRA, and CMIA

California has the most extensive state privacy framework in the nation. Healthcare organizations operating in California must navigate multiple overlapping laws:

The Confidentiality of Medical Information Act (CMIA) predates HIPAA and imposes additional restrictions on the use and disclosure of medical information. CMIA applies to healthcare providers, health insurers, and their contractors, with several provisions that exceed HIPAA:

  • Written authorization requirements that are more detailed than HIPAA’s authorization standard
  • Restrictions on marketing uses of health information that go beyond HIPAA’s marketing provisions
  • A private right of action allowing patients to sue for unauthorized disclosures, with statutory damages of $1,000 per violation plus actual damages
  • Criminal penalties for knowing and willful unauthorized disclosure

The California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), generally exempt health information governed by HIPAA. However, the exemption applies only to information that is actually protected by HIPAA. Consumer health data collected outside the HIPAA framework, such as health information gathered by wellness apps or direct-to-consumer health services, may fall under CCPA/CPRA protections instead.

New York: SHIELD Act

The New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act greatly expanded New York’s data breach notification requirements and imposed affirmative data security obligations on businesses that hold private information of New York residents.

Key SHIELD Act provisions relevant to healthcare organizations include:

  • An expanded definition of private information that includes biometric data and a username or email address combined with a password
  • Broader breach notification triggers, including unauthorized access to data, not just acquisition
  • Mandatory security program requirements, including administrative, technical, and physical safeguards
  • Penalties of up to $5,000 per violation for failure to comply with the security requirements, with a cap of $250,000 for breach notification failures

The SHIELD Act’s security requirements parallel HIPAA’s Security Rule in many respects but apply to a broader range of data types and impose some obligations that exceed HIPAA’s provisions.

Texas: HB 300 and the Texas Medical Records Privacy Act

Texas enacted House Bill 300 in 2012, creating one of the most aggressive state health privacy laws in the country. Key provisions include:

  • An expanded definition of covered entities that goes beyond HIPAA’s categories to include any person who assembles, collects, or obtains PHI
  • Training requirements mandating that employees with access to PHI complete privacy training within 90 days of hire and every two years thereafter
  • Enhanced penalties, with civil penalties ranging from $5,000 to $250,000 per violation depending on severity
  • Consumer health privacy protections that apply to entities not covered by HIPAA, filling gaps in federal protection
  • Restrictions on electronic disclosure, with specific rules for transmitting health information electronically
  • State AG enforcement, with explicit authority for the Texas Attorney General to investigate violations and pursue penalties

Texas HB 300 is particularly significant because it extends privacy obligations to entities that fall outside HIPAA’s covered entity and business associate framework, creating a broader protective net for patient health information.

Massachusetts: 201 CMR 17.00

Massachusetts 201 CMR 17.00 establishes comprehensive data protection requirements for any organization that owns or licenses personal information of Massachusetts residents. While not specific to healthcare, the regulation imposes requirements that affect healthcare organizations operating in the state:

  • A Written Information Security Program (WISP) requirement with specific mandated elements
  • Encryption requirements for personal information transmitted wirelessly or stored on portable devices
  • Access control requirements, including unique user IDs, secure authentication, and restrictions on access to records
  • Monitoring requirements for unauthorized access to or use of personal information
  • Vendor management obligations, including contractual requirements for third-party service providers

Massachusetts 201 CMR 17.00 is notable for its prescriptive technical requirements, which in some areas exceed the flexibility that HIPAA’s Security Rule provides through its “addressable” implementation specifications.

Breach Notification Variations by State

The Patchwork of State Requirements

Every U.S. state and territory has enacted its own breach notification law, creating a complex patchwork that healthcare organizations must navigate when a data breach occurs. While the HIPAA Breach Notification Rule provides a federal baseline, state laws often impose additional or different requirements.

Key areas where state breach notification laws vary:

  • The definition of personal information that triggers notification obligations
  • The definition of breach, including whether unauthorized access alone is sufficient or whether acquisition is required
  • Notification timeframes, ranging from “the most expedient time possible” to specific deadlines (30, 45, or 60 days, or 72 hours in some states)
  • Notification recipients, including individuals, state regulators, consumer reporting agencies, and in some states the state Attorney General
  • Content requirements for notification letters, with some states mandating specific information elements
  • Substitute notification methods available when direct notification is impractical
  • Safe harbor provisions for encrypted data, with variations in what qualifies as adequate encryption

States with Notably Stringent Requirements

Several states stand out for breach notification requirements that greatly exceed the federal HIPAA standard:

  • Colorado requires notification within 30 days of breach discovery, considerably shorter than HIPAA’s 60-day window
  • Florida requires notification within 30 days and mandates notification to the state Attorney General for breaches affecting 500 or more individuals
  • New York requires notification to the Attorney General, Department of State, and Division of State Police when a breach exceeds certain thresholds
  • Oregon requires notification within 45 days and mandates notification to the Attorney General for any breach, regardless of size

Healthcare organizations must track the breach notification requirements for every state in which they have patients or hold personal information. A breach affecting patients in multiple states can trigger dozens of different notification obligations simultaneously.

Multi-State Compliance Strategies

Building a Unified Compliance Framework

Organizations operating in multiple states need a systematic approach to managing overlapping and potentially conflicting privacy requirements. The most effective strategy is to build a compliance framework that meets the most stringent applicable standard across all jurisdictions.

Step 1: Identify all relevant jurisdictions. Map every state in which your organization provides services, stores data, has employees, or has patients. Each jurisdiction may impose its own privacy and breach notification requirements.

Step 2: Conduct a comparative analysis. For each major compliance area (consent, access rights, breach notification, data security, patient rights), compare the HIPAA requirement with the applicable state requirements in each jurisdiction. Identify where state law is more stringent.

Step 3: Adopt the highest standard. Where practical, implement policies and procedures that meet the most stringent requirement across all relevant jurisdictions. This approach simplifies compliance by reducing the need for jurisdiction-specific variations.

Step 4: Maintain jurisdiction-specific procedures. For requirements that are truly jurisdiction-specific and cannot be generalized (such as specific breach notification recipients or state-mandated forms), maintain documented procedures that address each state’s unique requirements.

Step 5: Monitor legislative changes. State privacy laws are evolving rapidly. Assign responsibility for tracking new legislation and regulatory changes in every relevant jurisdiction, and update your compliance program as needed.

Practical Compliance Tips

  • Maintain a state law matrix documenting the key privacy and breach notification requirements for each state where you operate
  • Train team members on the strictest applicable standards rather than the minimum HIPAA requirements
  • Establish relationships with local counsel in states with especially complex requirements
  • Include state-specific provisions in Business Associate Agreements to ensure vendors comply with applicable state requirements, not just HIPAA
  • Document your preemption analysis showing how you determined which standard applies in each jurisdiction

For additional context on the federal HIPAA requirements that form the baseline for this analysis, see our guides on HIPAA Privacy Rule requirements and What Is HIPAA.

State vs Federal HIPAA FAQ

Does HIPAA override all state health privacy laws?

No. HIPAA only preempts state laws that are contrary to HIPAA and less protective of patient privacy. State laws that provide greater privacy protections or grant patients additional rights are not preempted and must be followed in addition to HIPAA. This means healthcare organizations often must comply with both federal and state requirements simultaneously.

How do I determine which standard applies in a specific situation?

Conduct a provision-by-provision analysis comparing the HIPAA requirement with the applicable state law. If the state law is more stringent (it prohibits something HIPAA permits, gives patients more rights, or requires more protections), follow the state law. If the state law is less protective than HIPAA, follow HIPAA. When in doubt, consult legal counsel experienced in health privacy law.

Do state laws apply to business associates?

It depends on the state. HIPAA applies to business associates through the federal framework, but many state laws also impose obligations on entities that handle health or personal information, even if those entities are not HIPAA covered entities or business associates. Texas HB 300, for example, applies to any person who assembles, collects, or obtains PHI, regardless of HIPAA status.

What happens if I comply with HIPAA but violate a more stringent state law?

You may face state-level enforcement action, civil penalties, and potentially private lawsuits under state law. HIPAA compliance does not provide a defense against state law claims when the state law imposes a higher standard. Some states allow individuals to sue directly for violations, creating liability exposure beyond what OCR enforcement alone would produce.

Are there states considering new health privacy laws?

Yes. The state privacy law landscape is evolving rapidly. Multiple states are considering or have recently enacted comprehensive privacy laws that affect healthcare data. Organizations should track legislative developments in every state where they operate and update their compliance programs as new laws take effect.

State vs Federal Law Takeaways

The intersection of state privacy laws and federal HIPAA rules creates a layered compliance challenge that demands careful analysis and ongoing vigilance. Healthcare organizations that operate across state lines cannot simply rely on HIPAA compliance alone. They must identify, track, and comply with the more stringent state requirements that apply in each jurisdiction where they serve patients or handle health information.

One Guy Consulting specializes in helping healthcare organizations navigate multi-jurisdictional compliance obligations. From conducting state law reviews to building unified compliance frameworks that satisfy both HIPAA and applicable state requirements, our team ensures your organization meets its obligations in every jurisdiction. Contact us today to strengthen your compliance program across all the states where you operate.
