Legal Guide 15 min read

State-by-State Privacy Laws: What You Need to Know

A comprehensive guide to health privacy laws across all 50 states and how they affect your data protection rights.

Jennifer Walsh
·
June 15, 2024

Federal HIPAA sets the floor for health privacy protection — not the ceiling. State privacy laws can grant stronger rights, and many do. The result is a patchwork: a Washington resident, a California resident, and a Texas resident have meaningfully different protections over the same medical data.

The state-law landscape in 2026

A handful of states have passed health-data-specific laws that go meaningfully beyond HIPAA:

  • California: The Confidentiality of Medical Information Act (CMIA) provides $1,000 statutory damages per violation, prohibits marketing without written consent, and grants 15-day records access.
  • Washington: My Health My Data Act (MHMDA) gives consumers opt-in consent rights over health data collected by non-HIPAA-covered entities.
  • New York: NYHIPA (pending implementation) grants consent-revocation rights.

Comprehensive consumer-privacy laws in California (CCPA/CPRA), Virginia (CDPA), Colorado (CPA), and a dozen others give additional rights when health data crosses out of HIPAA’s coverage into the consumer-data space.

Full state-by-state guide at /privacy-guide/state-vs-federal-privacy-laws.

Stop the flow of your health data.

HealthConsent® automates HIPAA restrictions and HIE opt-outs across 7M+ providers, insurers, and prescription networks.

Protect My Data