Federal HIPAA sets the floor for health privacy protection — not the ceiling. State privacy laws can grant stronger rights, and many do. The result is a patchwork: a Washington resident, a California resident, and a Texas resident have meaningfully different protections over the same medical data.
The state-law landscape in 2026
A handful of states have passed health-data-specific laws that go meaningfully beyond HIPAA:
- California: The Confidentiality of Medical Information Act (CMIA) provides $1,000 statutory damages per violation, prohibits marketing without written consent, and grants 15-day records access.
- Washington: My Health My Data Act (MHMDA) gives consumers opt-in consent rights over health data collected by non-HIPAA-covered entities.
- New York: NYHIPA (pending implementation) grants consent-revocation rights.
Comprehensive consumer-privacy laws in California (CCPA/CPRA), Virginia (CDPA), Colorado (CPA), and a dozen others give additional rights when health data crosses out of HIPAA’s coverage into the consumer-data space.
Full state-by-state guide at /privacy-guide/state-vs-federal-privacy-laws.