State Health Privacy Laws vs HIPAA: Which States Protect You More
Many states protect your health data more than federal HIPAA β faster records access, a private right to sue, and extra protection for mental-health and app data. See how all 50 states compare.
Important Notes
β’ If a state is not listed with specific additions, it generally follows the HIPAA baseline with no significant extra patient rights in this domain
β’ All states must follow HIPAA, so this table emphasizes where state law confers greater privacy options to patients
β’ This comparison focuses on how some states bolster patient control over health information through stricter consent laws, special protections, shorter timelines, or private rights of action
New here? Start with the big picture.
See how state law overrides HIPAA when it is stricter, read CMIA vs HIPAA for a deep dive on California's stronger standard, or review the 8 patient rights under HIPAA that apply nationwide.
Quick jump to your state:
Comprehensive State Health Data Privacy Guides Available
Deep-dive guides for states with the strongest health data privacy protections
Mental Health Privacy Laws by State
Mental-health and substance-use records get extra protection beyond standard HIPAA in many states. These are among the strongest:
California
The Lanterman-Petris-Short Act (Welfare & Institutions Code Β§5328) and the CMIA tightly restrict disclosure of mental-health information and require specific authorization for psychotherapy records.
New York
Mental Hygiene Law Β§33.13 makes clinical mental-health records confidential and limits disclosure to narrow, enumerated circumstances.
Illinois
The Mental Health and Developmental Disabilities Confidentiality Act (740 ILCS 110) is among the strictest in the nation, requiring written consent for most disclosures of mental-health records.
Texas
Health & Safety Code Chapter 611 protects the confidentiality of mental-health records and sets out specific patient access and disclosure rules.
Federal overlay: 42 CFR Part 2 adds protection for substance-use-disorder treatment records, and HIPAA requires a separate written authorization to release psychotherapy notes (45 CFR Β§164.508(a)(2)) β see the 8 patient rights under HIPAA.
State-by-State Privacy Rights Breakdown
50 states with detailed privacy information
Alabama
Alaska
General: Otherwise, Alaska follows HIPAA's baseline. No state-mandated shorter timeline for record access (HIPAA's 30-day rule recognized). Breach notification follows general state law (similar to HIPAA's requirements).
Arizona
Psychotherapy Notes: Arizona specifically defines and protects "privileged psychiatric/psychological communications," generally requiring patient consent or a court order for disclosure, giving patients added privacy for mental health info.
Timeline: Arizona law implicitly defers to HIPAA's access timeline; no stricter state deadline (providers must act within 30 days per HIPAA).
Arkansas
California
Faster Access: Under California's Patient Access to Health Records Act, providers must allow patients to inspect records within 5 working days of a request and must provide copies within 15 days β significantly faster than the former federal 30-day standard. (This 15-day rule remains, though the new HIPAA 15-day requirement now matches it.)
Sensitive Info: California requires specific consent for sensitive information. For example, HIV test results generally may not be disclosed without a separate written authorization from the patient (except to the patient or treating providers). Information shared with a psychotherapist in private counseling is highly protected; disclosures usually need patient authorization (beyond HIPAA's psychotherapy note rule, California Welfare & Institutions Code also protects mental health records).
"Opt-out" Rights: California consumers have additional rights under laws like the Shine the Light law and the California Consumer Privacy Act (CCPA/CPRA), but note: CCPA exempts HIPAA-covered PHI. However, for health data outside HIPAA, Californians can opt out of sale of personal info. Within the HIPAA realm, CMIA's protections and the ability to opt out of certain sharing (by simply refusing to authorize disclosures) are key.
Breach Notification: California has stringent breach laws. Providers must notify patients and the California Department of Public Health of any unlawful or unauthorized access or disclosure of medical info without unreasonable delay (no later than 15 business days in many cases), which can be sooner than HIPAA's 60-day outer limit.
Colorado
Access Rights: Colorado regulation requires most health facilities to provide copies of medical records within 10 days of a signed request (or 10 business days, effectively), which is faster than federal law. Current patients can inspect their records within 24 hours of request (excluding weekends/holidays) at hospitals.
Mental Health: Colorado law protects behavioral health records; while it allows sharing for treatment, it requires patient consent or a court order for release of psychotherapy notes or records to third parties not involved in treatment.
Breach Notice: Colorado's consumer data protection law requires notice of breaches of personal information (including health data) to individuals within 30 days, which may apply in addition to HIPAA.
Connecticut
Access Law: Connecticut law stipulates providers must furnish copies of medical records within 30 days of a written request (matching HIPAA's original timeline) and caps copy fees by statute (e.g., $0.45/page). There's no shorter state deadline than the new federal 15-day rule, so the federal requirement now prevails as the most protective.
Minors' Rights: Connecticut allows minors to consent to certain services (like HIV testing, reproductive healthcare) and keeps those records confidential from parents without the minor's authorization, aligning with state consent laws β thus minors have a right to privacy for those records.
Delaware
Florida
Access: Florida law requires healthcare providers to furnish copies of medical records in a timely manner (generally within 30 days, similar to HIPAA; hospitals have a 30-day rule under Fla. Stat. Β§395.3025). Some Florida providers adhere to even shorter turnaround due to state guidelines, but the law doesn't mandate less than 30 days.
Minor's Privacy: Florida allows minors to consent to some services (e.g., STI treatment, pregnancy-related care) and protects those records from automatic parental access, giving minors a privacy right over that PHI.
Data Privacy Law: (Note: Florida's 2023 Digital Bill of Rights law largely exempts HIPAA data. So, rights like opting out of sale under that law apply to non-HIPAA data and are not relevant for PHI held by HIPAA-covered entities.)
Georgia
Hawaii
Minors: Hawaii allows certain minors to consent to treatment (e.g., for family planning) and keeps those records confidential from parents absent minor's consent.
Breach: Hawaii's breach law requires notice to individuals and the state if a breach involves personal info (including medical data). No unique timeline beyond the general 60 days.
Idaho
Illinois
Genetic Info: Illinois' Genetic Information Privacy Act requires written consent for disclosure of genetic testing information to anyone, with limited exceptions, granting patients strong say over their genetic data (beyond HIPAA's protections).
HIV/AIDS: Illinois' AIDS Confidentiality Act similarly mandates specific informed consent for releasing HIV-related information, giving patients an opt-in control for that sensitive data.
Access: Illinois has a Medical Patient Rights Act ensuring the right to access one's records, but timeline is default 30 days (HIPAA level). However, Illinois caps copy fees and forbids charging patients a handling fee for record requests (aligned with HIPAA's no-retrieval-fee rule).
Private Right of Action: Violations of the Illinois mental health or HIV confidentiality statutes can give patients the right to sue for damages, adding a state enforcement mechanism for their privacy rights.
Indiana
Iowa
Kansas
Kentucky
Louisiana
Authorization Requirement: Louisiana's patient records statute (La. R.S. 40:1165.1) mandates patient consent for release of records except for certain purposes (treatment, payment, as required by law, etc.), similar to HIPAA. It reinforces that outside of those exceptions, your authorization is needed β giving you control.
Mental Health: Louisiana requires patient consent or a specific legal authorization for disclosures of mental health records.
Breach: Louisiana has a stringent breach law (requiring notice in the "most expedient time possible and without unreasonable delay" and within 60 days at most). Combined with HIPAA, Louisiana patients are ensured timely notification.
Maine
Mental Health: Maine has strict confidentiality laws for mental health information; disclosures often require patient consent or a specific exception. For instance, psychotherapy communications can't be released without consent except by court order.
HIV: Maine requires written consent to disclose HIV test results except for certain allowed purposes, giving patients control over that information.
Other: Maine's law also states that a patient may not be charged a fee just for the provider to search for records (aligning with HIPAA's prohibition on retrieval fees). And if a provider denies access (which is rare), Maine regulations allow patients avenues to challenge that.
Maryland
Access: Maryland mandates that providers respond to record requests within a reasonable time (generally interpreted similarly to HIPAA's 30 days). It also caps copy charges and requires that if a record is needed for a Social Security claim or appeal, it must be provided free of charge β an extra right for patients dealing with disability claims.
Health Information Exchange: Maryland's statewide HIE (CRISP) operates on an opt-out model. Patients have the right to opt out of HIE data sharing by submitting a request, which will prevent providers from accessing their info through the exchange.
Minor Consent: Maryland allows minors to consent to certain treatments (e.g., reproductive health, mental health age >16) and those records cannot be disclosed to parents without the minor's consent, granting minors privacy rights over those PHI instances.
Massachusetts
Patient Consent: MA recognizes a general patient right of confidentiality. By regulation, hospitals must keep patient records confidential and can release them only with patient consent or as required/permitted by law (which aligns to HIPAA, but the state framing emphasizes patient permission).
Access: Massachusetts regulations require hospitals and doctors to provide copies of medical records within 30 days of request (no shorter state timeline, so now the 15-day federal rule is stronger). State law also explicitly allows patients to add a written addendum to their medical records to dispute information, up to 250 words, if they feel something is incomplete or incorrect β a right akin to but slightly different from HIPAA's amendment rule.
HIV & Genetic: Massachusetts law demands specific written consent for HIV test disclosures and has a statute limiting the use of genetic test results by insurers and others, indirectly giving patients more privacy for genetic info.
Michigan
Consent Requirements: Michigan has robust confidentiality provisions for specific cases β e.g., mental health records require patient consent or a court order for release (Mental Health Code Β§ 330.1748). HIV test information requires consent for disclosure except to a few entities. So patients do hold additional consent rights for those categories.
Breach: Michigan's Identity Theft Protection Act includes health information in its breach notification rules, requiring notice to residents if certain personal data (including health insurance or medical info combined with name) is breached. Timing is without unreasonable delay (consistent with HIPAA, no stricter timeline explicitly).
Minnesota
Access: Minnesota requires providers to "promptly furnish" records. State law interpreted "promptly" as generally within 30 days, matching HIPAA, but expected sooner if possible. Minnesota also forbids charging patients fees for copies if the request is to review current medical care (ensuring cost isn't a barrier to recent info).
Mental Health: Minnesota's consent requirement extended to mental health records, with some exceptions for care coordination under the latest amendments.
Minor Privacy: Minnesota's minor consent laws give minors rights to confidential care (for example, minors can consent to STD treatment at 17 and those records won't be shared without minor consent).
Overall: Minnesota's law was an example often cited as "more stringent than HIPAA," giving patients greater theoretical control over disclosures. After amendments, it's closer to HIPAA for routine care, but still one of the stronger patient consent states historically.
Mississippi
Missouri
Montana
Nebraska
Accounting of Disclosures: Nebraska law (Neb. Rev. Stat. Β§ 71-8403) provides patients the right to an accounting of disclosures of their medical records made by a provider in the last 6 years, very similar to HIPAA β not an enhancement, but it codifies the right at state level (few states do that).
General: Otherwise, NE's Patient Record Act mirrors HIPAA (consent needed for non-authorized disclosures, etc.). Nebraska has an HIE (NeHII now CyncHealth) which patients can opt out of, thus Nebraskans can stop providers from sharing through the HIE if they object.
Nevada
General PHI: Nevada's existing laws require healthcare providers to keep patient information confidential and only release with patient consent or as law permits (Nev. Rev. Stat. 629.041). For example, a Nevada provider needs a patient's written authorization to disclose records to a third party not involved in care, reinforcing patient consent rights.
Access: By statute, copies of records must be provided within 30 days of a request (aligns with HIPAA). Nevada also mandates specific per-page copy fees.
Mental Health: Nevada law has extra confidentiality for mental health and substance abuse records (often requiring patient consent and, for certain communications with psychologists, privileged status).
New Hampshire
General: NH's Patient Bill of Rights (RSA 151:21) ensures patients confidentiality and the right to approve or refuse release of information, similar to HIPAA's consent principle. It's more of a policy statement but gives patients grounds to expect consent will be obtained.
Access: NH law requires records to be made available within a reasonable time. There's no codified shorter period than HIPAA, but healthcare facilities typically comply with HIPAA's 30-day rule as baseline.
Mental Health: NH has a law that mental health records may only be disclosed with patient consent or by court order, except to other treating providers β stronger than HIPAA in requiring consent for many non-emergency releases.
New Jersey
Access: NJ regulations require doctors to provide copies of records within 30 days of a written request (similar to HIPAA), and hospitals to let patients have copies of discharge summaries etc. within 30 days. A recent NJ bill (NJ P.L.2022, c.64) also clarified that patients must be able to access their medical imaging studies promptly.
Miscellaneous: NJ law allows patients to submit a statement of disagreement (up to 500 words) if a provider denies amending a record, which must be kept with the record β paralleling HIPAA's right. Breach-wise, NJ requires notice to the state for certain large breaches, but timing to individuals matches HIPAA.
New Mexico
New York
Mental Health: New York's Mental Hygiene Law and related regulations mandate confidentiality of mental health records; disclosures outside the treating team often require patient consent or a court order. Psychotherapy notes and communications with social workers, psychologists, etc. are privileged under state law. Patients thus have a right to keep therapy records private from insurers or others (insurers, for example, often get only minimal info per NY law).
General Consent: NY law (Hospital Code) historically required hospitals to obtain a patient's written consent to release medical information, except for treatment, payment, and hospital operations β functionally similar to HIPAA but instilled as a patient right at state level.
Access: New York gives patients access rights under Public Health Law Β§ 18, which closely tracks HIPAA but actually allows providers up to 10 days to decide on granting access and up to 30 days to provide records once approved (so HIPAA's 15-day now is stricter). If access is denied, NY has an appeals process via a Medical Record Access Review Committee, giving patients a state forum to challenge denials (e.g., if a doctor thinks viewing records would harm the patient, the patient can appeal that decision).
Health Data Exchanges: New York operates health information exchanges (RHIOs) on an opt-in consent model β a provider cannot access your records from other participants unless you have signed a "SHIN-NY" consent form permitting that exchange. Patients thereby have the right to decide if their data can be queried by other providers through the state HIE network.
Breach: NY's Stop Hacks and Improve Electronic Data Security (SHIELD) Act includes health information in its breach notification requirements (notice to individuals and state AG in case of breach of private info). Timing is without unreasonable delay, consistent with HIPAA, but the additional state oversight via the Attorney General is a factor.
North Carolina
North Dakota
Ohio
Access: Ohio law (ORC Β§3701.74) ensures patients can get copies of medical records; it sets maximum fees but not a shorter deadline than HIPAA. Typically, providers follow the 30-day rule.
Breach: Ohio has a breach law aligned with standard practice (notice without unreasonable delay, etc.).
Private Right of Action: While HIPAA violations themselves don't allow lawsuits, Ohio courts have allowed patients to sue under common law for unauthorized disclosure (breach of confidentiality is recognized in some case law), effectively giving Ohio patients a possible remedy if their doctor improperly reveals PHI.
Oklahoma
Oregon
Genetic Info: Oregon has a Genetic Privacy Act that treats genetic information as the property of the individual tested, requiring written authorization for its disclosure (except for diagnostic/therapeutic purposes). This gives patients a kind of ownership right over genetic data beyond HIPAA.
Psychotherapy Notes: Oregon mandates patient consent for release of psychotherapy notes (in line with HIPAA's strict standard, but state law cements it).
Access: Oregon regulations require records to be furnished "in a reasonable time." State administrative rules for hospitals suggest prompt turnaround, but no exact day count (so HIPAA's 15-day now sets the bar). Oregon caps copy fees and requires no charge for records needed to support disability claims, ensuring some rights around costs.
Breach: Oregon's Consumer Info Protection Act includes health info; if a breach happens, notice must be given to individuals and the state AG if >250 Oregonians affected, adding oversight.
Pennsylvania
General Medical Info: Pennsylvania doesn't have a singular HIPAA-equivalent statute, but patient privacy is enforced through professional licensure rules and common law. Patients have the right to access their records (28 Pa. Code Β§115.29 β hospitals must provide a copy of records upon request within a reasonable time). PA's timeframe is not stricter than HIPAA and often 30 days is used.
Breach: PA uses a standard breach notification law (unreasonable delay, notify if personal data compromised; medical info if combined with identifiers triggers notice). Pennsylvania also has a unique law (Act 153 of 2020) that requires timely notification to patients specifically for breaches of "unsecured protected health information" by entities like state agencies β essentially reinforcing HITECH for state-regulated entities.
Rhode Island
Access: Rhode Island guarantees patients the right to see and copy their medical records. State law requires providers to permit inspection of records during business hours within 10 days of a request, and to provide copies within 30 days. So RI patients benefit from quick inspection and standard copy times. Fees for copies are limited by regulation.
Mental Health & HIV: RI requires patient consent for most mental health record disclosures and follows a similar consent model for HIV information.
Enforcement: Rhode Island's law gives patients the right to file a complaint with the state Department of Health for violations, and providers can face penalties. Patients can't directly sue under the statute, but they might use common law. Overall, RI's law strongly reinforces patient consent rights for info sharing beyond treatment needs, making it one of the strict states in terms of requiring patient permission.
South Carolina
South Dakota
Tennessee
Access: Tennessee law echoes HIPAA in requiring providers to furnish records to patients; no shorter deadline is specified (so 30 days, now 15 under new HIPAA, applies).
Mental Health: Tennessee's laws on mental health records generally require patient consent for release of psychotherapy notes and communications, similar to HIPAA but reinforced by state code.
Drug Testing: TN has specific consent requirements for releasing drug/alcohol test results, giving patients rights over who can see those.
General: Aside from the ability to sue, TN's substantive rules align with HIPAA (consent needed for non-TPO disclosures, etc.). Breach notification in TN is aligned with standard practice (notice expediently, state AG notification if many affected).
Texas
Consent for Electronic Disclosure: Texas law requires patient authorization for any electronic disclosure of PHI outside of the covered entity, except for disclosures authorized or required by other law. In practice, this means if a Texas provider wants to email or transmit your PHI to a third party for reasons other than treatment, billing, healthcare operations, or emergencies, they need your consent. This is stricter than HIPAA and gives patients a right to prevent electronic sharing of their data. (Treatment, payment, operations are exempted from needing consent, similar to HIPAA allowances.)
Standard Authorization Form: Texas, by law, had the Attorney General create a standard PHI disclosure authorization form that must be accepted by all providers. Patients can use this single form to authorize release of their records, rather than dealing with different forms for different providers β a user-friendly feature unique to TX. If you want to request your records be sent somewhere, using the state form should be universally accepted in Texas.
Faster Access: Under HB 300, if a Texas provider has an EHR system, patients have the right to get electronic copies of their records within 15 business days of a written request. This effectively codified a 15-day rule (similar to what the new federal rule has done). Texas also prohibits charging a retrieval fee for records (matching HIPAA).
Training and Notice: Texas mandates that covered entities train employees on state and federal privacy law and that they provide patients with a notice of electronic disclosures upon request.
Marketing: Texas explicitly gives patients the right to opt out of any mailing that constitutes marketing; any marketing mail must include an opt-out notice. And PHI cannot be used for telephone marketing or sales calls without your written authorization β reinforcing your right not to be solicited using your medical info.
Enforcement: Texas allows the state to enforce penalties for privacy violations. While Texas patients can't directly sue under TMRPA (enforcement is via Texas AG or regulatory boards), the law's stringent requirements back up your rights with hefty potential fines for violators. So in summary, Texas patients enjoy HIPAA's rights plus faster access, a say in electronic sharing, and clear opt-out rights for marketing.
Utah
Vermont
General: VT law has a patients' bill of rights ensuring privacy and the right to approve release of records (consistent with HIPAA). Access to records is required by state regulation (generally within 30 days).
Mental Health: Vermont law makes mental health treatment information confidential, only to be released with patient consent or as authorized by law. For minors, VT gives those 12 and older rights to consent to some mental health or substance abuse treatment and keep those records confidential.
Data Broker Regulation: VT has a data broker law requiring companies that trade in personal data (including health data) to register and have reasonable security β though this doesn't directly give patients new rights, it's part of the privacy landscape.
Virginia
Washington
State Privacy Laws: Washington's Uniform Health Care Information Act (RCW 70.02) has long required patient authorization for disclosures of health info, with exceptions similar to HIPAA. It essentially codified HIPAA-like rights: patients must be given access to records, and their consent is needed for non-care disclosures. Washington also provides a private right of action for unauthorized disclosure β patients can sue for breaches of confidentiality under state law (with limits on damages).
Specific Consents: WA mandates consent for certain info: e.g., HIV status disclosures require written patient consent; mental health records need patient consent or a special release to share beyond treatment team.
Access: Washington's law requires providers to respond to record requests generally within 15 working days (which aligns with HIPAA's new 15 day rule roughly). It also caps fees for copying.
Conclusion: WA patients now benefit from both robust consumer health data rights (outside HIPAA) and solid medical record privacy law that reinforces consent and access rights within healthcare.
West Virginia
Wisconsin
Access: Wisconsin requires that patients be allowed to inspect their records during business hours upon request and get copies within a reasonable time. The law sets a maximum of 15 days for hospitals to provide records after a request. This gives a clear timeline that's on par with the new HIPAA rule.
Mental Health: Wisconsin has a separate statute for mental health records (Wis. Stat. Β§51.30) that is also very privacy-protective. It generally demands patient consent for disclosures of treatment records, with limited exceptions (even more narrow than HIPAA for some uses). Patients can designate who can receive their mental health info.
Other: WI allows minors aged 14+ to consent to outpatient mental health treatment and keeps those records confidential from parents without minor consent, granting those minors privacy rights. WI also recognizes a patient's cause of action for breach of confidentiality in some cases, so patients might sue if a provider violates Β§146.82.
Summary: Wisconsin's laws are often cited as more stringent than HIPAA, giving patients in WI tighter control β essentially you must consent to disclosures of your records unless it's among the listed exceptions.
Wyoming
Live tracker
Recent healthcare data breaches
Real incidents from the 2026 HHS OCR portal. Each entry names the provider, the data exposed, and the steps to take if you received a notification letter.
Capitol Pain Institute
Colorado Springs, CO HQ Β· 695 affected
Cunningham Prosthetic Care LLC
Saco, ME Β· 2,523 affected
Western Orthopaedics, P.C.
Englewood, CO Β· 113,330 affected
City Health, a medical corporation
San Leandro, CA Β· 65,000 affected