State Health Privacy Laws vs HIPAA: Which States Protect You More

Many states protect your health data more than federal HIPAA β€” faster records access, a private right to sue, and extra protection for mental-health and app data. See how all 50 states compare.

πŸ“… 2026 Guide βœ“ Updated June 2026 πŸ—ΊοΈ All 50 States

Important Notes

β€’ If a state is not listed with specific additions, it generally follows the HIPAA baseline with no significant extra patient rights in this domain

β€’ All states must follow HIPAA, so this table emphasizes where state law confers greater privacy options to patients

β€’ This comparison focuses on how some states bolster patient control over health information through stricter consent laws, special protections, shorter timelines, or private rights of action

New here? Start with the big picture.

See how state law overrides HIPAA when it is stricter, read CMIA vs HIPAA for a deep dive on California's stronger standard, or review the 8 patient rights under HIPAA that apply nationwide.

Quick jump to your state:

Mental Health Privacy Laws by State

Mental-health and substance-use records get extra protection beyond standard HIPAA in many states. These are among the strongest:

California

The Lanterman-Petris-Short Act (Welfare & Institutions Code Β§5328) and the CMIA tightly restrict disclosure of mental-health information and require specific authorization for psychotherapy records.

New York

Mental Hygiene Law Β§33.13 makes clinical mental-health records confidential and limits disclosure to narrow, enumerated circumstances.

Illinois

The Mental Health and Developmental Disabilities Confidentiality Act (740 ILCS 110) is among the strictest in the nation, requiring written consent for most disclosures of mental-health records.

Texas

Health & Safety Code Chapter 611 protects the confidentiality of mental-health records and sets out specific patient access and disclosure rules.

Federal overlay: 42 CFR Part 2 adds protection for substance-use-disorder treatment records, and HIPAA requires a separate written authorization to release psychotherapy notes (45 CFR Β§164.508(a)(2)) β€” see the 8 patient rights under HIPAA.

State-by-State Privacy Rights Breakdown

50 states with detailed privacy information

Alabama

HIPAA Baseline #1 of 50
No significant state-specific enhancements beyond HIPAA. Alabama relies on HIPAA standards for patient rights (no shorter timelines or unique consent requirements beyond federal law). State law permits a maximum copying fee, but defers to HIPAA's 30-day access rule. No special state privacy statute for PHI; general physician-patient confidentiality applies (providers shouldn't disclose without patient consent except as law allows, which aligns with HIPAA).

Alaska

HIPAA Baseline #2 of 50
Genetic Privacy: Alaska law prohibits obtaining, analyzing, or disclosing a person's genetic information without informed consent (with some exceptions), giving patients strong control over genetic test results (more protective than HIPAA's general rule).

General: Otherwise, Alaska follows HIPAA's baseline. No state-mandated shorter timeline for record access (HIPAA's 30-day rule recognized). Breach notification follows general state law (similar to HIPAA's requirements).

Arizona

HIPAA Baseline #3 of 50
Medical Records Confidentiality: Arizona statutes (A.R.S. Β§Β§ 12-2291 to 12-2297) affirm that patients have a right to access their medical records and require written patient authorization for release of records except as permitted by law. This essentially mirrors HIPAA – e.g., consent is needed for disclosures outside treatment, payment, operations.

Psychotherapy Notes: Arizona specifically defines and protects "privileged psychiatric/psychological communications," generally requiring patient consent or a court order for disclosure, giving patients added privacy for mental health info.

Timeline: Arizona law implicitly defers to HIPAA's access timeline; no stricter state deadline (providers must act within 30 days per HIPAA).

Arkansas

HIPAA Baseline #4 of 50
No notable expansions. Arkansas's medical privacy provisions align with HIPAA. It has rules about who may access medical records (e.g., personal representatives) but no special consent requirements beyond HIPAA for most disclosures. Record access timing and fees are per federal law (30 days, cost-based fees). Arkansas law does require reporting of breaches to individuals under general data breach statutes, but no unique PHI-only enhancements.

California

Enhanced Rights #5 of 50
Stronger Consent & Privacy Laws: California's Confidentiality of Medical Information Act (CMIA) is one of the nation's strictest. It generally requires patient authorization for any disclosure of medical information by providers or health plans, except for certain allowed purposes (which largely parallel HIPAA, such as treatment, payment, auditing, etc.). This effectively means patients have broad rights to consent or object to disclosures – providers must obtain written permission for uses beyond those core purposes, giving patients more control. CMIA also allows patients to sue for unauthorized disclosure of their medical info and recover damages, creating a state-level remedy for privacy breaches.

Faster Access: Under California's Patient Access to Health Records Act, providers must allow patients to inspect records within 5 working days of a request and must provide copies within 15 days – significantly faster than the former federal 30-day standard. (This 15-day rule remains, though the new HIPAA 15-day requirement now matches it.)

Sensitive Info: California requires specific consent for sensitive information. For example, HIV test results generally may not be disclosed without a separate written authorization from the patient (except to the patient or treating providers). Information shared with a psychotherapist in private counseling is highly protected; disclosures usually need patient authorization (beyond HIPAA's psychotherapy note rule, California Welfare & Institutions Code also protects mental health records).

"Opt-out" Rights: California consumers have additional rights under laws like the Shine the Light law and the California Consumer Privacy Act (CCPA/CPRA), but note: CCPA exempts HIPAA-covered PHI. However, for health data outside HIPAA, Californians can opt out of sale of personal info. Within the HIPAA realm, CMIA's protections and the ability to opt out of certain sharing (by simply refusing to authorize disclosures) are key.

Breach Notification: California has stringent breach laws. Providers must notify patients and the California Department of Public Health of any unlawful or unauthorized access or disclosure of medical info without unreasonable delay (no later than 15 business days in many cases), which can be sooner than HIPAA's 60-day outer limit.

Colorado

Enhanced Rights #6 of 50
Health Information Exchange Opt-Out: Colorado law created a statewide HIE (CORHIO/Contexture) where patients by default may have records shared among providers; however, patients have the right to opt out of the HIE. By submitting an HIE opt-out form, a patient can prevent their providers from making their records available through the exchange. This gives Coloradans an extra layer of consent for inter-provider data sharing not covered by HIPAA.

Access Rights: Colorado regulation requires most health facilities to provide copies of medical records within 10 days of a signed request (or 10 business days, effectively), which is faster than federal law. Current patients can inspect their records within 24 hours of request (excluding weekends/holidays) at hospitals.

Mental Health: Colorado law protects behavioral health records; while it allows sharing for treatment, it requires patient consent or a court order for release of psychotherapy notes or records to third parties not involved in treatment.

Breach Notice: Colorado's consumer data protection law requires notice of breaches of personal information (including health data) to individuals within 30 days, which may apply in addition to HIPAA.

Connecticut

Enhanced Rights #7 of 50
HIE and Consent: Connecticut recently implemented a statewide Health Information Exchange ("Connie"). Patients in CT have the right to opt out of having their clinical information shared via the HIE by submitting an opt-out form. If opted-out, providers cannot query the HIE for that patient's data, giving patients more say in inter-organizational sharing. (Patients can also opt back in later.)

Access Law: Connecticut law stipulates providers must furnish copies of medical records within 30 days of a written request (matching HIPAA's original timeline) and caps copy fees by statute (e.g., $0.45/page). There's no shorter state deadline than the new federal 15-day rule, so the federal requirement now prevails as the most protective.

Minors' Rights: Connecticut allows minors to consent to certain services (like HIV testing, reproductive healthcare) and keeps those records confidential from parents without the minor's authorization, aligning with state consent laws – thus minors have a right to privacy for those records.

Delaware

HIPAA Baseline #8 of 50
No major deviations. Delaware's privacy statute (24 Del. Code Β§ 1731) requires practitioners to maintain confidentiality of patient communications and records, disclosing only with patient consent or as required by law – essentially the same principle as HIPAA. Delaware follows HIPAA's standards on access (30 days) and doesn't have unique additional rights beyond that. One note: Delaware's breach notification law covers medical information as personal information, so patients must be notified of breaches consistent with state requirements (which are similar to HIPAA's).

Florida

Enhanced Rights #9 of 50
Constitutional Privacy & Consent: Florida's state constitution explicitly grants individuals a right to privacy, which courts have interpreted to include medical information privacy. By statute, healthcare providers must obtain patient consent before releasing medical records except as specifically allowed by law (Fla. Stat. Β§456.057). This means patients in Florida have a strong confidentiality right – doctors generally cannot disclose your records to a third party without your written authorization, unless it's for purposes legally permitted (which align with HIPAA's exceptions, like court orders or continuity of care).

Access: Florida law requires healthcare providers to furnish copies of medical records in a timely manner (generally within 30 days, similar to HIPAA; hospitals have a 30-day rule under Fla. Stat. Β§395.3025). Some Florida providers adhere to even shorter turnaround due to state guidelines, but the law doesn't mandate less than 30 days.

Minor's Privacy: Florida allows minors to consent to some services (e.g., STI treatment, pregnancy-related care) and protects those records from automatic parental access, giving minors a privacy right over that PHI.

Data Privacy Law: (Note: Florida's 2023 Digital Bill of Rights law largely exempts HIPAA data. So, rights like opting out of sale under that law apply to non-HIPAA data and are not relevant for PHI held by HIPAA-covered entities.)

Georgia

HIPAA Baseline #10 of 50
No substantial additions. Georgia's statutes require confidentiality of patient information and generally align with HIPAA. Providers must release records to patients upon request (Ga. Code Β§ 31-33-2) with reasonable copying fees, and they often follow the 30-day federal timeline. Georgia has specific laws for certain conditions (e.g., AIDS confidential information can only be disclosed to certain parties by law), but aside from those, no broader patient rights beyond federal law.

Hawaii

HIPAA Baseline #11 of 50
Strict Privacy Law (historical): Hawaii had a pre-HIPAA law (HRS Β§323C, "Hawaii Health Privacy Project") which was quite strict on consent for disclosures. While parts have been superseded by HIPAA, Hawaii providers still generally require patient consent for releases beyond treatment purposes. For example, Hawaii law emphasizes that a patient's health information should not be used or disclosed without consent except as allowed by law, giving patients theoretical broad control (in practice it mirrors HIPAA's allowances now).

Minors: Hawaii allows certain minors to consent to treatment (e.g., for family planning) and keeps those records confidential from parents absent minor's consent.

Breach: Hawaii's breach law requires notice to individuals and the state if a breach involves personal info (including medical data). No unique timeline beyond the general 60 days.

Idaho

HIPAA Baseline #12 of 50
No notable state enhancements. Idaho relies mostly on HIPAA standards. Healthcare providers have a duty of confidentiality by professional ethics and some statutes, but Idaho law does not add specific patient rights like stricter consent or shorter access time. Access to records is governed by HIPAA (30 days formerly). Breach notifications follow state law (which is in line with typical breach rules).

Illinois

Enhanced Rights #13 of 50
Mental Health & Genetic Privacy: Illinois provides extra patient privacy rights via specialized laws. The Mental Health and Developmental Disabilities Confidentiality Act is very strict: it generally requires patient consent for any disclosure of mental health treatment records or communications to third parties, except in narrow situations. This gives Illinois patients tremendous control over their mental health records – even disclosing to another treating provider often needs consent unless an exception (like emergency) applies. Also, if a provider denies a patient access to mental health records (for safety reasons), Illinois law allows the patient to have that decision reviewed by a court.

Genetic Info: Illinois' Genetic Information Privacy Act requires written consent for disclosure of genetic testing information to anyone, with limited exceptions, granting patients strong say over their genetic data (beyond HIPAA's protections).

HIV/AIDS: Illinois' AIDS Confidentiality Act similarly mandates specific informed consent for releasing HIV-related information, giving patients an opt-in control for that sensitive data.

Access: Illinois has a Medical Patient Rights Act ensuring the right to access one's records, but timeline is default 30 days (HIPAA level). However, Illinois caps copy fees and forbids charging patients a handling fee for record requests (aligned with HIPAA's no-retrieval-fee rule).

Private Right of Action: Violations of the Illinois mental health or HIV confidentiality statutes can give patients the right to sue for damages, adding a state enforcement mechanism for their privacy rights.

Indiana

HIPAA Baseline #14 of 50
No significant additional rights. Indiana law (IC 16-39) provides patients the right to access copies of medical records and sets copy fee limits, but does not shorten the timeframe (30 days per HIPAA). No overarching privacy statute beyond professional confidentiality. Mental health records have some extra protections (consent needed to disclose psychotherapy notes, as in HIPAA). Indiana defers largely to HIPAA for general PHI handling.

Iowa

HIPAA Baseline #15 of 50
No major state-specific privacy law for PHI. Iowa has confidentiality provisions in various statutes (e.g., for mental health, substance abuse which follows federal 42 CFR Part 2, etc.). For general medical records, Iowa providers follow HIPAA. Iowa Code Β§ 622.10 establishes physician-patient privilege (can't testify or disclose without patient consent, with exceptions) – effectively, patients have a right to confidentiality in legal proceedings absent consent or court order. But beyond that, no special consent requirements or timelines different from HIPAA.

Kansas

HIPAA Baseline #16 of 50
No noteworthy enhancements beyond federal law. Kansas statutes protect patient information confidentiality and provide access rights similar to HIPAA. Kansas does have a general patients' bill of rights (for hospital patients) that includes the right to confidentiality of records and to approve or refuse their release, which reinforces HIPAA's consent principles. For example, a Kansas patient should be asked for consent before their records are sent to non-treatment third parties, giving a state endorsement of that right. Otherwise, standard HIPAA rules apply.

Kentucky

HIPAA Baseline #17 of 50
No extensive state law beyond HIPAA. Kentucky's Medical Records Act (KRS 422.317) gives patients the right to a copy of medical records within 30 days (the same as HIPAA's original timeline). Kentucky law requires patient authorization for release of medical info except as otherwise provided by law, echoing HIPAA. No separate state-level privacy act for general PHI; specific areas like mental health or HIV have their own consent rules (e.g., HIV test results can only be disclosed to those authorized by law or patient consent). Kentucky basically follows HIPAA with some added clarity in statute that patients must authorize non-routine disclosures.

Louisiana

HIPAA Baseline #18 of 50
Faster Access: Louisiana law requires healthcare providers to furnish copies of medical records within 15 days of receipt of a request (and upon payment of copying fees). This is twice as fast as the old federal standard. Louisiana patients thus have a right to a quicker turnaround for record requests.

Authorization Requirement: Louisiana's patient records statute (La. R.S. 40:1165.1) mandates patient consent for release of records except for certain purposes (treatment, payment, as required by law, etc.), similar to HIPAA. It reinforces that outside of those exceptions, your authorization is needed – giving you control.

Mental Health: Louisiana requires patient consent or a specific legal authorization for disclosures of mental health records.

Breach: Louisiana has a stringent breach law (requiring notice in the "most expedient time possible and without unreasonable delay" and within 60 days at most). Combined with HIPAA, Louisiana patients are ensured timely notification.

Maine

HIPAA Baseline #19 of 50
Access: Maine law guarantees patients the right to review their medical records and get copies within 30 days, and for hospitals/providers to grant access within 21 days of a request. This 21-day state rule is a bit faster than the former HIPAA limit.

Mental Health: Maine has strict confidentiality laws for mental health information; disclosures often require patient consent or a specific exception. For instance, psychotherapy communications can't be released without consent except by court order.

HIV: Maine requires written consent to disclose HIV test results except for certain allowed purposes, giving patients control over that information.

Other: Maine's law also states that a patient may not be charged a fee just for the provider to search for records (aligning with HIPAA's prohibition on retrieval fees). And if a provider denies access (which is rare), Maine regulations allow patients avenues to challenge that.

Maryland

Enhanced Rights #20 of 50
Maryland Confidentiality of Medical Records Act (CMRA): Maryland's law (Md. Health-General Β§4-301 et seq.) closely tracks HIPAA but in some areas is more protective. It requires patient authorization for disclosures of medical records other than to specified parties for specified purposes (treatment, payment, quality oversight, etc.). In effect, Marylanders have a state-backed right to keep their records confidential from others unless they consent or law specifically permits the disclosure. Notably, Maryland law extends to any person in interest (patients and certain representatives) the right to sue for damages for unlawful disclosure.

Access: Maryland mandates that providers respond to record requests within a reasonable time (generally interpreted similarly to HIPAA's 30 days). It also caps copy charges and requires that if a record is needed for a Social Security claim or appeal, it must be provided free of charge – an extra right for patients dealing with disability claims.

Health Information Exchange: Maryland's statewide HIE (CRISP) operates on an opt-out model. Patients have the right to opt out of HIE data sharing by submitting a request, which will prevent providers from accessing their info through the exchange.

Minor Consent: Maryland allows minors to consent to certain treatments (e.g., reproductive health, mental health age >16) and those records cannot be disclosed to parents without the minor's consent, granting minors privacy rights over those PHI instances.

Massachusetts

Enhanced Rights #21 of 50
Breach Notification and Consent: Massachusetts has a strict data breach law – if a breach involves a Massachusetts resident's personal information (which includes certain health info), the organization must notify the individual and the state Attorney General's Office and Office of Consumer Affairs without delay. Content and timing have state-specific rules (generally, as soon as practicable). This means MA patients might hear about breaches and have state oversight involved more readily than under just HIPAA.

Patient Consent: MA recognizes a general patient right of confidentiality. By regulation, hospitals must keep patient records confidential and can release them only with patient consent or as required/permitted by law (which aligns to HIPAA, but the state framing emphasizes patient permission).

Access: Massachusetts regulations require hospitals and doctors to provide copies of medical records within 30 days of request (no shorter state timeline, so now the 15-day federal rule is stronger). State law also explicitly allows patients to add a written addendum to their medical records to dispute information, up to 250 words, if they feel something is incomplete or incorrect – a right akin to but slightly different from HIPAA's amendment rule.

HIV & Genetic: Massachusetts law demands specific written consent for HIV test disclosures and has a statute limiting the use of genetic test results by insurers and others, indirectly giving patients more privacy for genetic info.

Michigan

HIPAA Baseline #22 of 50
Access and Amendment: Michigan's Medical Records Access Act gives patients the right to obtain copies of their medical records and generally mirrors HIPAA's 30-day timeframe. One twist: certain mental health professionals (like social workers, psychologists) are excluded from the definition of "health care provider" in that state law, meaning their records might be governed by other rules (the Mental Health Code). But patients still have rights via HIPAA to access those unless a special exception applies. Michigan also mandates specific maximum fees for copying records by law.

Consent Requirements: Michigan has robust confidentiality provisions for specific cases – e.g., mental health records require patient consent or a court order for release (Mental Health Code Β§ 330.1748). HIV test information requires consent for disclosure except to a few entities. So patients do hold additional consent rights for those categories.

Breach: Michigan's Identity Theft Protection Act includes health information in its breach notification rules, requiring notice to residents if certain personal data (including health insurance or medical info combined with name) is breached. Timing is without unreasonable delay (consistent with HIPAA, no stricter timeline explicitly).

Minnesota

HIPAA Baseline #23 of 50
Pre-HIPAA Consent Requirement (Minnesota Health Records Act): Minnesota historically had one of the strictest laws – it required patient consent for virtually all disclosures of health records, including for treatment purposes to outside entities, unless a specific exception applied. This meant that, beyond internal use, providers needed a signed consent to share your info with any third party (another doctor, insurance, etc.), except in emergencies or as required by law. In practice, Minnesota providers obtain a "general consent" on intake to cover treatment disclosures. This law (Minn. Stat. Β§Β§ 144.291–144.298) gave patients a theoretical right to refuse such consent, effectively keeping their records very private, but it could impede care. (Update: In 2023, Minnesota amended this law to align more with HIPAA for treatment, payment, operations, making it easier to share for care; still, for non-TPO disclosures, consent is needed.) Thus, Minnesota patients had (and to an extent still have) more say in who sees their data outside the treating entity.

Access: Minnesota requires providers to "promptly furnish" records. State law interpreted "promptly" as generally within 30 days, matching HIPAA, but expected sooner if possible. Minnesota also forbids charging patients fees for copies if the request is to review current medical care (ensuring cost isn't a barrier to recent info).

Mental Health: Minnesota's consent requirement extended to mental health records, with some exceptions for care coordination under the latest amendments.

Minor Privacy: Minnesota's minor consent laws give minors rights to confidential care (for example, minors can consent to STD treatment at 17 and those records won't be shared without minor consent).

Overall: Minnesota's law was an example often cited as "more stringent than HIPAA," giving patients greater theoretical control over disclosures. After amendments, it's closer to HIPAA for routine care, but still one of the stronger patient consent states historically.

Mississippi

HIPAA Baseline #24 of 50
No notable additional rights. Mississippi's laws on medical records largely mirror HIPAA. Patients have a right to a copy of their records (Miss. Code 41-9-65) within a reasonable time (interpreted as 30 days). MS law sets specific copy fees. No comprehensive state privacy law for PHI beyond requiring patient authorization for disclosures outside of treatment/payment (which is standard). Mississippi's data breach law covers personal information including health data, requiring notification, but otherwise patients rely on HIPAA for most rights.

Missouri

HIPAA Baseline #25 of 50
No major state-specific privacy statute. Missouri's laws uphold physician-patient privilege and require patient consent or court order for release of medical info in most non-treatment contexts. Missouri regulations say records should be made available within a "reasonable time," generally taken to be within 30 days (the state even notes 30 days is reasonable). Missouri annually sets maximum copying fees but prohibits charging for search time (consistent with HIPAA's cost rules). In general, MO follows HIPAA's baseline. One unique point: Missouri law explicitly allows a deceased patient's personal representative to sue for breach of confidentiality, giving a sort of posthumous privacy right enforceable by estate.

Montana

HIPAA Baseline #26 of 50
No significant enhancements. Montana has strong patient privilege in its rules of evidence (protecting confidentiality), and a Patients' Bill of Rights for hospitals that includes the right to privacy and to approve or refuse release of information, echoing HIPAA. No shortened timeline or special consent law beyond requiring consent for disclosures not covered by other exceptions. Montana law does require that if a provider denies a patient access to records (for example, a psychiatrist thinking it could harm the patient), the provider's refusal and reason must be documented, and the patient can designate another provider to review the record. This gives a small additional path to access in denial situations.

Nebraska

HIPAA Baseline #27 of 50
Access: Nebraska regulations mandate that hospitals allow patients to inspect their records within 10 days of request and receive copies within 30 days. So Nebraskans effectively had a right to inspect faster than federal law historically.

Accounting of Disclosures: Nebraska law (Neb. Rev. Stat. Β§ 71-8403) provides patients the right to an accounting of disclosures of their medical records made by a provider in the last 6 years, very similar to HIPAA – not an enhancement, but it codifies the right at state level (few states do that).

General: Otherwise, NE's Patient Record Act mirrors HIPAA (consent needed for non-authorized disclosures, etc.). Nebraska has an HIE (NeHII now CyncHealth) which patients can opt out of, thus Nebraskans can stop providers from sharing through the HIE if they object.

Nevada

Enhanced Rights #28 of 50
New Consumer Health Privacy Law (2023): Nevada passed a "My Health My Data" style law (SB 370) similar to Washington's, which gives consumers rights to opt out of the sale of health data, delete data, etc., but this law excludes HIPAA-covered information. It applies to entities outside HIPAA. So, for PHI under HIPAA, Nevada does not add rights beyond federal law.

General PHI: Nevada's existing laws require healthcare providers to keep patient information confidential and only release with patient consent or as law permits (Nev. Rev. Stat. 629.041). For example, a Nevada provider needs a patient's written authorization to disclose records to a third party not involved in care, reinforcing patient consent rights.

Access: By statute, copies of records must be provided within 30 days of a request (aligns with HIPAA). Nevada also mandates specific per-page copy fees.

Mental Health: Nevada law has extra confidentiality for mental health and substance abuse records (often requiring patient consent and, for certain communications with psychologists, privileged status).

New Hampshire

HIPAA Baseline #29 of 50
Sensitive Consent Laws: New Hampshire has strict laws for certain info: HIV test results require specific informed consent for disclosure, and information about a minor's reproductive health or STD treatment (if the minor consented to the care) cannot be disclosed to parents without the minor's permission. This grants minors privacy rights for those services.

General: NH's Patient Bill of Rights (RSA 151:21) ensures patients confidentiality and the right to approve or refuse release of information, similar to HIPAA's consent principle. It's more of a policy statement but gives patients grounds to expect consent will be obtained.

Access: NH law requires records to be made available within a reasonable time. There's no codified shorter period than HIPAA, but healthcare facilities typically comply with HIPAA's 30-day rule as baseline.

Mental Health: NH has a law that mental health records may only be disclosed with patient consent or by court order, except to other treating providers – stronger than HIPAA in requiring consent for many non-emergency releases.

New Jersey

HIPAA Baseline #30 of 50
Genetic Privacy & AIDS Law: New Jersey gives patients added rights through specific statutes. The New Jersey Genetic Privacy Act requires informed consent for genetic testing and prohibits disclosure of genetic information without consent, with some exceptions. This gives NJ patients control over genetic test results beyond HIPAA. NJ also has an AIDS Assistance Act that makes HIV-related information highly confidential – disclosure generally needs patient consent or a special authorization (with limited exceptions), empowering patients to manage who sees their HIV status.

Access: NJ regulations require doctors to provide copies of records within 30 days of a written request (similar to HIPAA), and hospitals to let patients have copies of discharge summaries etc. within 30 days. A recent NJ bill (NJ P.L.2022, c.64) also clarified that patients must be able to access their medical imaging studies promptly.

Miscellaneous: NJ law allows patients to submit a statement of disagreement (up to 500 words) if a provider denies amending a record, which must be kept with the record – paralleling HIPAA's right. Breach-wise, NJ requires notice to the state for certain large breaches, but timing to individuals matches HIPAA.

New Mexico

HIPAA Baseline #31 of 50
No major additional rights noted. New Mexico's laws align with HIPAA. NM has a statute requiring health facilities to keep patient records confidential and only release upon patient authorization or as law permits. Access to records is guaranteed by statute (within 15 days after written request for some facilities like HMOs, and "promptly" for others – 15 days is a common practice). NM also enacted a Genetic Information Privacy Act requiring consent for genetic info disclosure, giving patients more control there. Overall, NM's patient rights are very similar to federal rights, with a slight edge in genetic data protection.

New York

Enhanced Rights #32 of 50
Highly Protective of Specific Data: New York has strong confidentiality laws for certain health information. HIV/AIDS Information (Public Health Law Article 27-F): New York requires a specific, written patient consent (using a state-approved form) for each disclosure of HIV-related information, except for a narrow list of circumstances. This gives patients near-absolute control over who knows their HIV status – even other providers need consent unless it's for care and the patient hasn't objected.

Mental Health: New York's Mental Hygiene Law and related regulations mandate confidentiality of mental health records; disclosures outside the treating team often require patient consent or a court order. Psychotherapy notes and communications with social workers, psychologists, etc. are privileged under state law. Patients thus have a right to keep therapy records private from insurers or others (insurers, for example, often get only minimal info per NY law).

General Consent: NY law (Hospital Code) historically required hospitals to obtain a patient's written consent to release medical information, except for treatment, payment, and hospital operations – functionally similar to HIPAA but instilled as a patient right at state level.

Access: New York gives patients access rights under Public Health Law Β§ 18, which closely tracks HIPAA but actually allows providers up to 10 days to decide on granting access and up to 30 days to provide records once approved (so HIPAA's 15-day now is stricter). If access is denied, NY has an appeals process via a Medical Record Access Review Committee, giving patients a state forum to challenge denials (e.g., if a doctor thinks viewing records would harm the patient, the patient can appeal that decision).

Health Data Exchanges: New York operates health information exchanges (RHIOs) on an opt-in consent model – a provider cannot access your records from other participants unless you have signed a "SHIN-NY" consent form permitting that exchange. Patients thereby have the right to decide if their data can be queried by other providers through the state HIE network.

Breach: NY's Stop Hacks and Improve Electronic Data Security (SHIELD) Act includes health information in its breach notification requirements (notice to individuals and state AG in case of breach of private info). Timing is without unreasonable delay, consistent with HIPAA, but the additional state oversight via the Attorney General is a factor.

North Carolina

HIPAA Baseline #33 of 50
No major enhancements beyond HIPAA. North Carolina's Identity Theft Protection Act covers data breaches (including health info) requiring notice to individuals and the Consumer Protection Division. For general PHI, NC relies on HIPAA. Providers must keep patient info confidential (the NC physician-patient privilege is recognized). Mental health records have special confidentiality under state law but similar to federal 42 CFR Part 2 and HIPAA. NC doesn't have a specific timeline shorter than 30 days for records – so the new 15-day federal rule leads. One note: NC has a statute that minors who consent to certain treatments (e.g., for STIs, pregnancy) have the right to confidentiality of those records, which cannot be released to parents without the minor's permission, affording those minors a privacy right.

North Dakota

HIPAA Baseline #34 of 50
No significant additional rights. North Dakota's laws echo HIPAA. There's a general confidentiality statute for medical records and specific ones for mental health and substance abuse (which follow federal guidelines). Patients in ND have the right to access records (within 30 days, per HIPAA) and to authorize disclosures. No extra state constraints on disclosures beyond federal law were noted. ND's breach notification law requires notice to individuals if a breach occurs, similar to HIPAA's timeline (no stricter rule).

Ohio

HIPAA Baseline #35 of 50
Patient Consent & Privilege: Ohio recognizes a physician-patient privilege and has statutes requiring consent for release of medical information except as provided by law. Notably, Ohio had a statute (ORC Β§3701.243) requiring specific written consent to disclose HIV test results, thereby giving patients an opt-in control for HIV status disclosures. Ohio also has a mental health confidentiality law that's stricter for communications with counselors and therapists (consent or court order needed).

Access: Ohio law (ORC Β§3701.74) ensures patients can get copies of medical records; it sets maximum fees but not a shorter deadline than HIPAA. Typically, providers follow the 30-day rule.

Breach: Ohio has a breach law aligned with standard practice (notice without unreasonable delay, etc.).

Private Right of Action: While HIPAA violations themselves don't allow lawsuits, Ohio courts have allowed patients to sue under common law for unauthorized disclosure (breach of confidentiality is recognized in some case law), effectively giving Ohio patients a possible remedy if their doctor improperly reveals PHI.

Oklahoma

HIPAA Baseline #36 of 50
No major additions. Oklahoma law (Title 76-19.B) requires healthcare providers maintain confidentiality and generally not release medical records without patient consent unless authorized by law (reinforcing HIPAA's approach). Access to records is governed by state law requiring physicians to provide a copy upon request within 30 days (mirroring HIPAA). Oklahoma has a mental health law that gives patients rights to confidentiality and an extensive consent procedure for releasing mental health information. Also, Oklahoma has recognized in courts that unauthorized disclosure of medical info can be a breach of physician's duty, giving patients potential recourse. No specific shorter timeline or broader accounting right beyond federal law.

Oregon

Enhanced Rights #37 of 50
Minor Privacy Rights: Oregon is known for strong minor consent laws. Minors 15 or older can consent to general medical treatment, and any minor of any age can consent to reproductive health services (birth control, STD treatment) and mental health outpatient services. Oregon law then protects the confidentiality of those records from parents/guardians unless the minor agrees. This means minors in Oregon have the right to keep those PHI details private. Oregon's Minor Consent Law explicitly affords minors privacy control over certain health records.

Genetic Info: Oregon has a Genetic Privacy Act that treats genetic information as the property of the individual tested, requiring written authorization for its disclosure (except for diagnostic/therapeutic purposes). This gives patients a kind of ownership right over genetic data beyond HIPAA.

Psychotherapy Notes: Oregon mandates patient consent for release of psychotherapy notes (in line with HIPAA's strict standard, but state law cements it).

Access: Oregon regulations require records to be furnished "in a reasonable time." State administrative rules for hospitals suggest prompt turnaround, but no exact day count (so HIPAA's 15-day now sets the bar). Oregon caps copy fees and requires no charge for records needed to support disability claims, ensuring some rights around costs.

Breach: Oregon's Consumer Info Protection Act includes health info; if a breach happens, notice must be given to individuals and the state AG if >250 Oregonians affected, adding oversight.

Pennsylvania

Enhanced Rights #38 of 50
Specialty Protections: Pennsylvania has strong confidentiality statutes for certain information. For example, Pennsylvania law requires patient consent to disclose HIV-related information (Act 148) with very limited exceptions, giving patients direct control. PA also strictly protects drug and alcohol treatment records in line with 42 CFR Part 2, requiring written consent for most disclosures. Mental health records are protected under the Mental Health Procedures Act, necessitating patient consent or a court order for many disclosures.

General Medical Info: Pennsylvania doesn't have a singular HIPAA-equivalent statute, but patient privacy is enforced through professional licensure rules and common law. Patients have the right to access their records (28 Pa. Code Β§115.29 – hospitals must provide a copy of records upon request within a reasonable time). PA's timeframe is not stricter than HIPAA and often 30 days is used.

Breach: PA uses a standard breach notification law (unreasonable delay, notify if personal data compromised; medical info if combined with identifiers triggers notice). Pennsylvania also has a unique law (Act 153 of 2020) that requires timely notification to patients specifically for breaches of "unsecured protected health information" by entities like state agencies – essentially reinforcing HITECH for state-regulated entities.

Rhode Island

HIPAA Baseline #39 of 50
Pre-HIPAA Privacy Law: Rhode Island's Confidentiality of Health Care Communications and Information Act (R.I. Gen. Laws Β§ 5-37.3) predates HIPAA and is quite protective. It generally prohibits healthcare providers from releasing a patient's identifiable health information to third parties without the patient's written consent, except for certain limited purposes. This gave Rhode Islanders a broad right to confidentiality – essentially, your authorization is needed for disclosures not explicitly allowed by that law (which include things like continuity of care and mandatory reporting). HIPAA's allowances are largely mirrored, but if HIPAA would allow something not allowed under RI law, the RI law (being more stringent) controls.

Access: Rhode Island guarantees patients the right to see and copy their medical records. State law requires providers to permit inspection of records during business hours within 10 days of a request, and to provide copies within 30 days. So RI patients benefit from quick inspection and standard copy times. Fees for copies are limited by regulation.

Mental Health & HIV: RI requires patient consent for most mental health record disclosures and follows a similar consent model for HIV information.

Enforcement: Rhode Island's law gives patients the right to file a complaint with the state Department of Health for violations, and providers can face penalties. Patients can't directly sue under the statute, but they might use common law. Overall, RI's law strongly reinforces patient consent rights for info sharing beyond treatment needs, making it one of the strict states in terms of requiring patient permission.

South Carolina

HIPAA Baseline #40 of 50
No notable additional state rights. South Carolina relies on HIPAA for most patient rights. SC recognizes doctor-patient confidentiality in general, but no state statute expands on HIPAA significantly. Access to records is governed by HIPAA (30 days). SC law does require record retention for specified periods and allows reasonable costs for copies, but doesn't add a shorter timeframe or additional consent requirements. One point: SC's Physicians' Patient Records Act enshrines that patients (or their representatives) are entitled to a copy of their records, reinforcing the access right at state level. For sensitive info, SC follows federal law (e.g., Part 2 for substance abuse). No special opt-out forms or state-specific authorizations besides standard HIPAA ones.

South Dakota

HIPAA Baseline #41 of 50
No major enhancements. South Dakota has minimal state legislation on health information privacy. The state generally defers to federal law and professional standards. Patients have rights to access records (within 30 days, by HIPAA). SD's breach law requires notice to individuals for certain data breaches but doesn't specifically heighten requirements for PHI. So, SD patients rely on HIPAA's guarantees without additional state layers.

Tennessee

HIPAA Baseline #42 of 50
Private Right of Action: Tennessee stands out because its courts have recognized that patients can sue for unauthorized disclosure of medical information under the doctrine of breach of physician-patient confidentiality. Also, Tennessee statute T.C.A. Β§ 68-11-150 makes it explicit that patient records are confidential and improper disclosure can lead to liability. This means Tennessee patients have a state-backed right to keep their records private and can seek damages if a provider divulges information improperly (e.g., a nurse gossiping about a patient's condition could result in a lawsuit).

Access: Tennessee law echoes HIPAA in requiring providers to furnish records to patients; no shorter deadline is specified (so 30 days, now 15 under new HIPAA, applies).

Mental Health: Tennessee's laws on mental health records generally require patient consent for release of psychotherapy notes and communications, similar to HIPAA but reinforced by state code.

Drug Testing: TN has specific consent requirements for releasing drug/alcohol test results, giving patients rights over who can see those.

General: Aside from the ability to sue, TN's substantive rules align with HIPAA (consent needed for non-TPO disclosures, etc.). Breach notification in TN is aligned with standard practice (notice expediently, state AG notification if many affected).

Texas

Enhanced Rights #43 of 50
Texas Medical Records Privacy Act (TMRPA / HB 300): Texas significantly strengthened HIPAA protections at the state level. Broader Coverage: Texas defines "covered entity" more broadly than HIPAA – basically any entity handling PHI in Texas, not just healthcare providers/insurers, must comply, expanding privacy obligations. For patients, that means more entities (like business associates and even some non-HIPAA businesses) owe you privacy duties in Texas.

Consent for Electronic Disclosure: Texas law requires patient authorization for any electronic disclosure of PHI outside of the covered entity, except for disclosures authorized or required by other law. In practice, this means if a Texas provider wants to email or transmit your PHI to a third party for reasons other than treatment, billing, healthcare operations, or emergencies, they need your consent. This is stricter than HIPAA and gives patients a right to prevent electronic sharing of their data. (Treatment, payment, operations are exempted from needing consent, similar to HIPAA allowances.)

Standard Authorization Form: Texas, by law, had the Attorney General create a standard PHI disclosure authorization form that must be accepted by all providers. Patients can use this single form to authorize release of their records, rather than dealing with different forms for different providers – a user-friendly feature unique to TX. If you want to request your records be sent somewhere, using the state form should be universally accepted in Texas.

Faster Access: Under HB 300, if a Texas provider has an EHR system, patients have the right to get electronic copies of their records within 15 business days of a written request. This effectively codified a 15-day rule (similar to what the new federal rule has done). Texas also prohibits charging a retrieval fee for records (matching HIPAA).

Training and Notice: Texas mandates that covered entities train employees on state and federal privacy law and that they provide patients with a notice of electronic disclosures upon request.

Marketing: Texas explicitly gives patients the right to opt out of any mailing that constitutes marketing; any marketing mail must include an opt-out notice. And PHI cannot be used for telephone marketing or sales calls without your written authorization – reinforcing your right not to be solicited using your medical info.

Enforcement: Texas allows the state to enforce penalties for privacy violations. While Texas patients can't directly sue under TMRPA (enforcement is via Texas AG or regulatory boards), the law's stringent requirements back up your rights with hefty potential fines for violators. So in summary, Texas patients enjoy HIPAA's rights plus faster access, a say in electronic sharing, and clear opt-out rights for marketing.

Utah

HIPAA Baseline #44 of 50
No notable expansions. Utah's laws align closely with HIPAA. The Utah Health Information Technology Act primarily addresses electronic exchange but allows patients to opt out of the state's clinical health information exchange (cHIE). So, Utah patients can prevent their providers from sharing data in the HIE by opting out via a form. Otherwise, patient rights to access (30 days), amendment, consent, etc., follow federal law. Utah's recently passed Consumer Privacy Act (2022) excludes HIPAA data, so rights like opting out of sale under that act don't apply to PHI held by covered entities.

Vermont

HIPAA Baseline #45 of 50
Pharmacy Privacy and Data Mining: Vermont had a unique law (now largely superseded by Supreme Court ruling) that prohibited the sale or use of prescriber-identifiable prescription data for marketing without consent. This indirectly protected patient prescription privacy by limiting data miners. (The law was struck down on free speech grounds in Sorrell v. IMS Health (2011).) Still, Vermont has strong patient privacy sentiments.

General: VT law has a patients' bill of rights ensuring privacy and the right to approve release of records (consistent with HIPAA). Access to records is required by state regulation (generally within 30 days).

Mental Health: Vermont law makes mental health treatment information confidential, only to be released with patient consent or as authorized by law. For minors, VT gives those 12 and older rights to consent to some mental health or substance abuse treatment and keep those records confidential.

Data Broker Regulation: VT has a data broker law requiring companies that trade in personal data (including health data) to register and have reasonable security – though this doesn't directly give patients new rights, it's part of the privacy landscape.

Virginia

HIPAA Baseline #46 of 50
No major state PHI law beyond HIPAA. Virginia's recently enacted Consumer Data Protection Act (CDPA) excludes PHI under HIPAA, so its opt-out and access rights don't apply to HIPAA data. Virginia's health privacy provisions are scattered: e.g., there's a statute requiring consent to release medical records (with exceptions) which affirms your HIPAA rights. Virginia law specifically requires consent for release of medical records for workers' compensation claims beyond what's necessary, giving patients some control in that context. Generally, VA defers to HIPAA on timelines and content of rights. (Virginia's new mental health records law allows some sharing with family/caregivers in crisis unless patient objects, but patients can still object – a slight limitation on privacy in emergencies, though intended to help care.)

Washington

Enhanced Rights #47 of 50
"My Health My Data" Act (2023): Washington passed a comprehensive health data privacy law that gives consumers significant rights over their health data, including the right to opt out of sales, delete data, and receive disclosures about data practices. However, this law explicitly excludes HIPAA-covered information, so it doesn't enhance rights for PHI held by covered entities – it applies to health data held by non-HIPAA entities like health apps, fitness trackers, etc.

State Privacy Laws: Washington's Uniform Health Care Information Act (RCW 70.02) has long required patient authorization for disclosures of health info, with exceptions similar to HIPAA. It essentially codified HIPAA-like rights: patients must be given access to records, and their consent is needed for non-care disclosures. Washington also provides a private right of action for unauthorized disclosure – patients can sue for breaches of confidentiality under state law (with limits on damages).

Specific Consents: WA mandates consent for certain info: e.g., HIV status disclosures require written patient consent; mental health records need patient consent or a special release to share beyond treatment team.

Access: Washington's law requires providers to respond to record requests generally within 15 working days (which aligns with HIPAA's new 15 day rule roughly). It also caps fees for copying.

Conclusion: WA patients now benefit from both robust consumer health data rights (outside HIPAA) and solid medical record privacy law that reinforces consent and access rights within healthcare.

West Virginia

HIPAA Baseline #48 of 50
No major differences. West Virginia's laws incorporate HIPAA by reference in many places (for instance, WV Code Β§16-29-1 gives patients the right to access their medical records, which providers must comply with in line with HIPAA timelines and rules). WV doesn't add stricter consent requirements broadly; it follows the typical approach: patient authorization required for disclosures outside treatment/payment or other legal allowances. WV's mental health law is protective, requiring consent or court order for many disclosures of mental health info, giving patients control there. Breach notification is per general state law (notify individuals of breaches of personal information promptly). On the whole, WV patients' rights = HIPAA rights, with state support for enforcement (violations can be referred to the state's consumer protection division).

Wisconsin

Enhanced Rights #49 of 50
Strict Consent Law: Wisconsin statute Β§146.82 is known for being very strict: it states that patient health care records shall remain confidential and may be released only to designated persons or with the informed written consent of the patient, except for specific exceptions. Those exceptions include treatment of the patient, payment, certain administrative oversight, and a few others. But notably, Wisconsin did not create a broad "health care operations" exception like HIPAA – so some disclosures that HIPAA would permit (like quality improvement uses or care coordination with external entities) arguably need patient consent under WI law if not directly treatment-related. In practice, Wisconsin providers often obtain a broad consent at registration to cover permissible disclosures. Still, this law means Wisconsin patients have a right to refuse disclosure of their records to many third parties because consent is the default requirement.

Access: Wisconsin requires that patients be allowed to inspect their records during business hours upon request and get copies within a reasonable time. The law sets a maximum of 15 days for hospitals to provide records after a request. This gives a clear timeline that's on par with the new HIPAA rule.

Mental Health: Wisconsin has a separate statute for mental health records (Wis. Stat. Β§51.30) that is also very privacy-protective. It generally demands patient consent for disclosures of treatment records, with limited exceptions (even more narrow than HIPAA for some uses). Patients can designate who can receive their mental health info.

Other: WI allows minors aged 14+ to consent to outpatient mental health treatment and keeps those records confidential from parents without minor consent, granting those minors privacy rights. WI also recognizes a patient's cause of action for breach of confidentiality in some cases, so patients might sue if a provider violates Β§146.82.

Summary: Wisconsin's laws are often cited as more stringent than HIPAA, giving patients in WI tighter control – essentially you must consent to disclosures of your records unless it's among the listed exceptions.

Wyoming

HIPAA Baseline #50 of 50
No notable additional rights. Wyoming's laws generally defer to HIPAA for patient privacy rights. WY has basic confidentiality statutes for healthcare providers but no comprehensive state privacy law for PHI. Patients have rights to access records (30 days per HIPAA) and to authorize disclosures. Wyoming's breach notification law covers personal information including health data, requiring notice to individuals, but timing aligns with HIPAA. No unique state enhancements to patient rights beyond federal law.
14
States with Enhanced Rights
36
States Following HIPAA Baseline
50
Total States Covered