When State Health Privacy Laws Override HIPAA (2026)
Understanding the relationship between federal HIPAA and state health privacy laws is crucial for protecting your medical information. Under federal HIPAA regulations, state health privacy laws prevail when they provide stronger protections.
Quick answer
Under federal HIPAA regulations, state health privacy laws prevail when they are more stringent — when they grant individuals greater access, more protection, or stronger remedies. HIPAA sets a floor, not a ceiling.
Legal basis: 45 CFR § 160.203 — the HIPAA preemption rule.
The Golden Rule: Stricter State Laws Win
Under federal HIPAA regulations (45 CFR § 160.203), state health privacy laws override HIPAA when they provide:
- More stringent privacy protections for health information
- Stronger patient rights (faster access, ability to sue, etc.)
- Higher penalties for violations
- Additional disclosure restrictions or consent requirements
Legal Citation: 45 CFR § 160.203 states: "A standard, requirement, or implementation specification... is contrary to a provision of State law if... a covered entity would find it impossible to comply with both the State and Federal requirements." When state law is more stringent, it prevails.
Bottom Line: HIPAA sets the federal baseline. States can (and do) go further. When both apply, healthcare providers must follow whichever law is stricter.
How State and Federal Laws Work Together
Federal HIPAA
Sets the minimum baseline for privacy protections nationwide. Applies to all 50 states.
State Privacy Laws
Can provide stronger protections beyond HIPAA. Vary by state.
= You have rights under BOTH laws simultaneously
The stricter protection applies in each situation
10 States with Stronger-Than-HIPAA Protections
These states have enacted health privacy laws that provide additional protections beyond federal HIPAA. Click each state to see how their laws override HIPAA:
California
Stronger than HIPAA
CMIA (Confidentiality of Medical Information Act) • Cal. Civ. Code §§ 56-56.37
California
Stronger than HIPAACMIA (Confidentiality of Medical Information Act) • Cal. Civ. Code §§ 56-56.37
Key Advantages Over HIPAA:
- ✓ 15-day medical records access (vs HIPAA 30-60 days)
- ✓ Private right to sue for violations (HIPAA doesn't allow)
- ✓ Higher penalties: up to $250,000 per violation
- ✓ Stricter marketing consent requirements
- ✓ 15-day breach notification (vs HIPAA 60 days)
Washington
Stronger than HIPAA
My Health My Data Act (MHMD) • RCW 19.373
Washington
Stronger than HIPAAMy Health My Data Act (MHMD) • RCW 19.373
Key Advantages Over HIPAA:
- ✓ Covers health data from apps, wearables, and consumer devices
- ✓ Requires explicit consent before collecting/sharing health data
- ✓ Right to delete health data
- ✓ Prohibits geofencing around healthcare facilities
- ✓ Covers non-HIPAA entities like wellness apps
Illinois
Stronger than HIPAA
Genetic Information Privacy Act (GIPA) • 410 ILCS 513
Illinois
Stronger than HIPAAGenetic Information Privacy Act (GIPA) • 410 ILCS 513
Key Advantages Over HIPAA:
- ✓ Requires written consent before genetic testing
- ✓ Genetic info cannot be disclosed without authorization
- ✓ Employers/insurers cannot require genetic tests
- ✓ Right to know who has access to genetic data
- ✓ Criminal penalties for unauthorized disclosure
Colorado
Stronger than HIPAA
Colorado Privacy Act (CPA) • C.R.S. § 6-1-1301 et seq.
Colorado
Stronger than HIPAAColorado Privacy Act (CPA) • C.R.S. § 6-1-1301 et seq.
Key Advantages Over HIPAA:
- ✓ Comprehensive data rights beyond HIPAA
- ✓ Right to opt-out of targeted advertising
- ✓ Right to opt-out of sale of personal data
- ✓ Right to delete personal data
- ✓ Universal opt-out mechanisms (browser-based)
Connecticut
Stronger than HIPAA
Connecticut Data Privacy Act (CTDPA) • Conn. Gen. Stat. § 42-515 et seq.
Connecticut
Stronger than HIPAAConnecticut Data Privacy Act (CTDPA) • Conn. Gen. Stat. § 42-515 et seq.
Key Advantages Over HIPAA:
- ✓ Right to access, correct, and delete health data
- ✓ Right to opt-out of processing for targeted ads
- ✓ Right to opt-out of sale of personal data
- ✓ Data protection assessments required
- ✓ Sensitive data requires opt-in consent
Virginia
Stronger than HIPAA
Virginia Consumer Data Protection Act (VCDPA) • Va. Code § 59.1-575 et seq.
Virginia
Stronger than HIPAAVirginia Consumer Data Protection Act (VCDPA) • Va. Code § 59.1-575 et seq.
Key Advantages Over HIPAA:
- ✓ Right to access personal data
- ✓ Right to delete personal data
- ✓ Right to opt-out of sale or targeted advertising
- ✓ Data protection assessments for high-risk processing
- ✓ Sensitive data requires opt-in consent
Texas
Stronger than HIPAA
Texas Medical Records Privacy Act • Tex. Health & Safety Code § 181
Texas
Stronger than HIPAATexas Medical Records Privacy Act • Tex. Health & Safety Code § 181
Key Advantages Over HIPAA:
- ✓ Covered entities broader than federal HIPAA
- ✓ Enhanced breach notification requirements
- ✓ Additional protections for mental health records
- ✓ Civil penalties up to $1.5M per violation category
- ✓ Attorney General enforcement
Massachusetts
Stronger than HIPAA
Massachusetts Data Privacy Law • 201 CMR 17.00
Massachusetts
Stronger than HIPAAMassachusetts Data Privacy Law • 201 CMR 17.00
Key Advantages Over HIPAA:
- ✓ Strict security requirements for personal information
- ✓ Written information security program (WISP) required
- ✓ Encryption of transmitted records
- ✓ Employee training requirements
- ✓ Breach notification within specified timeframes
New York
Stronger than HIPAA
NY Public Health Law & SHIELD Act • N.Y. Pub. Health Law § 18, N.Y. Gen. Bus. Law § 899-bb
New York
Stronger than HIPAANY Public Health Law & SHIELD Act • N.Y. Pub. Health Law § 18, N.Y. Gen. Bus. Law § 899-bb
Key Advantages Over HIPAA:
- ✓ HIV/AIDS information specially protected
- ✓ Mental health records require specific consent
- ✓ SHIELD Act requires reasonable security measures
- ✓ Strict breach notification timelines
- ✓ Attorney General enforcement authority
Pennsylvania
Stronger than HIPAA
PA Breach Notification Law & UTPCPL • 73 P.S. § 2303, 73 P.S. § 201-1 et seq.
Pennsylvania
Stronger than HIPAAPA Breach Notification Law & UTPCPL • 73 P.S. § 2303, 73 P.S. § 201-1 et seq.
Key Advantages Over HIPAA:
- ✓ 72-hour breach notification to Attorney General
- ✓ Consumer protection for health data misuse (UTPCPL)
- ✓ Enhanced HIV confidentiality (Act 148)
- ✓ Mental Health Procedures Act protections
- ✓ Special protections for substance use disorder records
Real-World Examples: When State Law Overrides HIPAA
| Scenario | HIPAA Requirement | State Law (Stronger) | Winner |
|---|---|---|---|
| Medical Records Access |
30 days 45 CFR § 164.524 | California: 15 days Civ. Code § 56.11 | State Law |
| Breach Notification |
60 days to patient 45 CFR § 164.404 | PA: 72 hours to AG CA: 15 days to patient 73 P.S. § 2303, Civ. Code § 56.101 | State Law |
| Right to Sue |
No private right of action Only HHS can enforce | CA: Can sue directly Civ. Code § 56.35 | State Law |
| Consumer Health App Data |
Not covered (non-HIPAA entity) HIPAA doesn't apply | WA: Fully protected My Health My Data Act (RCW 19.373) | State Law |
| Genetic Information |
General privacy protections Standard HIPAA rules | IL: Special protections GIPA (410 ILCS 513) | State Law |
| HIV Status Disclosure |
Standard privacy rules General PHI protections | NY/PA: Enhanced protections NY Pub. Health Law § 2782, PA Act 148 | State Law |
When Each Law Applies
HIPAA Always Applies
- All 50 states - federal baseline
- HIPAA "covered entities" (health plans, providers, clearinghouses)
- Interstate healthcare (providers operating in multiple states)
- Federal programs (Medicare, Medicaid, VA)
- When state law is weaker or silent on an issue
State Law Overrides HIPAA
- When state law is more stringent (stricter protections)
- State-specific requirements (e.g., CA 15-day access)
- When state covers more entities than HIPAA
- Private right to sue (states like CA, TX)
- Higher penalties or additional remedies
Strategy: Always Cite BOTH Federal and State Laws
Maximize your protection by invoking all applicable laws
Example Request Letter (California Resident):
[Your Name]
[Date]
[Provider Name & Address]
Re: Request for Medical Records
Dear [Provider],
Pursuant to California Civil Code § 56.11 (CMIA) and 45 CFR § 164.524 (federal HIPAA), I request access to and copies of all my medical records from [dates].
Under California law, you must provide these records within 15 business days. Under federal HIPAA, you must provide them within 30 days. California's 15-day requirement applies as the more stringent standard.
Please send them to: [your address or email].
Thank you,
[Your Signature]
Pro Tip: By citing both laws, you demonstrate awareness of your rights and ensure the provider applies the stronger standard. Most providers will defer to state law when it's stricter.
Official Resources
Authoritative sources for federal and state health privacy laws
Federal HIPAA Resources:
State Privacy Law Resources:
Automate Your Privacy Protection
HealthConsent® automatically identifies and exercises your rights under BOTH federal HIPAA and your state's privacy laws. We cite the strongest applicable law for each situation, ensuring maximum protection of your health data.
Enforces federal + state laws • Handles all compliance automatically • Cancel anytime
Live tracker
Recent healthcare data breaches
Real incidents from the 2026 HHS OCR portal. Each entry names the provider, the data exposed, and the steps to take if you received a notification letter.