State Laws ⚖️ Federal HIPAA

When State Health Privacy Laws Override HIPAA (2026)

Understanding the relationship between federal HIPAA and state health privacy laws is crucial for protecting your medical information. Under federal HIPAA regulations, state health privacy laws prevail when they provide stronger protections.

Quick answer

Under federal HIPAA regulations, state health privacy laws prevail when they are more stringent — when they grant individuals greater access, more protection, or stronger remedies. HIPAA sets a floor, not a ceiling.

Legal basis: 45 CFR § 160.203 — the HIPAA preemption rule.

The Golden Rule: Stricter State Laws Win

Under federal HIPAA regulations (45 CFR § 160.203), state health privacy laws override HIPAA when they provide:

  • More stringent privacy protections for health information
  • Stronger patient rights (faster access, ability to sue, etc.)
  • Higher penalties for violations
  • Additional disclosure restrictions or consent requirements

Legal Citation: 45 CFR § 160.203 states: "A standard, requirement, or implementation specification... is contrary to a provision of State law if... a covered entity would find it impossible to comply with both the State and Federal requirements." When state law is more stringent, it prevails.

Bottom Line: HIPAA sets the federal baseline. States can (and do) go further. When both apply, healthcare providers must follow whichever law is stricter.

How State and Federal Laws Work Together

Federal HIPAA

Sets the minimum baseline for privacy protections nationwide. Applies to all 50 states.

+

State Privacy Laws

Can provide stronger protections beyond HIPAA. Vary by state.

= You have rights under BOTH laws simultaneously

The stricter protection applies in each situation

10 States with Stronger-Than-HIPAA Protections

These states have enacted health privacy laws that provide additional protections beyond federal HIPAA. Click each state to see how their laws override HIPAA:

California

Stronger than HIPAA

CMIA (Confidentiality of Medical Information Act) • Cal. Civ. Code §§ 56-56.37

Key Advantages Over HIPAA:

  • 15-day medical records access (vs HIPAA 30-60 days)
  • Private right to sue for violations (HIPAA doesn't allow)
  • Higher penalties: up to $250,000 per violation
  • Stricter marketing consent requirements
  • 15-day breach notification (vs HIPAA 60 days)

Washington

Stronger than HIPAA

My Health My Data Act (MHMD) • RCW 19.373

Key Advantages Over HIPAA:

  • Covers health data from apps, wearables, and consumer devices
  • Requires explicit consent before collecting/sharing health data
  • Right to delete health data
  • Prohibits geofencing around healthcare facilities
  • Covers non-HIPAA entities like wellness apps

Illinois

Stronger than HIPAA

Genetic Information Privacy Act (GIPA) • 410 ILCS 513

Key Advantages Over HIPAA:

  • Requires written consent before genetic testing
  • Genetic info cannot be disclosed without authorization
  • Employers/insurers cannot require genetic tests
  • Right to know who has access to genetic data
  • Criminal penalties for unauthorized disclosure

Colorado

Stronger than HIPAA

Colorado Privacy Act (CPA) • C.R.S. § 6-1-1301 et seq.

Key Advantages Over HIPAA:

  • Comprehensive data rights beyond HIPAA
  • Right to opt-out of targeted advertising
  • Right to opt-out of sale of personal data
  • Right to delete personal data
  • Universal opt-out mechanisms (browser-based)

Connecticut

Stronger than HIPAA

Connecticut Data Privacy Act (CTDPA) • Conn. Gen. Stat. § 42-515 et seq.

Key Advantages Over HIPAA:

  • Right to access, correct, and delete health data
  • Right to opt-out of processing for targeted ads
  • Right to opt-out of sale of personal data
  • Data protection assessments required
  • Sensitive data requires opt-in consent

Virginia

Stronger than HIPAA

Virginia Consumer Data Protection Act (VCDPA) • Va. Code § 59.1-575 et seq.

Key Advantages Over HIPAA:

  • Right to access personal data
  • Right to delete personal data
  • Right to opt-out of sale or targeted advertising
  • Data protection assessments for high-risk processing
  • Sensitive data requires opt-in consent

Texas

Stronger than HIPAA

Texas Medical Records Privacy Act • Tex. Health & Safety Code § 181

Key Advantages Over HIPAA:

  • Covered entities broader than federal HIPAA
  • Enhanced breach notification requirements
  • Additional protections for mental health records
  • Civil penalties up to $1.5M per violation category
  • Attorney General enforcement

Massachusetts

Stronger than HIPAA

Massachusetts Data Privacy Law • 201 CMR 17.00

Key Advantages Over HIPAA:

  • Strict security requirements for personal information
  • Written information security program (WISP) required
  • Encryption of transmitted records
  • Employee training requirements
  • Breach notification within specified timeframes

New York

Stronger than HIPAA

NY Public Health Law & SHIELD Act • N.Y. Pub. Health Law § 18, N.Y. Gen. Bus. Law § 899-bb

Key Advantages Over HIPAA:

  • HIV/AIDS information specially protected
  • Mental health records require specific consent
  • SHIELD Act requires reasonable security measures
  • Strict breach notification timelines
  • Attorney General enforcement authority

Pennsylvania

Stronger than HIPAA

PA Breach Notification Law & UTPCPL • 73 P.S. § 2303, 73 P.S. § 201-1 et seq.

Key Advantages Over HIPAA:

  • 72-hour breach notification to Attorney General
  • Consumer protection for health data misuse (UTPCPL)
  • Enhanced HIV confidentiality (Act 148)
  • Mental Health Procedures Act protections
  • Special protections for substance use disorder records

Real-World Examples: When State Law Overrides HIPAA

Scenario HIPAA Requirement State Law (Stronger) Winner
Medical Records Access 30 days
45 CFR § 164.524
California: 15 days
Civ. Code § 56.11
State Law
Breach Notification 60 days to patient
45 CFR § 164.404
PA: 72 hours to AG
CA: 15 days to patient
73 P.S. § 2303, Civ. Code § 56.101
State Law
Right to Sue No private right of action
Only HHS can enforce
CA: Can sue directly
Civ. Code § 56.35
State Law
Consumer Health App Data Not covered (non-HIPAA entity)
HIPAA doesn't apply
WA: Fully protected
My Health My Data Act (RCW 19.373)
State Law
Genetic Information General privacy protections
Standard HIPAA rules
IL: Special protections
GIPA (410 ILCS 513)
State Law
HIV Status Disclosure Standard privacy rules
General PHI protections
NY/PA: Enhanced protections
NY Pub. Health Law § 2782, PA Act 148
State Law

When Each Law Applies

HIPAA Always Applies

  • All 50 states - federal baseline
  • HIPAA "covered entities" (health plans, providers, clearinghouses)
  • Interstate healthcare (providers operating in multiple states)
  • Federal programs (Medicare, Medicaid, VA)
  • When state law is weaker or silent on an issue

State Law Overrides HIPAA

  • When state law is more stringent (stricter protections)
  • State-specific requirements (e.g., CA 15-day access)
  • When state covers more entities than HIPAA
  • Private right to sue (states like CA, TX)
  • Higher penalties or additional remedies

Strategy: Always Cite BOTH Federal and State Laws

Maximize your protection by invoking all applicable laws

Example Request Letter (California Resident):

[Your Name]

[Date]

[Provider Name & Address]

Re: Request for Medical Records

Dear [Provider],

Pursuant to California Civil Code § 56.11 (CMIA) and 45 CFR § 164.524 (federal HIPAA), I request access to and copies of all my medical records from [dates].

Under California law, you must provide these records within 15 business days. Under federal HIPAA, you must provide them within 30 days. California's 15-day requirement applies as the more stringent standard.

Please send them to: [your address or email].

Thank you,

[Your Signature]

Pro Tip: By citing both laws, you demonstrate awareness of your rights and ensure the provider applies the stronger standard. Most providers will defer to state law when it's stricter.

Official Resources

Authoritative sources for federal and state health privacy laws

Automate Your Privacy Protection

HealthConsent® automatically identifies and exercises your rights under BOTH federal HIPAA and your state's privacy laws. We cite the strongest applicable law for each situation, ensuring maximum protection of your health data.

Enforces federal + state laws • Handles all compliance automatically • Cancel anytime