If you're operating a healthcare organization, following HIPAA isn't enough. Many states have their own health privacy laws that provide additional protections beyond federal requirements.
The interaction between federal HIPAA and state privacy laws can be confusing. Which rules do you follow? What happens when they conflict? Do you need to comply with privacy laws in states where you don't have a physical presence?
This guide will help you understand the relationship between HIPAA and state laws, identify which states have stricter requirements, and ensure you're meeting all applicable obligations.
Understanding HIPAA Preemption
HIPAA includes a "preemption" provision that determines the relationship between federal and state law. The rule is simple in concept but complex in application:
The Golden Rule
HIPAA sets the floor, not the ceiling. If a state law is more protective of patient privacy, you must follow the stricter state law.
Specifically, HIPAA preempts (overrides) state law when:
- The state law is contrary to HIPAA
- Following the state law would make compliance with HIPAA impossible
- The state law provides less protection than HIPAA
However, HIPAA does NOT preempt state law when the state law:
- Provides greater privacy protections or patient rights
- Relates to public health reporting requirements
- Regulates controlled substances
- Addresses matters not covered by HIPAA
Critical Point
When in doubt, follow the stricter standard. If you're compliant with the more restrictive law, you'll be compliant with both. Consulting with legal counsel familiar with both HIPAA and your state's laws is highly recommended.
States with Stricter Privacy Laws
The following states have health privacy laws that provide additional protections beyond HIPAA. If you serve patients in these states, you need to understand and comply with their specific requirements.
California
California Confidentiality of Medical Information Act (CMIA)
Key Differences from HIPAA:
- Stricter consent requirements for marketing and third-party disclosures
- Requires specific authorization language and checkboxes
- Shorter timeframes for breach notification (15 days vs 60 days)
- Private right of action for violations (patients can sue directly)
When It Applies:
Applies to all California residents' health information, regardless of where the covered entity is located
Texas
Texas Medical Records Privacy Act
Key Differences from HIPAA:
- Requires patient authorization for most disclosures, even for treatment in some cases
- More restrictive release requirements for mental health and HIV/AIDS records
- Stricter rules for medical records requests and release fees
- Additional penalties for unauthorized access
When It Applies:
Applies to healthcare providers and facilities operating in Texas
New York
New York Public Health Law & Mental Hygiene Law
Key Differences from HIPAA:
- Highly restrictive mental health and substance abuse records protections
- Requires specific written consent for HIV/AIDS information
- Stricter requirements for genetic testing information
- Additional protections for reproductive health information
When It Applies:
Applies to New York healthcare providers and records created in New York
Illinois
Illinois Mental Health and Developmental Disabilities Confidentiality Act
Key Differences from HIPAA:
- Extremely strict protections for mental health records
- Requires specific written consent for each disclosure
- Limited exceptions even for treatment purposes
- Criminal penalties for violations
When It Applies:
Applies to mental health records in Illinois regardless of patient location
Washington
Washington State Health Care Information Act
Key Differences from HIPAA:
- Broader definition of health care information
- Requires written authorization for most disclosures
- Specific requirements for disclosures to employers and insurers
- Private right of action with statutory damages
When It Applies:
Applies to healthcare providers and facilities in Washington state
Common Areas Where State Laws Differ
| Area | HIPAA Standard | State Law May Require |
|---|---|---|
| Consent Requirements | General consent for treatment, payment, operations | Specific written consent for each disclosure or category |
| Mental Health Records | Same protections as other PHI | Heightened protections and separate consent |
| Substance Abuse Records | Protected as PHI | Additional restrictions (also see 42 CFR Part 2) |
| HIV/AIDS Information | Protected as PHI | Specific written consent for any disclosure |
| Genetic Information | Protected as PHI | Prohibition of certain uses (employment, insurance underwriting) |
| Minors' Records | Parents generally have access | Minors' control over certain records (reproductive health, mental health) |
| Breach Notification Timing | 60 days to notify individuals | Notification within 15-30 days in some states |
| Patient Access Fees | Reasonable, cost-based fees allowed | Capped fees, or no charge for electronic copies, in some states |
Operating Across State Lines
If your organization serves patients in multiple states, compliance becomes more complex. Here's how to navigate it:
Determine Applicable Laws
- Identify all states where you have patients or physical locations
- Research health privacy laws for each state
- Document which state laws apply to your operations
Compare Requirements
- Create a comparison matrix of HIPAA vs each state's requirements
- Identify the strictest standard for each privacy element
- Flag areas where state laws conflict
Design for the Strictest Standard
- Build policies and procedures that meet the most restrictive requirements
- This ensures compliance across all jurisdictions
- Document why you chose specific standards
Implement State-Specific Processes
- Some processes may need to vary by state (consent forms, breach notification)
- Train staff on which processes apply to which patients
- Use technology to flag patient location when relevant
Telehealth Consideration
If you provide telehealth services, you may need to comply with privacy laws in the state where the patient is located—even if you're physically located in a different state. Some states explicitly extend their privacy laws to out-of-state providers treating their residents.
Practical Compliance Steps
Conduct a Multi-Jurisdictional Analysis
Work with legal counsel to identify all applicable state laws and create a comprehensive compliance matrix
Update Consent Forms
Ensure authorization forms meet the strictest state requirements or create state-specific versions
Review Disclosure Practices
Audit current PHI disclosure practices to ensure they meet all applicable state standards
Strengthen Sensitive Record Protections
Implement additional controls for mental health, HIV/AIDS, substance abuse, and genetic information
Adjust Breach Notification Procedures
Update incident response plan to accommodate the fastest state notification timeline
Train Staff on State Variations
Ensure workforce understands when and why processes differ based on patient location
Update Privacy Notices
Notice of Privacy Practices should reflect the most protective standards you follow
Monitor Legislative Changes
State privacy laws are evolving rapidly—stay informed of new requirements
Key Takeaways
- HIPAA sets the minimum standard—state laws can be more protective but not less
- Many states have stricter requirements for mental health, HIV/AIDS, and substance abuse records
- If you operate in multiple states, design for the strictest applicable standard
- Telehealth providers must consider privacy laws in the patient's state, not just their own
- Breach notification timelines can be much shorter under state law (15-30 days vs 60)
- State laws often provide private rights of action, meaning patients can sue directly
- When in doubt, follow the more restrictive standard and consult legal counsel
The Bottom Line
Navigating the intersection of HIPAA and state privacy laws requires diligence, documentation, and often legal guidance. The good news is that by building your compliance program to meet the strictest applicable standards, you can create a robust privacy framework that protects patient information and minimizes legal risk across all jurisdictions.
Remember: privacy laws are constantly evolving. What's true today may change tomorrow as states pass new legislation or amend existing laws. Regular compliance reviews and staying informed of legal developments are essential parts of a mature privacy program.