
State Laws vs HIPAA: How privacy rules work together in healthcare


State laws and the Health Insurance Portability and Accountability Act (HIPAA) frequently intersect in the regulation of healthcare privacy. While both are designed to protect patient information and promote the secure handling of health data, they differ in their scope, requirements, and application. HIPAA establishes a nationwide framework that sets minimum standards for the protection of protected health information (PHI), ensuring a consistent baseline of privacy rights across the United States. State laws, on the other hand, can supplement these federal requirements by addressing specific healthcare privacy concerns within a particular jurisdiction and, in many cases, providing stronger protections than HIPAA.

Despite these differences, HIPAA and state laws share the common goal of safeguarding patient privacy, maintaining confidentiality, and promoting trust in the healthcare system. Both regulate how health information is used, disclosed, stored, and shared, and both can impose penalties for non-compliance.

For healthcare organizations, understanding the relationship between HIPAA and state laws can be challenging, as they must often determine which law applies in a particular situation and whether federal or state requirements take precedence.

 

HIPAA's role in healthcare privacy

Enacted in 1996, HIPAA established national standards for protecting patients' medical information. The law applies to covered entities, including healthcare providers, health plans, and healthcare clearinghouses, as well as business associates that handle PHI on behalf of covered entities.

According to an article by Peter F. Edemekong published by the National Library of Medicine, the goals of the Act are to:

  • “limit the use of PHI to individuals with a 'need to know.'”
  • “impose penalties on those who fail to comply with confidentiality regulations.”

HIPAA establishes a federal baseline rather than a comprehensive set of privacy requirements. This means organizations must often look beyond HIPAA to determine their full compliance obligations. HIPAA is implemented through several rules and regulations, each addressing a different aspect of healthcare privacy, security, and administrative efficiency.

 

The HIPAA Privacy Rule

The HIPAA Privacy Rule establishes standards for the use and disclosure of PHI. According to the HHS, the goal of the Privacy Rule is to “assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being.” It does this by limiting when healthcare organizations can share patient information and granting patients rights regarding the handling of their health records. These rights include the ability to access and obtain copies of their medical records, request corrections to inaccurate information, receive an accounting of certain disclosures, and request restrictions on how their information is used or shared.

The Privacy Rule applies to PHI in all forms, whether electronic, paper-based, or oral, and serves as the foundation of HIPAA's patient privacy protections.

 

The HIPAA Security Rule

“The Security Rule establishes a national set of security standards to protect certain health information that is maintained or transmitted in electronic form,” says the HHS. Rather than prescribing specific technologies, “the Security Rule sets forth the administrative, physical, and technical safeguards that covered entities and business associates (collectively, “regulated entities”) must put in place to secure individuals’ electronic protected health information.”

Examples of Security Rule safeguards include workforce training, access controls, encryption, audit logs, password management, facility security measures, and regular risk assessments.

 

The HIPAA Breach Notification Rule

The Breach Notification Rule outlines the actions organizations must take when unsecured PHI is compromised. According to the Rule, “covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.”

The rule establishes timelines for notification and helps ensure transparency when patient information is exposed, accessed, or disclosed without authorization.

 

The HIPAA Enforcement Rule

“The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings,” writes the HHS. It grants the Office for Civil Rights (OCR) within the Department of Health and Human Services authority to enforce HIPAA requirements.

Violations can result in corrective action plans, resolution agreements, and significant civil monetary penalties, depending on the severity of the violation and the organization's level of culpability.

 

The HIPAA Omnibus Rule

Implemented in 2013, the HIPAA Omnibus Rule strengthens existing privacy and security protections by incorporating provisions from the Health Information Technology for Economic and Clinical Health (HITECH) Act. The rule expands the liability of business associates, enhances patients' rights regarding their health information, strengthens breach notification requirements, and increases penalties for non-compliance.

 

State laws and healthcare

While HIPAA serves as the primary federal law governing healthcare privacy, it is not the only law that governs the collection, use, and protection of health information. Healthcare organizations must also comply with a growing number of state privacy and data protection laws that can supplement, and sometimes exceed, federal requirements. In fact, according to an article from DLA Piper, the US does not have a single comprehensive federal privacy law. Instead, healthcare organizations must navigate a complex patchwork of federal, state, and local regulations that govern the collection, use, disclosure, and protection of personal information.

In recent years, states have become increasingly active in regulating privacy and data protection. Starting with California's enactment of the California Consumer Privacy Act (CCPA), many states have introduced comprehensive privacy laws that impose additional obligations on organizations handling personal information. Although many of these laws are not healthcare-specific, they can still affect healthcare organizations, particularly when they collect, process, or store information that falls outside HIPAA's definition of PHI.

State laws address areas such as:

  • Consumer health data privacy
  • Data breach notification requirements
  • Biometric information
  • Online tracking and geolocation data
  • Data security safeguards
  • Data retention and destruction requirements
  • Patient consent and authorization requirements

According to DLA Piper, the US privacy landscape is governed by a combination of sector-specific federal laws, such as HIPAA, and an expanding patchwork of state privacy statutes. Together, these laws regulate how organizations collect, use, disclose, store, and protect personal information, creating a complex compliance environment for healthcare organizations that must navigate both federal and state requirements.

 

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), was the first comprehensive state privacy law in the United States and has influenced privacy legislation across the country. These laws grant California residents rights regarding their personal information, including the right to access, correct, delete, and limit certain uses of their data.

Although HIPAA-regulated PHI is generally exempt from the CCPA and CPRA, healthcare organizations may still be subject to these laws when handling information that falls outside HIPAA's scope, such as website visitor information, marketing data, and employee records.


 

Virginia Consumer Data Protection Act (VCDPA)

The Virginia Consumer Data Protection Act provides Virginia residents with rights to access, correct, delete, and obtain copies of their personal data. The law also requires organizations to conduct data protection assessments for certain high-risk processing activities.

Healthcare organizations operating in Virginia may need to evaluate whether non-HIPAA-regulated information falls within the scope of the law.

 

Colorado Privacy Act (CPA)

The Colorado Privacy Act (CPA) establishes consumer rights over personal information and requires organizations to implement reasonable data protection measures. The law also imposes obligations related to transparency, data minimization, and the processing of sensitive data.

Healthcare organizations that operate consumer-facing services may need to consider these requirements alongside HIPAA obligations.

 

Connecticut Data Privacy Act (CTDPA)

The Connecticut Data Privacy Act (CTDPA) grants consumers rights over their personal data and imposes requirements regarding privacy notices, consent, and data protection assessments. Similar to other state privacy laws, it can affect healthcare organizations when handling information that is not covered by HIPAA.

 

Utah Consumer Privacy Act (UCPA)

The Utah Consumer Privacy Act (UCPA) provides consumers with rights to access and delete personal information while requiring organizations to maintain reasonable data security practices. Healthcare organizations should assess whether certain business activities fall within the law's scope.

 

Consumer health data laws

DLA Piper also notes the emergence of consumer health privacy laws that extend protections beyond traditional healthcare settings. One notable example is the Washington My Health My Data Act, which regulates consumer health information collected by organizations that may not be covered by HIPAA.

These laws are particularly relevant to healthcare organizations that use telehealth platforms, mobile applications, wearable technologies, and digital health services that collect health-related information outside traditional healthcare environments.

 

State data breach notification laws

In addition to comprehensive privacy statutes, all states have enacted data breach notification laws. These laws often require organizations to notify affected individuals when certain categories of personal information are compromised. Some states impose stricter reporting timelines or broader notification requirements than HIPAA's Breach Notification Rule.

For healthcare organizations, a data breach may trigger both HIPAA notification requirements and state-specific reporting obligations.


 

FAQs

What does it mean when a state law is "more stringent" than HIPAA?

A state law is considered more stringent when it provides greater privacy protections, restricts disclosures more than HIPAA, grants patients additional rights, or imposes stricter compliance requirements on healthcare organizations.

 

Can healthcare organizations comply with HIPAA and still violate state law?

Yes. Compliance with HIPAA does not automatically mean compliance with state law. Healthcare organizations must ensure they meet both federal and applicable state requirements, particularly when state laws impose stricter standards.

 

Why do state healthcare privacy laws vary?

Healthcare privacy laws are created by individual state legislatures to address local concerns, public health priorities, and evolving privacy expectations. As a result, requirements can differ significantly from one state to another.

 

What types of health information are often subject to stricter state protections?

Many states provide enhanced protections for mental health records, HIV/AIDS-related information, substance use treatment records, reproductive healthcare information, and records involving minors.

 

How can healthcare organizations determine whether HIPAA or state law applies?

Organizations must evaluate whether the state law conflicts with HIPAA and whether the state law provides greater privacy protections. If the state law is more stringent, it generally takes precedence over HIPAA.
