Federal HIPAA Mandates vs. Privacy Laws by State

Practical guidance for healthcare teams and business associates

State Privacy Laws vs Federal HIPAA Rules

Navigating state privacy laws alongside federal HIPAA rules is one of the most complex challenges facing healthcare organizations that operate across multiple jurisdictions. While HIPAA establishes a national baseline for protecting health information, it does not occupy the field entirely. States retain broad authority to enact their own privacy protections, and many have done so with rules that exceed HIPAA in significant ways.

For compliance officers, attorneys, and healthcare administrators, the interaction between state and federal privacy law demands careful analysis. Applying the wrong standard in the wrong jurisdiction can expose an organization to regulatory action, civil liability, and reputational harm. This guide examines how the federal preemption doctrine works, highlights key state laws that affect healthcare organizations, and offers practical strategies for building a multi-state compliance program.

The Federal Preemption Doctrine

How HIPAA Preemption Works

HIPAA includes a preemption provision that governs its relationship with state law. Under 45 CFR 160.203, HIPAA preempts state laws that are contrary to the federal requirements. However, this preemption is not absolute. A state law is not preempted if it is more stringent than the corresponding HIPAA requirement in protecting patient privacy or providing patients with greater rights regarding their health information.

This “floor, not ceiling” approach means that HIPAA sets the minimum standard for privacy protection. States are free to impose requirements that go further than HIPAA. When they do, healthcare organizations must comply with both the federal standard and the more restrictive state standard.

The “More Stringent” Standard

Determining whether a state law is “more stringent” requires analyzing the specific regulatory provision at issue. Under 45 CFR 160.202, a state law is more stringent than HIPAA if it meets any of the following criteria:

  • Prohibits or restricts a use or disclosure that HIPAA would permit
  • Provides individuals with greater access to their own health information
  • Requires more detailed record-keeping or written documentation than HIPAA mandates
  • Provides individuals with greater rights to amend or correct their records
  • Narrows the scope of permitted uses and disclosures beyond what HIPAA allows
  • Requires more stringent breach notification than the HIPAA Breach Notification Rule

When a state law is determined to be more stringent, organizations must follow the state law in that jurisdiction while still meeting all other HIPAA requirements. This creates a layered compliance obligation that can vary greatly from state to state.

Preemption in Practice: Real Examples

The following examples show how the floor-not-ceiling rule plays out for covered entities operating in specific states:

  • Medical records turnaround: HIPAA gives patients 30 days to receive their records (with one 30-day extension). California law requires records within 15 business days. A California provider must meet the 15-day standard.
  • Breach notification windows: HIPAA allows 60 days from discovery. Colorado and Florida require notice within 30 days. Multi-state organizations must meet the shorter deadline for affected patients in those states.
  • Vendor coverage: HIPAA reaches business associates through signed agreements. Texas HB 300 extends HIPAA-equivalent obligations directly to vendors and contractors regardless of whether a BAA is in place.
  • Consumer health apps: A period-tracking app or wellness platform that is not a covered entity is not subject to HIPAA. It may, however, be subject to California CPRA, Washington's My Health MY Data Act, or Nevada SB370 — all of which cover consumer health data outside the HIPAA ecosystem.

Exceptions to Preemption

Several categories of state law are explicitly exempt from HIPAA preemption regardless of whether they are more or less stringent:

  • State laws governing reporting of disease, injury, child abuse, birth, or death
  • Public health surveillance and investigation laws
  • Laws requiring health plan reporting for management, financial audits, or program monitoring
  • State laws governing health plan regulation, including licensure and certification

These exceptions ensure that key state public health and regulatory functions continue to operate without interference from the federal privacy framework.

Key State Privacy Laws Affecting Healthcare

California: CCPA, CPRA, and CMIA

California has the most extensive state privacy framework in the nation. Healthcare organizations operating in California must navigate multiple overlapping laws:

The Confidentiality of Medical Information Act (CMIA) predates HIPAA and imposes additional restrictions on the use and disclosure of medical information. CMIA applies to healthcare providers, health insurers, and their contractors, with several provisions that exceed HIPAA:

  • Written authorization requirements that are more detailed than HIPAA’s authorization standard
  • Restrictions on marketing uses of health information that go beyond HIPAA’s marketing provisions
  • Private right of action allowing patients to sue for unauthorized disclosures, with statutory damages of $1,000 per violation plus actual damages
  • Criminal penalties for knowing and willful unauthorized disclosure

The California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), generally exempt health information governed by HIPAA. However, the exemption applies only to information that is actually protected by HIPAA. Consumer health data collected outside the HIPAA framework, such as health information gathered by wellness apps or direct-to-consumer health services, may fall under CCPA/CPRA protections instead.

New York: SHIELD Act

The New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act significantly expanded New York’s data breach notification requirements and imposed affirmative data security obligations on businesses that hold private information of New York residents.

Key SHIELD Act provisions relevant to healthcare organizations include:

  • Expanded definition of private information that includes biometric data and a username or email address combined with a password
  • Broader breach notification triggers, including unauthorized access to data, not just acquisition
  • Mandatory security program requirements including administrative, technical, and physical safeguards
  • Penalties up to $5,000 per violation for failure to comply with security requirements, with a cap of $250,000 for breach notification failures

The SHIELD Act’s security requirements parallel HIPAA’s Security Rule in many respects but apply to a broader range of data types and impose some obligations that exceed HIPAA’s provisions.

Texas: HB 300 and the Texas Medical Records Privacy Act

Texas enacted House Bill 300 in 2012, creating one of the most aggressive state health privacy laws in the country. Key provisions include:

  • Expanded definition of covered entities that goes beyond HIPAA’s categories to include any person who assembles, collects, or obtains PHI
  • Training requirements mandating that employees with access to PHI complete privacy training within 90 days of hire and every two years thereafter
  • Enhanced penalties, with civil penalties ranging from $5,000 to $250,000 per violation depending on severity
  • Consumer health privacy protections that apply to entities not covered by HIPAA, filling gaps in federal protection
  • Restrictions on electronic disclosure, with specific rules for transmitting health information electronically
  • State AG enforcement, with explicit authority for the Texas Attorney General to investigate violations and pursue penalties

Texas HB 300 is especially significant because it extends privacy obligations to entities that fall outside HIPAA’s covered entity and business associate framework, creating a broader protective net for patient health information.

Massachusetts: 201 CMR 17.00

Massachusetts 201 CMR 17.00 establishes comprehensive data protection requirements for any entity that owns or licenses personal information of Massachusetts residents. While not specific to healthcare, the regulation imposes requirements that affect healthcare organizations operating in the state:

  • Written Information Security Program (WISP) requirement with specific mandated elements
  • Encryption requirements for personal information transmitted wirelessly or stored on portable devices
  • Access control requirements including unique user IDs, secure authentication, and restrictions on access to records
  • Monitoring requirements for unauthorized access to or use of personal information
  • Vendor management obligations including contractual requirements for third-party service providers

Massachusetts 201 CMR 17.00 is notable for its prescriptive technical requirements, which in some areas exceed the flexibility that HIPAA’s Security Rule provides through its “addressable” implementation specifications.

Illinois: Biometric Information Privacy Act (BIPA)

Illinois' Biometric Information Privacy Act (BIPA) is the strictest biometric data law in the country. Healthcare organizations are not exempt. BIPA applies to any private entity that collects, captures, purchases, or otherwise obtains biometric identifiers — including retinal scans, fingerprints, voiceprints, and facial geometry — from Illinois residents.

Key BIPA requirements that go beyond HIPAA:

  • Written informed consent is required before collecting any biometric data — HIPAA has no equivalent requirement for biometric identifiers
  • Written retention and destruction policy must be publicly available before collection begins
  • No sale or profit from biometric data — organizations cannot sell, lease, trade, or profit from biometric identifiers under any circumstances
  • Private right of action with statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation — plaintiffs do not need to show actual harm

Healthcare organizations in Illinois using biometric time clocks, fingerprint-based EHR login, or retinal scanning for access control must comply with BIPA independently of their HIPAA obligations. See our Illinois HIPAA compliance guide for state-specific requirements.

Washington: My Health MY Data Act (2023)

Washington's My Health MY Data Act (MHMD), effective March 2024 for large businesses and June 2024 for small businesses, is the first U.S. state law specifically targeting consumer health data outside the HIPAA ecosystem. It is among the most significant state health privacy developments since HIPAA itself.

Key provisions:

  • Scope beyond HIPAA: MHMD covers any entity that conducts business in Washington or targets Washington consumers — regardless of HIPAA covered entity status. Apps, wellness platforms, and data brokers that handle health data fall under MHMD even if they are not subject to HIPAA.
  • Consent required for collection and sharing: Organizations must obtain consumer consent before collecting or sharing consumer health data — a requirement with no direct HIPAA equivalent for non-covered entities.
  • Right to deletion: Consumers can demand deletion of their health data and require that the organization direct third parties to delete it as well.
  • Geofencing prohibition: MHMD prohibits geofencing around healthcare facilities for the purpose of identifying, tracking, or targeting individuals seeking healthcare services.
  • Private right of action through the Washington Consumer Protection Act, with potential for class actions.

Nevada: SB370 Health Data Protections (2023)

Nevada Senate Bill 370 (effective October 2023) added health data protections to Nevada's existing privacy framework. Like Washington's MHMD, SB370 is designed to reach consumer health data outside the HIPAA ecosystem.

Key requirements:

  • Consumer consent required before selling health data or sharing it for targeted advertising
  • Right to opt out of the sale of health data
  • Applies to non-HIPAA entities including apps, wellness services, and data brokers operating in Nevada or targeting Nevada residents
  • Enforcement by the Nevada Attorney General — no private right of action under SB370 itself

Connecticut: CTDPA Sensitive Health Data Provisions (2023)

Connecticut's Data Privacy Act (CTDPA), effective July 2023, classifies health data as sensitive data and imposes opt-in consent requirements for its processing. CTDPA applies to businesses that process the personal data of 100,000 or more Connecticut residents per year, or that derive more than 25% of gross revenue from selling personal data and process data of 25,000 or more residents.

Relevant provisions for healthcare-adjacent organizations:

  • Opt-in consent required before processing sensitive health data — stricter than HIPAA's treatment, payment, and operations carve-outs
  • Right to opt out of the sale of personal data and targeted advertising
  • Data minimization requirements — only collect data adequate, relevant, and necessary for the stated purpose
  • Exemption for HIPAA-covered data — data actually protected under HIPAA is exempt, but consumer health data outside the HIPAA framework is not

Florida: Breach Notification and HB 1547

Florida combines HIPAA-overlapping breach notification rules with a 2023 digital privacy law that affects healthcare-adjacent technology companies. Florida's breach notification law requires notice within 30 days of breach determination — half of HIPAA's 60-day window — and mandates notification to the Florida Attorney General for breaches affecting 500 or more individuals.

Florida HB 1547 (Digital Bill of Rights, effective July 2024) applies to large data controllers and includes health data protections for consumers whose data is processed outside the HIPAA framework. Covered organizations must provide opt-out rights for the sale of sensitive personal data, which includes health information. See our Florida HIPAA compliance guide for complete state requirements.

State Privacy Laws vs. HIPAA: Quick Reference Table

The following table summarizes key divergences between HIPAA and major state health privacy laws. This is a reference summary, not legal advice. Consult healthcare compliance counsel for jurisdiction-specific guidance.

| State | Key Law(s) | How It Exceeds HIPAA | Applies to Non-HIPAA Entities? |
| --- | --- | --- | --- |
| California | CMIA, CCPA/CPRA | Records within 15 days (vs. HIPAA's 30); private right of action; broader marketing restrictions; consumer health data covered by CPRA even outside HIPAA | Yes (CPRA) |
| Texas | HB 300, TMRPA | Covers vendors and contractors regardless of HIPAA status; stricter employee training requirements; broader definition of covered entities | Yes |
| New York | SHIELD Act, PHIPA | Expanded breach definition; mandatory AG notification for large breaches; applies to any business holding NY residents' data | Yes |
| Florida | Breach Law, HB 1547 | 30-day breach notification (vs. HIPAA's 60 days); mandatory AG notification for breaches ≥500 individuals; HB 1547 digital privacy rights for large data controllers | Partial (HB 1547) |
| Illinois | BIPA | Written consent required for all biometric data collection; no sale of biometrics permitted; $1,000–$5,000 statutory damages per violation without showing actual harm | Yes |
| Washington | My Health MY Data Act (2023) | First U.S. law specifically targeting consumer health data outside HIPAA; consent required for collection and sharing; geofencing prohibition near healthcare facilities; right to deletion | Yes — primary target |
| Nevada | SB370 (2023) | Health data consent required for sales and targeted advertising; applies to non-HIPAA consumer health apps and wellness platforms | Yes |
| Connecticut | CTDPA (2023) | Opt-in consent required for sensitive health data; data minimization requirements; sale opt-out rights; HIPAA-covered data is exempt but consumer health data is not | Yes |
| Maryland | MHPA | Stricter disclosure rules for mental health records than HIPAA; higher bar for consent to share psychiatric records with third parties | No |
| Colorado | CPA + Breach Law | 30-day breach notification; CPA sensitive data provisions apply opt-in consent requirements for health data processing outside HIPAA | Partial (CPA) |
| Massachusetts | 201 CMR 17.00 | Prescriptive technical security requirements including specific encryption mandates for portable devices and wireless transmission; WISP requirement with specific elements | Yes (any entity with MA residents' data) |

Key takeaway: If your organization operates in California, Texas, Washington, or New York, you almost certainly face requirements that go beyond HIPAA alone. If you handle consumer health data through apps, wellness services, or non-clinical platforms, Washington, Nevada, and Connecticut laws may apply regardless of your HIPAA status.

Breach Notification Variations by State

The Patchwork of State Rules

Every U.S. state and territory has enacted its own breach notification law, creating a complex patchwork that healthcare organizations must navigate when a data breach occurs. While the HIPAA Breach Notification Rule provides a federal baseline, state laws often impose additional or different requirements.

Key areas where state breach notification laws vary:

  • Definition of personal information that triggers notification obligations
  • Definition of breach, including whether unauthorized access alone is sufficient or whether acquisition is required
  • Notification timeframes ranging from “most expedient time possible” to specific day counts (30, 45, 60, or 72 hours in some states)
  • Notification recipients including individuals, state regulators, consumer reporting agencies, and in some states the state Attorney General
  • Content requirements for notification letters, with some states mandating specific information elements
  • Substitute notice methods available when direct notice is impractical
  • Safe harbor provisions for encrypted data, with variations in what qualifies as adequate encryption

States with Notably Stringent Rules

Several states stand out for breach notification requirements that significantly exceed the federal HIPAA standard:

  • Colorado requires notification within 30 days of breach discovery, considerably shorter than HIPAA’s 60-day window
  • Florida requires notification within 30 days and mandates notice to the state Attorney General for breaches affecting 500 or more individuals
  • New York requires notice to the Attorney General, Department of State, and Division of State Police when a breach exceeds certain thresholds
  • Oregon requires notification within 45 days and mandates notice to the Attorney General for any breach, regardless of size

Healthcare organizations must track the breach notification requirements for every state in which they have patients or hold personal information. A breach affecting patients in multiple states can trigger dozens of different notification obligations simultaneously.

Reproductive Health Privacy: The Post-Dobbs Compliance Landscape (2025–2026)

No area of health privacy law has moved faster than reproductive health data since the Supreme Court's 2022 Dobbs decision. As of 2026, both federal rule updates and a wave of state legislation have created a complex and rapidly evolving compliance requirement for covered entities and non-HIPAA health data holders alike.

The HHS Reproductive Health Privacy Rule (Compliance Deadline: February 16, 2026)

The Department of Health and Human Services issued a final rule in 2024 prohibiting HIPAA covered entities and business associates from using or disclosing protected health information related to lawful reproductive health care when the purpose of the request is to investigate or impose liability on an individual for seeking, obtaining, providing, or facilitating that care.

Key requirements that took effect February 16, 2026:

  • Prohibition on PHI disclosure to law enforcement when the purpose is to investigate or penalize individuals for seeking lawful reproductive care — even in response to a subpoena or court order from another state
  • New attestation requirement: When a covered entity receives a request for PHI potentially related to reproductive health care, the requesting party must attest that the PHI will not be used for prohibited purposes
  • Notice of Privacy Practices update required: Every covered entity's NPP must be updated to describe the new prohibition. Organizations that have not updated their NPP since February 2026 may already be out of compliance
  • Workforce training: All staff who handle PHI requests — including medical records, billing, and front desk — must be trained on the new prohibition and the attestation process

State-Level Reproductive Health Data Protections

Several states have enacted additional reproductive health data protections that extend beyond the HHS rule, often reaching non-HIPAA entities:

  • California: AB 352 (2023) prohibits covered entities from disclosing PHI in response to out-of-state law enforcement requests related to lawful reproductive care. The California CMIA independently restricts sharing reproductive health information.
  • Washington: The My Health MY Data Act explicitly includes reproductive health data in its definition of "consumer health data" and extends protections to apps, period trackers, and wellness platforms — entities not covered by HIPAA at all.
  • Colorado: Colorado's CCCPA and a 2023 executive order restrict state agencies from cooperating with out-of-state investigations into reproductive health care.
  • Illinois: The Illinois Reproductive Health Act prohibits disclosure of patient information related to reproductive health services sought or obtained in Illinois.

Practical steps for covered entities in 2026:

  1. Confirm your Notice of Privacy Practices has been updated to reflect the HHS reproductive health privacy rule
  2. Update your law enforcement disclosure protocols to include a reproductive health care analysis step before any disclosure
  3. Train workforce members on the attestation requirement and what requests must be declined
  4. If you operate a consumer-facing health app or wellness platform in Washington, Nevada, or California, assess whether the My Health MY Data Act, SB370, or CPRA applies to your reproductive health data independently of HIPAA

Multi-State Compliance Strategies

Building a Unified Compliance Framework

Organizations operating in multiple states need a systematic approach to managing overlapping and potentially conflicting privacy requirements. The most effective strategy is to build a compliance framework that meets the most stringent applicable standard across all jurisdictions.

Step 1: Identify all relevant jurisdictions. Map every state in which your organization provides services, stores data, has employees, or has patients. Each jurisdiction may impose its own privacy and breach notification requirements.

Step 2: Conduct a comparative analysis. For each major compliance area (consent, access rights, breach notification, data security, patient rights), compare the HIPAA requirement with the applicable state requirements in each jurisdiction. Identify where state law is more stringent.

Step 3: Adopt the highest standard. Where practical, implement policies and procedures that meet the most stringent requirement across all relevant jurisdictions. This approach simplifies compliance by reducing the need for jurisdiction-specific variations.

Step 4: Maintain jurisdiction-specific procedures. For requirements that are truly jurisdiction-specific and cannot be generalized (such as specific breach notification recipients or state-mandated forms), maintain documented procedures that address each state’s unique requirements.

Step 5: Monitor legislative changes. State privacy laws are evolving rapidly. Assign responsibility for tracking new legislation and regulatory changes in every relevant jurisdiction, and update your compliance program as needed.

Practical Compliance Tips

  • Maintain a state law matrix documenting the key privacy and breach notification requirements for each state where you operate
  • Train staff on the strictest applicable standards rather than the minimum HIPAA requirements
  • Establish relationships with local counsel in states with especially complex requirements
  • Include state-specific provisions in Business Associate Agreements to ensure vendors comply with applicable state requirements, not just HIPAA
  • Document your preemption analysis showing how you determined which standard applies in each jurisdiction

For additional context on the federal HIPAA requirements that form the baseline for this analysis, see our guides on HIPAA Privacy Rule requirements and what is HIPAA.

State vs Federal HIPAA FAQ

Does HIPAA override all state health privacy laws?

No. HIPAA only preempts state laws that are contrary to HIPAA and less protective of patient privacy. State laws that provide greater privacy protections or grant patients additional rights are not preempted and must be followed in addition to HIPAA. This means healthcare organizations often must comply with both federal and state requirements simultaneously.

How do I determine which standard applies in a specific situation?

Conduct a provision-by-provision analysis comparing the HIPAA requirement with the applicable state law. If the state law is more stringent (prohibits something HIPAA permits, gives patients more rights, or requires more protections), follow the state law. If the state law is less protective than HIPAA, follow HIPAA. When in doubt, consult with legal counsel experienced in health privacy law.

Do state laws apply to business associates?

It depends on the state. HIPAA applies to business associates through the federal framework. However, many state laws also impose obligations on entities that handle health or personal information, even if those entities are not HIPAA-covered entities or business associates. Texas HB 300, for example, applies to any person who assembles, collects, or obtains PHI, regardless of HIPAA status.

What happens if I comply with HIPAA but violate a more stringent state law?

You may face state-level enforcement action, civil penalties, and potentially private lawsuits under state law. HIPAA compliance does not provide a defense against state law claims when the state law imposes a higher standard. Some states allow individuals to sue directly for violations, creating liability exposure beyond what OCR enforcement alone would produce.

Are there states considering new health privacy laws?

Yes. The state privacy law space is evolving rapidly. Multiple states are considering or have recently enacted comprehensive privacy laws that affect healthcare data. Organizations should track legislative developments in every state where they operate and update their compliance programs as new laws take effect.

Does Washington's My Health MY Data Act apply to HIPAA-covered entities?

HIPAA-covered entities are partially exempt from the My Health MY Data Act, but only for data that is actually regulated under HIPAA. Any consumer health data that falls outside the HIPAA framework — such as data collected through a patient portal app that is not part of a covered entity's designated record set, or data collected before a patient establishes a treatment relationship — may still be subject to MHMD. Organizations operating in Washington should conduct a data mapping exercise to identify which data streams are HIPAA-covered and which may fall under MHMD.

What does the 2026 HIPAA reproductive health privacy rule require?

The HHS reproductive health privacy rule, with a compliance deadline of February 16, 2026, prohibits covered entities and business associates from using or disclosing PHI related to lawful reproductive health care when the purpose is to investigate or impose liability on individuals seeking or providing that care. The rule also requires a new attestation process for PHI requests that may involve reproductive health information and requires every covered entity to update its Notice of Privacy Practices. Organizations that have not completed these updates should treat this as an immediate compliance gap.

Does Texas HB 300 apply to my organization if we are not a Texas-based covered entity?

Texas HB 300 applies to any person who engages in the assembling, collecting, analyzing, using, evaluating, storing, or transmitting of protected health information — without regard to whether the organization is a Texas-based covered entity or a HIPAA business associate. If you handle the PHI of Texas residents, even from another state, HB 300 may apply. The law also imposes employee training requirements that are stricter than HIPAA's general training mandate: Texas requires training that is specific to the relevant job duties of each employee.

Does Illinois BIPA apply to healthcare organizations?

Yes. Illinois BIPA applies to any private entity that collects, stores, or uses biometric identifiers or biometric information — and healthcare organizations are not exempt. Common healthcare use cases that trigger BIPA include fingerprint-based EHR login systems, biometric time clocks, and retinal scanning for secure access to medication dispensing systems. BIPA requires written informed consent before collection, a publicly available retention and destruction policy, and prohibits the sale of biometric data. Violations carry statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, with no requirement to show actual harm — a litigation risk that has produced significant class action activity in Illinois.

If we operate in multiple states, which state privacy law applies when there is a conflict?

In most cases, there is no true conflict — you simply apply the strictest relevant standard from each jurisdiction. The rule of thumb is to identify, for each compliance obligation (consent, access rights, breach notification, data retention), which state imposes the highest bar, and build your policy to meet that bar uniformly. True conflicts — where complying with one state's law makes it impossible to comply with another — are rare and generally require legal counsel to resolve. For breach notification specifically, when a breach affects individuals in multiple states, you must meet the shortest notification deadline among all affected states.

State vs Federal Law Takeaways

The intersection of state privacy laws and federal HIPAA rules creates a layered compliance challenge that demands careful analysis and ongoing vigilance. Healthcare organizations that operate across state lines cannot rely on HIPAA compliance alone. They must identify, track, and comply with the more stringent state rules that apply in each jurisdiction where they serve patients or handle health information. As of 2026, the landscape has grown significantly more complex: Washington's My Health MY Data Act, the HHS reproductive health privacy rule, and new consumer health data laws in Nevada and Connecticut have expanded obligations far beyond the traditional HIPAA-covered entity universe.

One Guy Consulting specializes in helping healthcare organizations navigate multi-jurisdictional compliance obligations. From conducting state law reviews to building unified compliance frameworks that satisfy both HIPAA and applicable state requirements, our team ensures your organization meets its obligations in every jurisdiction. Contact us today to strengthen your compliance program across all the states where you operate.

Related: HIPAA requirements in California · HIPAA requirements in Florida · HIPAA requirements in Illinois · HIPAA requirements in New York · HIPAA requirements in Texas

Key stat: All 50 states plus Washington D.C. have enacted breach notification laws, while 20 states have comprehensive consumer privacy statutes as of 2026. For healthcare organizations operating across state lines, this creates a patchwork of obligations that layer on top of federal HIPAA requirements - each with different notification timelines, reporting thresholds, and enforcement mechanisms.
