HIPAA vs. State Privacy Laws: When State Rules Win (2026)
By ComplyCreate Editorial Team · Published Apr 24, 2026 · Last reviewed Apr 24, 2026
Many healthcare organizations assume that "being HIPAA compliant" is sufficient. For organizations operating only in states without stricter laws, this may be true. But several states — including California, Washington, Texas, New York, Illinois, and Massachusetts — have enacted health privacy laws that exceed HIPAA's protections in important respects. In those states, HIPAA sets the floor, not the ceiling.
The HIPAA Preemption Framework: 45 CFR § 160.203
Under 45 CFR § 160.203, HIPAA generally preempts contrary state law — meaning a state law that is in conflict with HIPAA's requirements cannot be enforced to the extent of the conflict. However, three exceptions preserve state law:
- More stringent state laws: State laws that are more stringent than HIPAA — providing greater privacy protections or greater patient rights — are not preempted. The covered entity must comply with the state law.
- State law necessary for state regulation of health insurance plans: HHS may determine that certain state insurance laws must remain in effect.
- State laws related to reporting disease or injury, vital statistics, or public health surveillance: These are generally not preempted.
The practical result: HIPAA is a federal floor. Where state law is higher, the state standard governs. Where HIPAA is higher, HIPAA governs. Organizations must implement the most protective standard applicable in each state where they operate.
Key States with Stricter Health Privacy Laws
California — Confidentiality of Medical Information Act (CMIA)
California's CMIA (Cal. Civ. Code §§ 56–56.37) applies to providers, health plans, and their contractors. It provides stricter protections for sensitive categories of health information — including mental health records, substance abuse records, HIV/AIDS information, and reproductive health information. Providers who share medical information without proper authorization face civil liability up to $250,000 per violation. The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) add further requirements for health data held by non-HIPAA entities. California's new reproductive health privacy regulations (effective 2024) impose strict limits on sharing information related to abortion, contraception, and related care.
Washington — My Health My Data Act
Effective March 31, 2024, Washington's My Health My Data Act (MHMD Act) covers "consumer health data" far more broadly than HIPAA. The MHMD Act applies to any entity that collects, shares, or processes consumer health data of Washington residents — including fitness apps, wellness platforms, and consumer technology companies that are not HIPAA covered entities. The Act requires authorization before collecting or sharing consumer health data, grants consumers the right to withdraw consent, and prohibits selling consumer health data without affirmative consent. Penalties include up to $7,500 per intentional violation. The MHMD Act significantly expands the definition of health data beyond HIPAA's 18 identifiers.
Texas — Health & Safety Code Chapter 181
Texas Health and Safety Code Chapter 181 applies to "covered entities" as defined by Texas law, which includes entities that are not HIPAA covered entities — including health researchers, certain school health programs, and entities contracting with covered entities. Texas requires written authorization for most uses and disclosures of protected health information, similar to HIPAA, but with some differences in scope. Violations of Chapter 181 can result in civil penalties of up to $1.5 million per year per violation category; enforcement is by the Texas Attorney General.
New York — Public Health Law Article 27-F (HIV/AIDS)
New York's HIV/AIDS confidentiality law (Public Health Law Art. 27-F) provides some of the strictest HIV-related health privacy protections in the country. It requires written authorization for disclosure of HIV-related information in most circumstances, beyond what HIPAA's general privacy framework requires. Providers treating patients with HIV in New York must comply with both HIPAA and Article 27-F, applying the more stringent standard in each case.
Illinois — Biometric Information Privacy Act (BIPA)
Illinois's BIPA (740 ILCS 14) governs collection, use, and storage of biometric identifiers — including fingerprints, retinal scans, face geometry, and voice prints. Healthcare organizations that collect biometric data from patients or employees in Illinois must comply with BIPA's requirements: informed written consent, a written data retention and destruction policy, and prohibitions on selling or profiting from biometric data. BIPA violations carry substantial statutory damages ($1,000–$5,000 per violation) and have generated significant class action litigation. That HIPAA lists biometric identifiers among the PHI identifiers does not satisfy BIPA's separate consent and disclosure requirements.
Massachusetts — 201 CMR 17 (Data Security Regulations)
Massachusetts 201 CMR 17 requires businesses that store personal information of Massachusetts residents — including health information — to implement a written comprehensive information security program (WISP) with specific technical requirements: encryption of personal information in transit, secure user authentication, access controls, and regular security awareness training. These requirements overlap with HIPAA's Security Rule safeguards but in some respects exceed them, particularly the specifications HIPAA designates as addressable rather than required.
Practical Guidance for Multi-State Organizations
Identify Your State-Specific Obligations
For each state where you operate (where you treat patients, employ staff, or process data of residents), identify the applicable state health privacy laws and determine where they exceed HIPAA. Work with a healthcare attorney to map these requirements for your specific operations.
Update Your BAAs for State-Specific Provisions
Business Associate Agreements may need state-specific provisions — for example, incorporating California CMIA restrictions on mental health data, or Washington MHMD Act obligations for Washington-resident data. When generating BAAs, consider whether state-specific addenda are needed for your operating jurisdictions.
Update Your NPP for State Requirements
Your Notice of Privacy Practices may need to reference additional patient rights under applicable state law. California patients, for example, have additional rights under CMIA and CPRA. Including state-specific rights disclosures in your NPP reduces confusion and demonstrates good-faith compliance effort. See our HIPAA compliance checklist for a full documentation review framework.
Frequently Asked Questions
Does HIPAA preempt state law?
HIPAA preempts state laws that are contrary to HIPAA and less protective of patient privacy. However, under 45 CFR § 160.203, state laws that are more stringent (more protective) than HIPAA are not preempted — covered entities must follow the state standard. HIPAA is a federal floor, not a ceiling.
Which states have stricter health privacy laws than HIPAA?
California (CMIA, CCPA/CPRA), Washington (My Health My Data Act), Texas (Health & Safety Code Ch. 181), New York (Public Health Law Article 27-F for HIV), Illinois (BIPA for biometric data), and Massachusetts (201 CMR 17 for data security) all have health privacy laws that exceed HIPAA's requirements in important areas. This list continues to grow as states enact new health data privacy legislation.
What is the CCPA's relationship to HIPAA?
The CCPA explicitly exempts PHI subject to HIPAA and information maintained by HIPAA-covered entities and BAs. However, health data held by non-HIPAA entities (fitness apps, wellness programs, consumer health technology) may be subject to CCPA/CPRA even though it is not covered by HIPAA. Organizations must assess which law applies to which data flows.
What is Washington's My Health My Data Act?
Washington's MHMD Act (effective March 2024) covers "consumer health data" more broadly than HIPAA — applying to apps, consumer devices, and other non-HIPAA entities that collect health data from Washington residents. It requires affirmative authorization for data collection and sharing, prohibits selling health data without consent, and grants consumers the right to withdraw consent and delete data. Violations carry per-violation penalties up to $7,500.
How do I comply with both HIPAA and state law?
Apply the more protective standard. Identify all applicable state health privacy laws in your operating jurisdictions. For each requirement, implement the more stringent of HIPAA and the applicable state law. Update your NPP to reference applicable state patient rights. Consider state-specific addenda to your BAAs. Consult a healthcare attorney for a jurisdiction-specific compliance analysis.