What HIPAA Laws Protect vs State Privacy Laws (CMIA, HB300, CPRA): 2025 Guide
You face overlapping healthcare data privacy laws. This 2025 guide clarifies what HIPAA protects and how state privacy laws—California’s CMIA and CPRA, and Texas HB 300—extend or narrow duties. You’ll see what counts as Protected Health Information, where Patient Authorization is required, which Personal Information Exemptions apply, and how to build practical Electronic Health Records Safeguards.
HIPAA Privacy Rule Protections
Scope and permitted uses
HIPAA’s Privacy Rule protects “protected health information” (PHI) held by covered entities and business associates. It permits use and disclosure for treatment, payment, and health care operations (TPO) without individual authorization, while granting patients rights such as access and an accounting of disclosures. ([dol.gov](https://www.dol.gov/agencies/oalj/PUBLIC/RULES_OF_PRACTICE/REFERENCES/REGULATIONS/HIPAA_164_502?utm_source=openai))
Minimum necessary and incidental disclosures
Outside of treatment, you must limit PHI to the minimum necessary for the purpose, and apply safeguards to prevent inappropriate access; incidental disclosures are allowed only when these safeguards and the minimum necessary standard are in place. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html?utm_source=openai))
Federal floor and state preemption
HIPAA sets a federal floor. More stringent state health privacy rules are not preempted and can prevail where they provide greater privacy protections or rights. In practice, you must harmonize HIPAA with any stricter state requirement. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.203?utm_source=openai))
2025 update: reproductive health PHI
HHS finalized a rule in April 2024 to further restrict disclosures of PHI related to lawful reproductive health care, including an attestation requirement for certain requests. On June 18, 2025, a federal court vacated most of that rule; Notice of Privacy Practices updates remain, with compliance due February 16, 2026. Monitor litigation and adjust policies accordingly. ([aha.org](https://www.aha.org/news/headline/2024-04-22-ocr-finalizes-rule-prohibiting-certain-reproductive-health-care-disclosures?utm_source=openai))
HIPAA Security Rule Requirements
Administrative safeguards
Conduct a risk analysis, implement risk management, assign security responsibility, train your workforce, manage sanctions, and establish incident response. Your business associate contracts must ensure appropriate protections for ePHI. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.308?utm_source=openai))
Physical safeguards
Limit facility access, govern workstation and device use, and control media movement and disposal—so only authorized personnel access systems housing ePHI. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.310?utm_source=openai))
Technical safeguards and Electronic Health Records Safeguards
Enforce access controls (unique IDs, emergency access, automatic logoff), audit controls, integrity protections, authentication, and transmission security. In practice, use encryption, multifactor authentication, and detailed audit logging within your EHR to strengthen Digital Health Data Protection. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.312?utm_source=openai))
CMIA Coverage and Restrictions
What CMIA covers
California’s CMIA protects “medical information,” meaning individually identifiable data about a patient’s medical history, condition, or treatment, in any form, when held by providers, health plans, pharmaceutical companies, or contractors. ([law.justia.com](https://law.justia.com/codes/california/2010/civ/56-56.07.html?utm_source=openai))
Confidentiality and disclosures
CMIA requires Medical Information Confidentiality in creation, storage, and disposal, and generally prohibits disclosure without Patient Authorization, subject to specified exceptions (for example, court orders or patient access). EHR systems must preserve integrity and record who changed data and when. ([california.public.law](https://california.public.law/codes/civil_code_section_56.101?utm_source=openai))
CMIA Recent Amendments
AB 254 (2023): reproductive or sexual health application information
AB 254 extends CMIA to “reproductive or sexual health application information” collected by a “reproductive or sexual health digital service,” bringing certain apps and websites into CMIA’s protections and duties. This closes gaps where HIPAA may not apply. ([california.public.law](https://california.public.law/codes/civil_code_section_56.05?utm_source=openai))
AB 352 (2023): cross‑border sharing limits and data segregation
Effective January 1, 2024, CMIA largely prohibits sharing abortion-related medical information with out‑of‑state entities without valid authorization; by July 1, 2024, entities that store or maintain CMIA-covered records must enable controls to limit user access, segregate abortion, contraception, and gender‑affirming care data, and prevent cross‑border disclosure via EHR/HIE. ([cdph.ca.gov](https://www.cdph.ca.gov/Programs/CHCQ/LCP/Pages/AFL-24-03.aspx?utm_source=openai))
Exchange framework considerations
California’s Data Exchange Framework excludes abortion and abortion‑related data from required sharing, and implementers should align EHR capabilities to segment sensitive services accordingly. ([connectingforbetterhealth.com](https://connectingforbetterhealth.com/resources/securing-reproductive-health-care-privacy-in-california-considerations-for-ab-352-implementation/?utm_source=openai))
CPRA Exemptions and Applicability
What CPRA exempts
CPRA excludes: (1) CMIA‑governed medical information and HIPAA PHI; (2) providers and HIPAA covered entities only to the extent they handle patient information “in the same manner” as PHI; (3) business associates handling patient information as PHI; and (4) properly deidentified data derived from regulated sources. ([california.public.law](https://california.public.law/codes/civil_code_section_1798.146?utm_source=openai))
Reidentification and research carve‑outs
CPRA bars reidentifying deidentified patient data except for limited purposes (e.g., treatment, public health, research). Clinical trial and similar research data are separately exempt when specific conditions are met. ([california.public.law](https://california.public.law/codes/civil_code_section_1798.148?utm_source=openai))
Practical applicability
Even when PHI and CMIA data are exempt, CPRA typically still applies to nonexempt personal information your organization collects (for example, from websites, apps, or marketing), so you should maintain a Consumer Privacy program alongside HIPAA/CMIA compliance. ([dwt.com](https://www.dwt.com/blogs/privacy--security-law-blog/2023/01/privacy-healthcare-providers-hipaa?utm_source=openai))
Comparative Analysis of HIPAA and State Laws
Scope and covered entities
HIPAA applies to covered entities and business associates handling PHI; CMIA covers a wider set of holders of “medical information,” including certain digital health services; CPRA applies to for‑profit businesses meeting thresholds but carves out regulated health data; Texas HB 300 broadly defines “covered entity” under Texas law. ([law.justia.com](https://law.justia.com/codes/california/2010/civ/56-56.07.html?utm_source=openai))
Consent and disclosure standards
HIPAA allows TPO disclosures without authorization; CMIA is stricter and generally requires Patient Authorization except for defined exceptions; Texas HB 300 adds an authorization requirement for many electronic disclosures absent TPO or other legal basis. ([dol.gov](https://www.dol.gov/agencies/oalj/PUBLIC/RULES_OF_PRACTICE/REFERENCES/REGULATIONS/HIPAA_164_502?utm_source=openai))
Timelines and individual rights
HIPAA’s Right of Access requires action within 30 days (with one 30‑day extension); Texas HB 300 requires electronic health records to be provided within 15 business days when technically feasible—often faster than HIPAA. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.524?utm_source=openai))
Security expectations
HIPAA mandates risk‑based administrative, physical, and technical safeguards; CMIA imposes record‑integrity and audit‑trail requirements for EHRs; AB 352 adds segmentation and cross‑border access controls for specified sensitive services. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.312?utm_source=openai))
Preemption and “more stringent” rules
Where a state law provides greater privacy protection or rights, it generally takes precedence over HIPAA’s floor, so multi‑state health organizations must implement the most protective rule across overlapping workflows. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.203?utm_source=openai))
Implementing Compliance Controls
Build a unified, risk‑based program
Use a single control framework that maps HIPAA duties to CMIA, HB 300, and CPRA. Classify data into PHI, CMIA medical information, and nonexempt personal information to apply the right rule to each flow.
- Data mapping and minimization: inventory PHI/medical information and nonexempt CPRA data; enforce the minimum necessary standard for uses beyond treatment. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html?utm_source=openai))
- Electronic Health Records Safeguards: enforce role‑based access, audit logging, integrity controls, and encryption/MFA; retain audit trails and track changes. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.312?utm_source=openai))
- Segmentation for California sensitive services: configure EHR/HIE to segregate abortion, contraception, and gender‑affirming care data and to prevent cross‑border sharing absent authorization. ([cdph.ca.gov](https://www.cdph.ca.gov/Programs/CHCQ/LCP/Pages/AFL-24-03.aspx?utm_source=openai))
- Texas HB 300 steps: deliver privacy training within 90 days of hire; post electronic‑disclosure notices; require authorization for most electronic disclosures outside TPO; fulfill EHR access within 15 business days when feasible. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.101?utm_source=openai))
- Access rights operations: meet HIPAA’s 30‑day access clock and track state‑specific, shorter timelines; standardize responses and fees. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2050/how-timely-must-a-covered-entity-be/index.html?utm_source=openai))
- Vendor management: maintain business associate agreements and CPRA service provider/addendum terms; verify downstream controls and incident duties. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.308?utm_source=openai))
- CPRA program for nonexempt data: support rights to know, delete, correct, and limit sensitive personal information; maintain records of processing and risk assessments where appropriate. ([california.public.law](https://california.public.law/codes/civil_code_section_1798.146?utm_source=openai))
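As an added example (not code from the page or from Accountable), the following policy check applies the layered rules this section describes, with the HIPAA floor, CMIA, AB 352 segmentation and Texas HB 300 each evaluated and any denial governing; the record classes, service labels, request fields and sample values are constructed assumptions.

```python
"""Disclosure check layering the rules described on this page: HIPAA floor, CMIA,
AB 352 segmentation, Texas HB 300. Added example, not code from the page or any
project; the class labels, request fields and sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

TPO = {"treatment", "payment", "operations"}
# AB 352 categories the page says must be segregated in the EHR (assumed labels)
AB352_SENSITIVE = {"abortion", "contraception", "gender_affirming_care"}
# CMIA exceptions named on the page; extend the set per counsel's reading of the statute
CMIA_EXCEPTIONS = {"court_order", "patient_access"}

@dataclass(frozen=True)
class Request:
    classes: frozenset      # subset of {"phi", "cmia", "nonexempt_pi"} (assumed labels)
    service: str            # clinical category, e.g. "primary_care" or "abortion"
    purpose: str            # "treatment", "payment", "operations", "court_order", ...
    record_state: str       # state whose law governs the record
    recipient_state: str    # state of the receiving entity
    electronic: bool        # disclosed electronically (relevant to HB 300)
    authorized: bool        # valid patient authorization on file

def hipaa(r):   # federal floor: TPO permitted, anything else needs authorization
    if "phi" in r.classes and r.purpose not in TPO and not r.authorized:
        return "HIPAA: non-TPO disclosure requires authorization"

def cmia(r):    # California: authorization unless a defined exception applies
    if "cmia" in r.classes and r.purpose not in CMIA_EXCEPTIONS and not r.authorized:
        return "CMIA: patient authorization required"

def ab352(r):   # California: no cross-border sharing of sensitive-service data
    if (r.record_state == "CA" and r.service in AB352_SENSITIVE
            and r.recipient_state != "CA" and not r.authorized):
        return "AB 352: out-of-state disclosure of sensitive-service data blocked"

def hb300(r):   # Texas: electronic disclosures outside TPO need authorization
    if (r.record_state == "TX" and r.electronic and r.purpose not in TPO
            and not r.authorized):
        return "HB 300: electronic disclosure outside TPO requires authorization"

AUDIT_LOG = []  # audit-control requirement: every decision is recorded

def evaluate(r: Request) -> tuple[bool, list[str]]:
    """Apply every layer; any denial wins, so the most protective rule governs.
    Returns (allowed, reasons) and appends the decision to the audit log."""
    denials = [reason for rule in (hipaa, cmia, ab352, hb300) if (reason := rule(r))]
    AUDIT_LOG.append((datetime.now(timezone.utc).isoformat(), r, not denials, denials))
    return (not denials, denials)
```

A treatment disclosure of a California abortion record to an out-of-state recipient without authorization is denied by both the CMIA and AB 352 layers, while the same request with a valid authorization on file passes.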
Conclusion
Think “federal floor plus state layers.” HIPAA sets core privacy and security, while CMIA, AB 254, AB 352, CPRA, and HB 300 add stronger duties for Medical Information Confidentiality, Digital Health Data Protection, and consumer rights. Map your data, align controls to the strictest rule that applies, and operationalize state‑specific requirements within your HIPAA program.
FAQs
How do HIPAA laws differ from CMIA?
HIPAA governs PHI held by covered entities/business associates and permits TPO disclosures without authorization; CMIA protects “medical information” in a wider set of hands and generally requires Patient Authorization for disclosure unless a statutory exception applies. If CMIA is more stringent, it prevails over HIPAA’s floor. ([dol.gov](https://www.dol.gov/agencies/oalj/PUBLIC/RULES_OF_PRACTICE/REFERENCES/REGULATIONS/HIPAA_164_502?utm_source=openai))
What protections does HIPAA provide for electronic health records?
The Security Rule requires administrative (risk analysis, workforce training), physical (facility/device controls), and technical safeguards (access control, audit controls, integrity, authentication, transmission security). Implement role‑based access, audit logs, and encryption/MFA to harden EHR environments. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.308?utm_source=openai))
Which types of data are exempt under CPRA?
CPRA exempts CMIA medical information, HIPAA PHI handled by covered entities/business associates (and certain patient information they treat as PHI), and deidentified data derived from regulated sources; reidentification is generally prohibited except for limited purposes such as treatment, public health, or research. ([california.public.law](https://california.public.law/codes/civil_code_section_1798.146?utm_source=openai))
How do AB 254 and AB 352 amend CMIA protections?
AB 254 brings certain reproductive or sexual health apps and websites under CMIA by defining protected “reproductive or sexual health application information.” AB 352 restricts out‑of‑state sharing of abortion‑related information and requires EHR/HIE capabilities to limit access and segregate data for abortion, contraception, and gender‑affirming care (key dates: Jan 1, 2024 and July 1, 2024). ([california.public.law](https://california.public.law/codes/civil_code_section_56.05?utm_source=openai))