Which State Laws Are More Stringent Than HIPAA? A Practical Compliance Guide


Kevin Henry

HIPAA

March 25, 2026


Definition of More Stringent State Laws

Under HIPAA’s preemption rules (45 CFR Part 160, Subpart B), a state provision is “more stringent” when, as to the specific matter it addresses, it gives the individual greater privacy protection or more rights over Protected Health Information (PHI), or restricts a use or disclosure that HIPAA would permit. The analysis is provision-by-provision, not all-or-nothing: a state statute can be more stringent on access deadlines and silent, or less protective, on everything else.

Typical signals of a more stringent rule include shorter Patient Access Rights timeframes, tighter caps on copying fees, broader rights to amend or restrict disclosures, stricter Written Consent Requirements, Secondary Use Restrictions that limit marketing or analytics, and narrower Health Information Disclosure Limits.

A state provision is “contrary” to HIPAA only when a covered entity cannot comply with both, or the state rule stands as an obstacle to HIPAA’s purposes. If both can be followed, both apply and no preemption question arises. If they genuinely conflict, the state rule is preempted unless it is more stringent or another listed exception applies, so in practice the standard that better protects the individual controls. This is the essence of Privacy Rule preemption.

Examples of More Stringent State Laws

The following State Privacy Statutes and health-specific laws commonly exceed HIPAA protections in defined areas. Always verify the exact provision and scenario before relying on them.

California – Confidentiality of Medical Information Act (CMIA)

CMIA (Civil Code §56 et seq.) applies to providers, health plans, contractors, and other entities that maintain medical information. It requires written authorization for many disclosures that HIPAA would permit and places tighter limits on marketing-related uses without explicit authorization. California’s separate patient access statute (Health & Safety Code §123110) also sets faster access timelines than HIPAA: inspection within five business days and copies within 15 days of a written request.

Texas – Health Privacy (HB 300; Texas Health & Safety Code ch. 181)

Texas generally requires electronic health records to be provided within 15 business days of a written request, well inside HIPAA’s 30-day baseline (which HIPAA allows to be extended once by a further 30 days). The law defines “covered entity” far more broadly than HIPAA does, mandates workforce privacy training (within 90 days of hire and at least every two years thereafter), and restricts certain secondary uses and sales of PHI without authorization.

Minnesota – Health Records Act

Minnesota requires patient consent for most disclosures of health records, including disclosures for treatment, payment, and health care operations that HIPAA permits without authorization, with narrow exceptions such as emergencies. It also imposes redisclosure limits that exceed HIPAA’s baseline.

New York – Public Health Law §18

New York requires providers to allow inspection of records within 10 days of a written request and to furnish copies within a reasonable time, caps per-page copying fees, and places additional conditions on access to certain sensitive records (for example, where disclosure could reasonably be expected to cause substantial harm). These fee rules and response mechanics can be more protective than HIPAA.

Washington – My Health My Data Act

This statute governs consumer health data that falls outside HIPAA. It generally requires opt-in consent to collect or share consumer health data beyond what is necessary to provide a requested product or service, a separate authorization for any sale of that data, grants deletion rights, and bars geofencing around facilities that provide in-person health care. A HIPAA covered entity is not exempt as an organization; only its PHI is. Non-PHI consumer health data, such as data from a wellness app, marketing site, or web analytics, can still be in scope.

Nevada – Consumer Health Data Privacy

Nevada’s law similarly regulates consumer health data outside HIPAA, requiring consent for certain collection and sharing and imposing detailed notice and governance duties on regulated entities and data brokers.

Topic-Specific State Protections

Many states impose heightened confidentiality for HIV/AIDS information, genetic data, reproductive health, mental health records, and substance use information. These often demand explicit written consent and prohibit redisclosure without fresh authorization.

HIPAA Preemption and Exceptions

General rule: HIPAA preempts contrary state privacy provisions unless the state rule is more stringent. This Privacy Rule preemption analysis is applied to the specific requirement at issue (for example, access timelines or disclosure permissions).

The exceptions in 45 CFR 160.203 allow state laws to stand even when not more stringent, including provisions requiring reporting of disease or injury, child abuse, births and deaths, and public health surveillance, investigation, or intervention, as well as state oversight activities such as licensure, audits, or program monitoring. HHS may also determine that a state provision should stand because it is needed to regulate insurance or health plans, prevent fraud and abuse, or address compelling public health, safety, or welfare needs.

Practical test: If you can comply with both, do both. If you cannot, choose the rule that maximizes individual privacy and rights, unless a listed exception applies. Document your reasoning.


Determining Applicability of State Laws

  • Identify your role and data: Are you a HIPAA covered entity or business associate, and is the data PHI, consumer health data, or something else?
  • Map geography: Consider the patient’s residence, where services occurred, where systems and vendors sit, and any telehealth touchpoints that cross state lines.
  • Locate the governing State Privacy Statutes and health-sector rules relevant to your operations. Flag items that affect Patient Access Rights, disclosure permissions, and consent.
  • Run a preemption analysis provision-by-provision. If a state standard is more protective, elevate it; if not, apply HIPAA unless a statutory exception controls.
  • Record decisions in a maintained matrix, assign owners, and set review cycles for legislative updates.

Greater Privacy Protections in State Laws

Patient Access Rights

States may require faster fulfillment (for example, 5–15 business days), mandate electronic delivery when feasible, and cap or prohibit certain fees. These provisions strengthen the individual’s control over PHI.

Written Consent Requirements

Some states demand written authorization for disclosures that HIPAA permits without one, including for treatment, payment, or operations, or for marketing and research. They may also require granular, revocable consent and redisclosure warnings.

Secondary Use Restrictions

Secondary uses such as advertising, data monetization, or cross-context behavioral analytics may be limited or require explicit opt-in. Certain laws bar geofencing or location-based tracking around sensitive sites.

Health Information Disclosure Limits

States often narrow who may receive information and under what conditions, segment especially sensitive data, and prohibit redisclosure without new authorization—going beyond HIPAA’s general permissions.

Compliance Responsibilities for Covered Entities

  • Establish a preemption matrix aligning HIPAA with each applicable state rule on access, consent, disclosures, and accounting.
  • Update Notices of Privacy Practices, authorizations, and release-of-information workflows to reflect stricter state standards.
  • Implement consent and segmentation controls in EHRs and data lakes; log disclosures and automate deadlines to meet shorter state timeframes.
  • Train the workforce on state-specific requirements and escalation paths; refresh training on a defined cadence.
  • Harden vendor management: update BAAs and data processing terms to honor state restrictions and pass-through rights.
  • Test incident response and breach notification playbooks for multi-state scenarios with differing content and timing requirements.
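The provision-by-provision test in the applicability steps above, and the “automate deadlines” and consent-check items in this responsibilities list, can be encoded so that each decision is reproducible and can be logged into the preemption matrix. The following Python is an added example written for this page, not code from the article or from Accountable. The rule table is constructed from the figures quoted in this article and is an assumption for the example, not a verified statutory lookup; the function names, the holiday handling, and the sample scenario are hypothetical.

```python
"""Provision-by-provision preemption helper: access deadlines and consent checks.

Illustrative only. The rule tables below are CONSTRUCTED from the figures quoted in
the article and are assumptions for this example, not a verified statutory lookup.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable


@dataclass(frozen=True)
class AccessRule:
    source: str          # "HIPAA" or a state label
    days: int            # response deadline
    business_days: bool  # count business days (skip weekends/holidays) or calendar days


@dataclass(frozen=True)
class ConsentRule:
    source: str
    needs_consent: frozenset  # disclosure purposes that require written consent/authorization


# Assumed values: HIPAA 30 calendar days; CA copies within 15 days; TX 15 business days;
# NY 10 days. States not listed here fall back to the HIPAA baseline.
ACCESS_RULES = {
    "HIPAA": AccessRule("HIPAA", 30, business_days=False),
    "CA": AccessRule("CA", 15, business_days=False),
    "TX": AccessRule("TX", 15, business_days=True),
    "NY": AccessRule("NY", 10, business_days=False),
}

# Assumed values: HIPAA needs authorization for marketing and sale; Minnesota also
# needs consent for treatment, payment and operations disclosures.
CONSENT_RULES = {
    "HIPAA": ConsentRule("HIPAA", frozenset({"marketing", "sale"})),
    "MN": ConsentRule("MN", frozenset({"treatment", "payment", "operations", "marketing", "sale"})),
}

# Purposes covered by the preemption exceptions for state-mandated reporting
# (disease/injury, child abuse, births and deaths): the state rule stands regardless.
STATE_MANDATED_REPORTING = frozenset({"disease_reporting", "child_abuse_reporting", "vital_records"})


def add_days(start: date, n: int, business: bool, holidays: frozenset = frozenset()) -> date:
    """Advance `start` by n calendar days, or by n business days (weekends and holidays skipped)."""
    if not business:
        return start + timedelta(days=n)
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


def access_deadline(request_date: date, jurisdictions: Iterable[str],
                    holidays: frozenset = frozenset()) -> tuple[date, str]:
    """Return (due date, controlling source) for an access request.

    Deadlines never truly conflict: meeting the earliest one satisfies every other rule,
    so the "can we comply with both?" answer is yes and the shortest clock is the one to
    automate. The source label is what goes into the preemption matrix as the rationale.
    """
    candidates = []
    for j in ["HIPAA", *jurisdictions]:
        rule = ACCESS_RULES.get(j)
        if rule is not None:
            due = add_days(request_date, rule.days, rule.business_days, holidays)
            candidates.append((due, rule.source))
    return min(candidates)  # earliest date wins; a tie on date is resolved by label


def consent_required(purpose: str, jurisdictions: Iterable[str]) -> tuple[bool, str]:
    """Decide whether written consent is needed before a disclosure for `purpose`.

    Consent rules are cumulative: if any applicable rule requires it, obtain it (both rules
    can be satisfied). State-mandated reporting is carved out by the preemption exceptions.
    """
    if purpose in STATE_MANDATED_REPORTING:
        return False, "preemption exception: state-mandated reporting"
    sources = [CONSENT_RULES[j].source for j in ["HIPAA", *jurisdictions]
               if j in CONSENT_RULES and purpose in CONSENT_RULES[j].needs_consent]
    return (True, ", ".join(sources)) if sources else (False, "HIPAA baseline")


if __name__ == "__main__":
    # Constructed scenario: request received 2026-03-25 by a Texas provider treating a
    # New York resident via telehealth, so both states' access rules are in play.
    print(access_deadline(date(2026, 3, 25), ["TX", "NY"]))
    print(consent_required("treatment", ["MN"]))
    print(consent_required("disease_reporting", ["MN"]))
```

Two design points carry over to a real implementation: the jurisdiction list should be derived from the geography mapping step (patient residence, place of service, vendor location) rather than from the provider’s home state alone, and the returned source label should be written to the disclosure log alongside the due date so the matrix entry and the operational deadline cannot drift apart.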

Variance across states raises enforcement exposure from attorneys general and state health departments, potential civil penalties, and—in some jurisdictions—private rights of action. Contract disputes and licensure issues can follow from inadequate state-specific compliance.

Multi-state operations face compounded risk during breaches or large record releases, where the strictest notification clock and content often become the practical standard. Telehealth and remote care amplify conflicts when patient and provider are in different states.

Mitigation hinges on building to the most protective applicable rule, documenting preemption decisions, and embedding state-specific configurations into systems and vendor contracts. Treat patchwork compliance as an ongoing program, not a one-time project. This overview is for general information and is not legal advice.

FAQs

What criteria define a state law as more stringent than HIPAA?

A state provision is more stringent when it affords greater privacy or individual control than HIPAA—such as shorter access deadlines, lower or barred copy fees, tighter Written Consent Requirements, stronger Secondary Use Restrictions, narrower Health Information Disclosure Limits, or enhanced rights to amend or restrict disclosures.

How does HIPAA preempt less stringent state laws?

HIPAA preempts contrary state provisions unless the state rule is more stringent or a specific exception applies. Core exceptions include state mandates for public health reporting and oversight activities. If both rules can be satisfied, you follow both; if not, apply the rule that best protects the individual, subject to exceptions.

Which states have laws stricter than HIPAA?

Common examples include California’s CMIA, Texas HB 300, the Minnesota Health Records Act, New York Public Health Law §18, and consumer health data statutes in Washington and Nevada. Many states also impose heightened rules for HIV, genetic, mental health, reproductive health, and substance use information.

How should covered entities comply with conflicting state laws?

Perform a provision-by-provision preemption analysis, adopt the most protective applicable rule as your default, and memorialize decisions in a living matrix. Update policies, workflows, and vendor terms accordingly, train staff, and automate deadlines and consent checks within your systems.
