When Does State Privacy Law Supersede HIPAA? A Practical Guide
The Short Answer
A state privacy law displaces HIPAA when it is contrary to HIPAA and more stringent, that is, when it gives individuals greater privacy protection than HIPAA does. Strictly speaking, such a state law is not preempted: both laws remain in force, and a covered entity must satisfy the stricter of the two. The preemption rule and its exceptions are codified at 45 CFR 160.203, with "contrary" and "more stringent" defined at 45 CFR 160.202. HIPAA sets a federal floor, not a ceiling; states are free to enact laws that go further in protecting health information and personal data.
How HIPAA Preemption Works
Under the general rule, HIPAA supersedes contrary state law, where "contrary" means a covered entity could not comply with both, or the state law stands as an obstacle to HIPAA's purposes. A state law that is not contrary is simply not preempted. A contrary state law still survives when one of these exceptions applies:
- The state law is more stringent than HIPAA. Under 45 CFR 160.202 this means it restricts a use or disclosure that HIPAA would permit, gives individuals greater rights of access or amendment, requires more information to be given to the individual, imposes narrower or more detailed consent or authorization requirements, requires longer retention or more detailed reporting of information, or otherwise provides greater privacy protection. Stricter penalties alone do not make a law more stringent.
- The state law provides for public health reporting (disease or injury, child abuse, birth, or death) or for public health surveillance, investigation, or intervention
- The state law requires a health plan to report, or to provide access to, information for management or financial audits, program monitoring and evaluation, or the licensure or certification of facilities or individuals
- The Secretary of HHS determines the state law is necessary to prevent health care fraud and abuse, to ensure appropriate state regulation of insurance and health plans, for state reporting on health care delivery or costs, or serves a compelling need related to public health, safety, or welfare; laws whose principal purpose is the regulation of controlled substances are covered by the same exception
Where State Comprehensive Privacy Laws and HIPAA Overlap
The 20 comprehensive state privacy laws tracked on this site generally exempt HIPAA-covered entities and data. However, the details matter:
Most State Privacy Laws Exempt HIPAA Data
Nearly all state comprehensive privacy laws — including California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), and others — exempt protected health information (PHI) that is already regulated under HIPAA. Some exempt the entire covered entity; others only exempt the specific data governed by HIPAA.
The Gap: Non-HIPAA Health Data
Here is where it gets important: state privacy laws do apply to health-related data that is not covered by HIPAA. Common examples include:
- Health data collected by fitness apps, wellness platforms, and wearable devices (not covered entities under HIPAA)
- Health information collected by employers outside of group health plans
- Data collected by health-related websites that are not covered entities or business associates
- Consumer health data collected by retailers, pharmacies (for non-prescription activities), or tech companies
Washington's My Health My Data Act
Washington State enacted the My Health My Data Act (MHMDA) in 2023 specifically to address the gap between HIPAA and consumer health data. Unlike the comprehensive privacy laws, it has no entity-level exemption: it exempts PHI regulated under HIPAA but reaches all other "consumer health data" a regulated entity handles, so a HIPAA-covered entity's non-PHI health data (a public-facing wellness app, for example) is still in scope. Nevada enacted a similar consumer health data law in 2023, and other states are considering targeted health data legislation.
Specific Areas Where State Laws Are Stricter Than HIPAA
Mental Health Records
Many states have laws that provide greater protections for mental health records than HIPAA requires. For example, some states require specific written consent before disclosing mental health treatment records, even when HIPAA might allow disclosure for treatment, payment, or operations.
Substance Abuse Records
The federal regulation 42 CFR Part 2 imposes confidentiality requirements on substance use disorder treatment records held by federally assisted programs that are stricter than the general HIPAA rules (a 2024 final rule aligned Part 2 more closely with HIPAA but did not eliminate the differences). Because Part 2 is federal, it is not a preemption question; it applies alongside HIPAA. Various state laws add further restrictions on top of both.
HIV/AIDS Status
Nearly every state has laws that provide heightened confidentiality protections for HIV/AIDS diagnosis and testing information, going well beyond HIPAA's general requirements.
Genetic Information
Several states have enacted genetic privacy laws that are more protective than HIPAA's provisions on genetic information (HIPAA treats genetic information as PHI and bars health plans from using it for underwriting). State laws may go further by requiring specific written consent for genetic testing or disclosure, and by restricting how insurers, employers, or researchers can use genetic data; Illinois's Genetic Information Privacy Act is one example.
Practical Guidance for Organizations
- Do not assume HIPAA compliance is sufficient — always check the specific state laws where your patients or customers reside
- Identify your non-HIPAA health data — fitness apps, wellness programs, and employee health surveys may fall under state privacy law
- Check state-specific consent requirements — especially for mental health, substance abuse, HIV, and genetic information
- Use our privacy law calculator to determine which state privacy laws apply to your organization based on your data practices
- Monitor state legislation — new health data laws like Washington's MHMDA are being introduced in additional states
This article provides general educational information and is not legal advice. Consult qualified legal counsel for guidance specific to your organization. Last updated: March 28, 2026.
Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.