State Laws vs HIPAA – What You Need to Know

June 8, 2020

When it comes to regulations surrounding the privacy and security of health information, federal HIPAA laws are typically the golden rules to follow. But did you know that many states have their own laws surrounding patient rights, data privacy, and medical records which sometimes overrule the federal guidelines? These state laws either predate the enactment of HIPAA or were passed to create stricter safeguards and typically focused on technology use. We understand HIPAA laws are confusing, and ensuring that you’re following the rules only becomes a little harder when it’s not crystal clear which rules are the ‘right’ ones. 

It’s important to note that when HIPAA laws and state laws go head to head, HIPAA typically comes out on top. But like most things, there are some exceptions to the rule where the state law takes precedence. These specific instances include: 

  • If there is no HIPAA law on a specific subject – some states have laws specifically for medical privacy, patient access, and other subjects that are either more broadly covered or not regulated at all under HIPAA.
  • The state law is more stringent than federal HIPAA laws. These “more stringent” laws often have to do with authorization or consent procedures that are more specific than what is covered under HIPAA as well as certain timeframes for reporting or providing records to patients that may be shorter and stricter than federal law. 
  • There is an exception under HIPAA – oftentimes these exceptions have to do with serving needs related to the health, safety, and welfare of the general public such as the reporting of diseases or child abuse as well as conducting public health investigations or interventions. In some cases, these laws preempt HIPAA even if a state law is considered to be ‘less stringent.’

In HHS’ own words, “HIPAA provides a Federal floor of privacy protections for individuals’ individually identifiable health information,” basically meaning that any laws that are viewed to be ‘weaker’ than HIPAA regulations will be overruled. State laws will also be overruled if they contradict a HIPAA law. It’s not always easy to determine which laws are stricter and there are many areas of overlap between HIPAA regulations and state-specific laws. To try and give some clarity, here are some topics that commonly conflict each other: 

  • Specific numbers that regulate time frames and monetary fines. Often the amount of time practices have for reporting breaches or responding to patient record requests vary from state to state and can be considered more stringent than HIPAA’s time frame.
  • Uses and disclosures of PHI. Some permissible disclosure regulations under HIPAA are actually in violation of certain state laws. 
  • Patient rights. States such as California and New York have implemented laws that expand patient rights and access to their health information and therefore are considered to be more stringent than HIPAA.  
    • The map below provided by shows each state’s regulations for patient access to medical records – as you can see there are actually 13 states that have laws considered to be ‘stricter’ than HIPAA.  


As data privacy has become an increasing topic of concern, individual state’s as well as the federal government have been enacting stricter policies on matters that concern the security and privacy of electronic health information. More recently, events such as the COVID-19 public health emergency have been a catalyst for updating regulations to best meet the changing needs of the public. And as HIPAA laws, as well as state laws, have been under constant update, it’s harder for practices to keep up.

We know that HIPAA alone is confusing, especially when you add in state-specific rules and regulations, which is why Abyde dynamically generates policies and procedures specific to your practice and the state you’re located in if applicable. With Abyde you don’t have to worry about reading through pages of laws, determining whether there are any contradictions, and figuring out which law preempts the other – we’re here as your HIPAA experts to help do so for you!

While we know HIPAA like the back and maybe even front of our hand, there may be laws outside of HIPAA that impact your practice and overall operations – this blog article shouldn’t be considered legal advice, and we always recommend consulting with a legal team regarding your practice’s legal needs!