When does State Privacy Law Supersede HIPAA?
State privacy law supersedes HIPAA when a state law provides greater privacy protections for individually identifiable health information than HIPAA or when a state law provides individuals with more privacy rights than HIPAA. In such cases, the superseding standard or clause applies rather than the whole of the state privacy law.
Prior to the passage of HIPAA, there were no nationwide standards to protect the privacy and security of patients’ health information. The confidentiality of medical information was subject to a patchwork of state laws, federal statutes, and professional codes of conduct; and patients’ rights – and the ability to exercise them – often varied depending on where patients lived.
This resulted in a situation in which patients had unequal privacy protections. The privacy and security of health information could vary depending on what health conditions were involved and the organizations patients were dealing with. There were also cases in which patients avoided seeking care due to concerns that sensitive health information could be disclosed to employers and insurers.
HIPAA and Preemption
HIPAA addressed this situation by creating a federal floor of privacy and security standards that preempted state laws, unless a state law provides patients with greater protections or more rights. In such cases, only the more protective provisions of state law apply.
For example, if a state law stipulates that an authorization must be obtained before disclosing a certain health condition, but HIPAA permits the disclosure without an authorization, the state law applies – but only for disclosures of the stipulated health condition. For all other uses and disclosures of health information, HIPAA still applies.
In most cases, the laws with provisions that supersede HIPAA are not general state privacy laws. Usually, they are laws that have been introduced to protect specific types of healthcare information. Examples include:
- New York: Public Health Law Article 27-F requires written consent for the disclosure of HIV-related information.
- Virginia: the amended Consumer Protection Act prohibits disclosures of reproductive health data without explicit consent.
- Massachusetts: General Laws Ch. 123 § 36 restricts the disclosure of mental health facility records without patient consent.
Other state laws may extend what is considered Protected Health Information or prohibit the collection of specific identifiers. Examples include California SB81 which classifies patients’ place of birth and immigration status as medical information, and Texas SB1188 which prohibits the collection of patients’ credit scores and voter registration status by healthcare organizations.
When Does State Privacy Law Supersede HIPAA?
When considering when state privacy law supersedes HIPAA, most states that have enacted consumer privacy laws exempt covered entities and business associates in respect of Protected Health Information, but not necessarily in respect of information collected about patients that does not qualify as Protected Health Information.
For example, in California, HIPAA covered healthcare providers are exempted from complying with the California Consumer Protection Act (CCPA) in respect of information that qualifies as PHI under HIPAA or as medical information under CMIA.
However, there are many circumstances in which a covered healthcare provider could collect, process, and maintain information about patients that does not qualify as PHI or medical information. Examples include newsletter sign-ups, interactions with corporate social media accounts, credit card numbers used to pay parking fees, and video surveillance footage in non-clinical areas.
Note: Strictly speaking, because these examples are not examples of “HIPAA-regulated” activities, CCPA does not supersede HIPAA in these circumstances because HIPAA does not apply. Nonetheless, it may be important for workforce members to understand that personally identifiable non-health information may be subject to state privacy laws when it is not maintained in designated record sets with Protected Health Information even though it could be considered a “HIPAA identifier”.
Other State Laws to Consider when Developing HIPAA Policies
In addition to state laws that require authorizations for disclosures of Protected Health Information that would otherwise be permitted by HIPAA, and state privacy laws that require the protection of data that does not qualify as PHI, there are many other state laws that should be considered when developing HIPAA policies.
Laws such as California’s Patient Access to Health Records Act significantly reduce the amount of time healthcare organizations are allowed to respond to patient access requests. Similarly, Texas’ SB1188 allows immediate parental access to minors’ EHRs subject to privacy protections applied to sensitive information maintained in the EHR.
More likely to have an impact on the development of HIPAA policies is the growing number of states that have adopted regulations for the responsible use of artificial intelligence in healthcare. Many states now require the human review of AI outputs before they are used to diagnose illnesses or develop treatment plans, while several healthcare providers obtain patients’ consent before disclosing PHI to AI systems.
Mandatory Notifications and Data Breaches
Although a minor example of when state privacy law supersedes HIPAA, many states have mandated notification requirements for specific injuries or illnesses. Some require covered entities to report child abuse, tuberculosis, and STDs, while Texas requires healthcare providers to report gunshot wounds and Maryland requires that impairments which could affect a patient’s ability to drive are reported to the state’s Motor Vehicle Administration.
With regards to notification of a different nature, under HIPAA covered entities must notify HHS’ Office for Civil Rights and affected individuals if there is a breach of unsecured PHI – unless it can be demonstrated via a risk assessment there is a low probability of the breached PHI being compromised. In some states, not only does the “low probability” clause not apply, but breaches involving more than PHI have to be reported.
In Illinois, for example, breaches of biometric information have to be reported to the Illinois Department of Human Services regardless of whether the breached information could be used to identify an individual. In New York State, any unauthorized access to computerized data – even if the data does not contain health information – has to be reported to the New York State Attorney General, the Department of State, and the Division of State Police within ten days.
When Does State Law Preempt HIPAA Breach Notification Requirements?
One of the most common examples of when state laws preempt HIPAA is with regards to data breach notifications. The HIPAA breach notification requirements are that affected individuals must be notified of a data breach within sixty days of a data breach being discovered, regardless of the number of records breached or individuals affected.
There are many examples in which state law preempts the HIPAA breach notification requirements or only partially exempts covered entities and business associates from compliance. Examples of when state law preempts the HIPAA breach notification requirements include:
- In Connecticut, Conn. Gen. Stat. §36a-701b exempts covered entities and business associates from complying with the state’s breach notification requirements. However, the exemption is on the condition that, if a Social Security or tax identification number is stolen, identity theft protection is offered to all citizens of the state affected by the breach.
- In Minnesota, exemptions to Minn. Stat. §325E.61 apply to covered entities, but not to business associates. Although a specific timeframe for breach notifications is stated in the Statute, business associates notifying the State Attorney General of a breach affecting 500 or more individuals must also notify the appropriate nationwide consumer reporting agencies within 48 hours.
- In Puerto Rico, state law 10 LPRA §4051 preempts HIPAA by requiring covered entities and business associates to notify affected individuals and the Department of Consumer Affairs within ten days of a breach being identified. The failure to provide timely notifications can result in financial penalties of up to $5,000 per violation and exposes the organization to civil liabilities.
- In Vermont, HIPAA covered entities are excepted from complying with 9 VSA §§ 2430 and 2435 in respect of health and insurance data collected from an individual. However, there are no exceptions for payment data or data received (i.e., by a business associate for processing purposes), and affected individuals must be notified within 45 days.
- In Wisconsin, covered entities are excepted from complying with Wis. Stat. §134.98, but business associates are not; business associates that do not notify individuals of a data breach via a covered entity must issue breach notifications within 45 days of the breach being discovered. Other examples of when state law preempts the HIPAA breach notification requirements can be found on this link.
Why it is Important to Know When State Privacy Law Supersedes HIPAA
Although no single state privacy law supersedes HIPAA in its entirety, and many state privacy laws exclude HIPAA covered entities and business associates, elements of other, non-privacy state laws can still apply. Those elements require covered entities to implement more stringent privacy protections and to account for greater individual rights than HIPAA provides.
It is important to know when state privacy law supersedes HIPAA because State Attorneys General have the authority to impose fines for violations of state laws other than HIPAA. Some state laws also provide a private right of action that allows individuals to claim damages in the event of a data breach, using HIPAA to demonstrate the expected standard of care in civil proceedings.