State Privacy Laws Beyond HIPAA That Healthcare Providers Miss

Luma Team

HIPAA Is the Floor, Not the Ceiling

The HIPAA Privacy and Security Rules establish a federal baseline for health data protection. What most providers don't internalize is that they're a floor — states can and do go further. HIPAA explicitly says so: where a state law is more protective of patient privacy than HIPAA, the state law controls.

In 2026, at least a dozen states have enacted privacy laws with meaningful healthcare implications. Four in particular have requirements that apply to providers operating in those states or serving patients who are residents, and the differences from HIPAA are not minor.

California: CCPA/CPRA

The California Consumer Privacy Act (CCPA), strengthened by the 2020 Proposition 24 amendments that created the CPRA, is the most comprehensive consumer privacy law in the country. Healthcare providers need to understand both what it covers and its exemptions.

HIPAA-covered entities are partially exempt from CCPA when they handle health information in their capacity as a covered entity. The exemption is narrower than most providers assume: it covers health information collected and used for treatment, payment, and healthcare operations — the traditional HIPAA use cases. It does not broadly exempt a provider's entire data ecosystem.

The tricky area is the non-clinical data a provider collects: website analytics, marketing data, patient portal behavior, and appointment scheduling data. CCPA applies to this data even at a HIPAA-covered entity. Providers with websites, patient apps, or marketing operations therefore have CCPA obligations they often don't think of as healthcare compliance requirements.

CPRA added a new category: sensitive personal information. This includes health information, but also racial or ethnic origin, genetic data, and biometric data. Consumers have the right to limit use of sensitive personal information, and businesses must disclose it clearly. The California Privacy Protection Agency can enforce violations, and consumers have a private right of action for certain data breaches.

The practical gap for most providers: they have solid HIPAA compliance programs and almost no CCPA compliance program. If you serve California patients and have a website, a mobile app, or any marketing function, you have CCPA obligations.

Texas: THIPA

The Texas Health Privacy Act has been on the books longer than most providers realize and has a broader scope than HIPAA. Texas defines "covered entity" more expansively than the federal law — it covers any person who engages in a business, professional practice, or other activity for which the entity maintains PHI.

That broader definition captures entities that would not be HIPAA-covered: personal wellness apps, fitness trackers, direct-to-consumer health services, and certain employer health programs. But it also creates compliance obligations for HIPAA-covered entities on data that sits outside the HIPAA framework.

Texas also has stronger patient rights provisions. Patients can request restrictions on certain uses of their health information and have broader rights to access and correct records. Violations can result in civil penalties up to $5,000 per violation per day, which can compound quickly for systematic failures.

Texas's law is also notable for applying to the sale of PHI. Selling or receiving anything of value in exchange for health information is restricted in ways that go beyond HIPAA's payment rules. This has implications for analytics vendors, data brokers, and research partnerships.

Washington: My Health My Data Act

Washington's My Health My Data Act is the most aggressive state health privacy law currently in effect. It passed in 2023 and applies broadly to consumer health data — and it has teeth that HIPAA lacks: a private right of action that lets individuals sue directly for violations.

The law defines "consumer health data" expansively: any personal information that is linked or reasonably linkable to a consumer and identifies their past, present, or future health conditions, treatment, medications, or attempts to obtain health services. That definition covers information that HIPAA would not — including health-related search queries, fitness data from wearables, and any data derived from non-clinical sources that reflects health information.

Key requirements: organizations must obtain affirmative consent before collecting consumer health data, must provide a privacy policy specifically addressing health data, and must delete consumer health data on request. Geofencing near healthcare facilities to target consumers is explicitly prohibited.

The private right of action is the part providers should take most seriously. Unlike HIPAA, which only lets OCR enforce violations, Washington residents can sue directly. Class actions are possible. The litigation exposure is real and already producing cases.

For providers with patients in Washington — including telehealth providers who serve Washington residents from outside the state — this law applies. The state of the patient, not the state of the provider, determines applicability.

Colorado: Colorado Privacy Act

The Colorado Privacy Act (CPA) follows the general structure of CCPA but with some meaningful differences. It applies to controllers that process personal data of 100,000 or more Colorado residents per year, or 25,000 or more residents with some form of revenue derived from that data.

Healthcare-specific note: Colorado's law has a HIPAA exemption similar to California's — but again, the exemption is narrower than providers often assume. It covers health information regulated under HIPAA, but not a provider's broader data operations. Website data, marketing data, and non-clinical patient data are not exempt.

Colorado adds a notable requirement that California does not: universal opt-out signals. Starting in 2024, businesses subject to the CPA must honor universal opt-out signals from browsers and devices. If a Colorado patient uses a browser with a global privacy control enabled and visits your website, you're required to honor that signal and stop selling or sharing their data.

The Key Differences That Catch Providers Off Guard

A few patterns emerge across these state laws that differ materially from HIPAA:

Broader definitions of health data. HIPAA defines PHI around specific identifiers and healthcare transactions. State laws often define health data to include anything relating to someone's health status — including inferred data, behavioral data, and data derived from non-clinical sources. Fitness app data, period tracking data, and browsing patterns around health topics can fall under state laws even though they'd never touch HIPAA.

Consumer rights that HIPAA doesn't provide. The right to deletion is the biggest example. HIPAA gives patients limited rights to restrict certain uses of PHI and to correct inaccurate records. State laws like CCPA and Washington's law give consumers the right to demand deletion of their data. For a healthcare provider, satisfying a deletion request while maintaining legally required medical records is a genuine operational challenge.

Private rights of action. HIPAA enforcement runs through OCR. States like Washington give individuals a direct path to sue. This changes the litigation risk profile entirely. You're not just managing a federal agency investigation — you're managing potential class action exposure.

Explicit restrictions on health data sales. Multiple state laws restrict or prohibit selling health data even in cases where HIPAA would permit it. Data partnerships, analytics vendors, and research agreements need review against state law, not just HIPAA.

What Multi-State Providers Need to Do

The first step is actually knowing which state laws apply. The answer isn't "where your practice is located." Telehealth providers, multi-state health systems, and any organization with a consumer-facing web presence need to map their patient geography and assess which state laws reach them.

Second, the HIPAA exemption analysis needs to be done carefully. Assuming state law doesn't apply because you're HIPAA-covered is a common and costly mistake. The exemptions are specific and narrow.

Third, data practices that are compliant under HIPAA need state-law review. Website analytics, marketing operations, patient-facing apps, wellness programs, and data sharing arrangements may be HIPAA-clean and state-law violations at the same time.

Where De-Identification Helps Again

The same logic that makes Safe Harbor de-identification attractive for HIPAA compliance applies here. State laws follow HIPAA's approach to de-identification in most cases: properly de-identified data falls outside the definition of health data subject to the law.

At Luma, the Safe Harbor de-identification architecture means that the data entering the AI layer doesn't meet the definition of protected health information under HIPAA or the broader consumer health data definitions in state laws. The compliance analysis gets simpler when you're not dealing with identifiable health data in the first place.

It's not a solution to every state law challenge — a provider still needs to manage their website data, their marketing operations, and their broader patient data ecosystem. But for the specific question of AI tool compliance, starting with de-identified data sidesteps a significant layer of multi-state legal complexity.

This Landscape Is Still Moving

As of early 2026, more than 20 states have comprehensive privacy laws in some stage of enactment or enforcement. The healthcare-specific provisions are getting stricter with each new legislative cycle, not more lenient. Federal comprehensive privacy legislation has stalled repeatedly, which means the patchwork of state laws is likely to remain the operating environment for the foreseeable future.

Treating HIPAA as the complete picture of your privacy compliance obligations stopped being accurate several years ago. The question now isn't whether additional state laws apply — it's which ones, and whether your organization has a plan for each of them.


Sources:
California AG — CCPA/CPRA Overview
Washington My Health My Data Act — RCW 70.372
Colorado Privacy Act — SB 21-190
HHS — HIPAA and State Preemption
IAPP — US State Privacy Legislation Tracker