Healthcare compliance · news-analysis

Practical Guide: HIPAA and state privacy law interactions

Lonia AI Team · 4 min read

HIPAA and State Privacy Laws: A 2025 Compliance Guide for Healthcare Organizations

Healthcare organizations must navigate an increasingly complex web of privacy regulations as state-level privacy laws multiply alongside HIPAA requirements. As of early 2025, twenty U.S. states have enacted comprehensive consumer privacy laws, with varying degrees of interaction with HIPAA compliance obligations. Understanding these intersections is crucial for healthcare providers, insurers, and business associates operating across multiple jurisdictions.

The Current Landscape: HIPAA and State Privacy Laws

State Privacy Law Evolution

The privacy regulatory landscape has transformed dramatically in recent years. While HIPAA has been the cornerstone of healthcare privacy for decades, state-level privacy laws are now creating additional compliance obligations. Key developments include:

  • Eight new state privacy laws taking effect across 2025-2026
  • Varying approaches to HIPAA entity exemptions across states
  • Enhanced enforcement at both federal and state levels
  • New specialized regulations for consumer health data outside HIPAA's scope

Types of HIPAA Exemptions

State privacy laws typically handle HIPAA-regulated entities in one of two ways. The distinction matters because it determines whether a covered entity's non-PHI data (marketing lists, website analytics, employee records, wellness-app data) falls under the state statute.

Entity-Level Exemptions:

  • Complete exemption from the state law for HIPAA covered entities (and, in some states, business associates)
  • Examples include Iowa, Montana, Nebraska, New Hampshire, and Tennessee
  • Simplifies compliance for HIPAA-covered entities
  • Covers all of the entity's personal data, PHI and non-PHI alike

Data-Level Exemptions:

  • Exempts only Protected Health Information (PHI) and other data already governed by HIPAA; the entity itself remains in scope
  • Examples include Delaware, Maryland, Minnesota, and New Jersey
  • Requires a separate compliance program for the non-PHI personal data the entity holds
  • More complex to implement and maintain, since the same organization handles data under two regimes

Understanding HIPAA Preemption in Practice

When HIPAA Prevails

Under the HIPAA preemption rules (45 CFR Part 160, Subpart B), HIPAA overrides a "contrary" state law, meaning one where:

  • A covered entity cannot comply with both the state and the federal requirement, or
  • The state law stands as an obstacle to the purposes of HIPAA

A contrary state law survives only if an exception applies, most commonly that it is more stringent than HIPAA. A contrary state law that provides less protection than HIPAA is therefore preempted.

When State Laws Take Precedence

HIPAA sets a floor, not a ceiling. A state law that is more stringent than HIPAA is not preempted and must be followed alongside it. Examples include:

  • Additional patient rights, such as broader access or deletion rights
  • Stricter security measures
  • Broader breach notification requirements (shorter deadlines, lower thresholds, or notice to the state attorney general)
  • Enhanced penalties for violations

Practical Compliance Steps for Healthcare Organizations

1. Assess Your Organization's Status

First, determine your exposure to various regulations:

  • Identify the states whose residents' data you collect or whose laws otherwise reach you
  • Review each state's applicability thresholds (revenue, share of revenue from selling data)
  • Estimate the number of each state's residents whose personal data you process
  • Document your HIPAA status for each data set: covered entity, business associate, or neither

2. Data Classification and Mapping

Create a comprehensive data inventory:

  • Categorize each data set as PHI or non-PHI, and note which exemption (if any) applies to it in each state
  • Map data flows across state lines, including flows to vendors and business associates
  • Identify systems that hold both PHI and non-PHI, since these need controls that satisfy both regimes
  • Document processing purposes and legal bases for each data set

3. Policy and Procedure Updates

Develop integrated compliance frameworks:

  • Update privacy notices to reflect state requirements
  • Implement data protection assessment procedures
  • Create state-specific disclosure protocols
  • Establish data minimization guidelines

4. Security Measure Enhancement

Strengthen security controls to meet both HIPAA and state requirements:

  • Encrypt PHI and other personal data at rest and in transit; many state breach-notification laws exempt properly encrypted data from notification
  • Deploy role-based access controls with logging of access to sensitive records
  • Establish incident response procedures that cover both HIPAA breach notification and the (often shorter) state deadlines
  • Conduct regular risk analyses and security assessments

State-Specific Compliance Considerations

States with Entity-Level Exemptions

For organizations operating in states with full HIPAA exemptions:

  • Document exemption status
  • Maintain HIPAA compliance program
  • Monitor state law changes
  • Prepare for potential exemption modifications

States with Data-Level Exemptions

Organizations in these jurisdictions must:

  • Separate PHI and non-PHI data management
  • Implement dual compliance programs
  • Conduct regular data classification reviews
  • Maintain distinct security protocols

Emerging Trends and Future Considerations

Consumer Health Data Regulations

Four states now regulate consumer health data that falls outside HIPAA, such as data collected by wellness apps, fitness trackers, and retail health services (Washington's My Health My Data Act is the most prominent example):

  • Washington
  • Nevada
  • Connecticut
  • Maryland

This trend is likely to continue, with additional states considering similar legislation.

Reproductive Health Privacy

Special considerations include:

  • The 2024 HIPAA Privacy Rule amendments on reproductive health care privacy; confirm their current legal status, as the rule has been challenged in court
  • State-specific reproductive health protections
  • Cross-border data sharing restrictions
  • Enhanced consent requirements

Key Takeaways

  • Assess your organization's exposure to state privacy laws and HIPAA requirements
  • Understand the distinction between entity-level and data-level HIPAA exemptions
  • Implement comprehensive data classification and mapping procedures
  • Develop integrated compliance frameworks that address both federal and state requirements
  • Monitor emerging trends and prepare for additional state regulations
  • Maintain robust documentation of compliance efforts
  • Review and update privacy and security measures regularly

Frequently Asked Questions

How do we determine which state privacy laws apply to our organization?

Consider your physical locations, where you provide services, where your patients/members reside, and your data processing volumes. Most state privacy laws include specific thresholds for applicability, such as revenue generated in the state or number of residents whose data you process. Conduct a thorough assessment and document your findings.

What should we do if we operate in states with different types of HIPAA exemptions?

Implement a tiered compliance approach. Maintain HIPAA compliance as your baseline, then layer additional state-specific requirements based on your operational locations. For states with data-level exemptions, establish separate protocols for managing non-PHI data that falls under state jurisdiction.

How often should we review our compliance program?

Conduct comprehensive reviews at least annually and whenever significant changes occur in:

  • Applicable laws or regulations
  • Your organization's operations or service areas
  • Technology systems or data processing activities
  • Business relationships affecting data handling

Next Steps

  1. Conduct a comprehensive assessment of your current compliance status
  2. Identify gaps in your privacy and security programs
  3. Develop an action plan to address compliance requirements
  4. Implement required changes systematically
  5. Document all compliance efforts and decisions
  6. Schedule regular reviews and updates

Contact your privacy officer or legal counsel for specific guidance on implementing these recommendations in your organization.

Need help with healthcare compliance?

Lonia AI specializes in accessibility audits and compliance solutions.

Contact Lonia AI