State Health Data Privacy Laws Beyond HIPAA

HIPAA sets the federal floor for health data privacy — but it only applies to covered entities and their business associates. Consumer health apps, wearable fitness platforms, mHealth tools, wellness programs, and any organization that handles health-related data outside the HIPAA ecosystem has historically operated in a regulatory gap. States are rapidly closing that gap with their own health data privacy laws — creating a patchwork of regulations that healthcare IT organizations must navigate.

Why State Laws Matter for Healthcare IT

HIPAA hasn’t been significantly updated since 2013. Meanwhile, the health data landscape has transformed — consumer health apps track symptoms, fertility, mental health, and substance use. Remote monitoring devices collect continuous physiological data. Telehealth platforms operate across state lines. Genomic testing services process the most intimate biological data. AI tools analyze health data at scale.

Much of this data falls outside HIPAA because the organizations collecting it aren’t covered entities or business associates. States have responded with laws that:

  • Expand the definition of “health data” beyond HIPAA’s definition of PHI
  • Apply to entities HIPAA doesn’t cover — consumer apps, data brokers, advertisers
  • Create new consent requirements for health data collection and use
  • Grant consumers rights to access, delete, and control their health data
  • Impose penalties for non-compliance independent of HIPAA enforcement

Key State Laws

  1. Washington — My Health My Data Act (2023)

    The most comprehensive state health data privacy law. Applies to any entity conducting business in Washington that collects, processes, or shares “consumer health data” — defined broadly to include data that identifies a consumer’s past, present, or future physical or mental health status. This includes data from health apps, fitness trackers, mHealth platforms, and any digital service that processes health-related information.

    Key requirements: Affirmative consent before collecting or sharing consumer health data. Consumer rights to access, delete, and withdraw consent. No sale of consumer health data without separate, specific consent. Geofencing prohibition — cannot collect data around healthcare facilities for identification purposes. Private right of action — consumers can sue directly.

  2. Connecticut — Consumer Health Data Privacy (2023)

    Similar to Washington’s law but with some differences. Applies to entities processing consumer health data of Connecticut residents. Defines consumer health data broadly. Requires consent for collection and sharing. Grants deletion rights. Includes geofencing restrictions around healthcare facilities.

  3. Nevada — Consumer Health Data Privacy (2023)

    Nevada’s law focuses on the sale of consumer health data. Requires opt-in consent before selling consumer health data. Broader than HIPAA in scope — applies to any entity, not just covered entities.

  4. California — CCPA/CPRA Health Data Provisions

    The California Consumer Privacy Act and California Privacy Rights Act include health data within the category of “sensitive personal information.” Businesses must provide notice and opt-out rights for the sale/sharing of sensitive data. The California Age-Appropriate Design Code adds protections for minors’ health data in digital services.

  5. New York — SHIELD Act and Health Data Protections

    New York’s SHIELD Act broadens the definition of private information to include biometric data and username/password combinations. Healthcare organizations must implement reasonable safeguards. New York also has some of the strictest consent requirements for sharing health information through HIEs — requiring affirmative opt-in consent.

  6. Texas — Medical Records Privacy Act

    Texas imposes additional protections beyond HIPAA for medical records — including stricter breach notification requirements (60-day notification to individuals, electronic notification to the state AG within 60 days), additional consent requirements for electronic health record disclosure, and penalties up to $250,000 per violation.

  7. Other States to Watch

    Colorado, Virginia, Oregon, and Montana have comprehensive consumer privacy laws with health data provisions. Illinois has BIPA (Biometric Information Privacy Act) with a private right of action. Multiple states have laws specifically protecting reproductive health data, mental health records, and genetic information.

Technical Implementation Details

Consent Management for Multi-State Compliance

Organizations operating across states need consent management infrastructure that:

  • Identifies the consumer’s state of residence (or state where data is collected)
  • Applies the most restrictive applicable consent requirements
  • Captures affirmative consent before collecting health data (where required)
  • Supports granular consent — different permissions for different data types and uses
  • Records consent with timestamp, version, and scope for audit purposes
  • Supports consent withdrawal and data deletion requests
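The consent gate described above, as an added example that is not part of the original article or Taction's own platform. The state rule table, the requirement levels and the "collect"/"sale" purposes are constructed assumptions for illustration, not a statement of what any statute requires.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed rule table, illustration only (not the page's data, not legal advice).
# Levels from least to most restrictive: notice < opt_out < opt_in < separate_opt_in.
STATE_RULES = {
    "WA": {"collect": "opt_in", "sale": "separate_opt_in"},
    "CT": {"collect": "opt_in", "sale": "separate_opt_in"},
    "NV": {"collect": "notice", "sale": "separate_opt_in"},
    "CA": {"collect": "notice", "sale": "opt_out"},
}
DEFAULT_RULE = {"collect": "notice", "sale": "opt_out"}
STRICTNESS = ["notice", "opt_out", "opt_in", "separate_opt_in"]

def applicable_rule(states: List[str], purpose: str) -> str:
    """Pick the most restrictive requirement across every state that applies."""
    rules = [STATE_RULES.get(s, DEFAULT_RULE)[purpose] for s in states]
    return max(rules or [DEFAULT_RULE[purpose]], key=STRICTNESS.index)

@dataclass
class ConsentEvent:
    consumer_id: str
    data_type: str       # e.g. "fertility", "mental_health"
    purpose: str         # "collect" or "sale"
    action: str          # "grant", "withdraw" or "opt_out"
    policy_version: str  # version of the consent text the consumer saw
    at: datetime         # UTC timestamp for the audit trail

class ConsentLedger:
    """Append-only event log; the current consent state is the latest event."""
    def __init__(self):
        self.events: List[ConsentEvent] = []
    def record(self, consumer_id, data_type, purpose, action, policy_version="v1"):
        self.events.append(ConsentEvent(consumer_id, data_type, purpose, action,
                                        policy_version, datetime.now(timezone.utc)))
    def latest(self, consumer_id, data_type, purpose) -> Optional[str]:
        key = (consumer_id, data_type, purpose)
        hits = [e.action for e in self.events
                if (e.consumer_id, e.data_type, e.purpose) == key]
        return hits[-1] if hits else None

def may_process(ledger, consumer_id, data_type, purpose, states) -> bool:
    """Gate one operation on the strictest applicable state rule."""
    rule = applicable_rule(states, purpose)
    state = ledger.latest(consumer_id, data_type, purpose)
    if rule == "notice":
        return True                 # notice is enough; no consent gate
    if rule == "opt_out":
        return state != "opt_out"   # allowed until the consumer opts out
    # opt_in/separate_opt_in: need a grant for this exact purpose (no reuse of "collect")
    return state == "grant"
```

Because the ledger key includes the purpose, a consent captured for collection never silently satisfies a later sale, and the full event history stays available for audit.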

Data Inventory and Classification

Compliance starts with knowing what health data you have. Build a comprehensive data inventory that classifies:

  • What data is collected (symptoms, diagnoses, medications, biometrics, fertility, substance use, mental health)
  • How it’s collected (consumer-provided, device-generated, inferred through analytics)
  • Where it’s stored (databases, analytics platforms, third-party services)
  • Who it’s shared with (analytics vendors, advertisers, research partners)
  • Which state laws apply based on consumer location and business operations

Data Deletion Architecture

Multiple state laws grant consumers the right to delete their health data. Your systems must support:

  • Identifying all locations where a consumer’s data exists (databases, backups, analytics, third-party systems)
  • Executing deletion across all locations within required timelines
  • Cascading deletion requests to third parties who received the data
  • Documenting deletion completion for compliance records
  • Handling exceptions (data required for legal compliance, pending transactions)
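A deletion orchestrator covering the five points above, as an added example that is not part of the original article or Taction's own tooling. The in-memory stores, the legal-hold table and the recipient registry are constructed stand-ins for real databases, analytics platforms and third-party contracts.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

@dataclass
class DeletionReport:
    """Completion record kept for compliance files."""
    consumer_id: str
    started_at: datetime
    purged: Dict[str, int] = field(default_factory=dict)    # store -> rows removed
    retained: Dict[str, str] = field(default_factory=dict)  # store -> exception reason
    notified: List[str] = field(default_factory=list)       # third parties asked to delete

class DeletionOrchestrator:
    """Drives one deletion request across every system in the data inventory."""
    def __init__(self):
        # Constructed in-memory stand-ins for real databases, analytics stores, etc.
        self.stores: Dict[str, List[dict]] = {}
        self.holds: Dict[Tuple[str, str], str] = {}    # (store, consumer) -> reason
        self.recipients: Dict[str, Set[str]] = {}       # consumer -> third parties
        self.outbox: List[Tuple[str, str]] = []         # cascaded (party, consumer) requests

    def register_store(self, name: str, rows: List[dict]) -> None:
        self.stores[name] = rows

    def place_hold(self, store: str, consumer_id: str, reason: str) -> None:
        """Exception: data that must be kept (legal retention, pending transaction)."""
        self.holds[(store, consumer_id)] = reason

    def record_share(self, consumer_id: str, third_party: str) -> None:
        """Inventory of who received the consumer's data, for cascading deletion."""
        self.recipients.setdefault(consumer_id, set()).add(third_party)

    def delete_consumer(self, consumer_id: str) -> DeletionReport:
        report = DeletionReport(consumer_id, datetime.now(timezone.utc))
        for name, rows in self.stores.items():
            reason = self.holds.get((name, consumer_id))
            if reason:                      # documented exception, data kept
                report.retained[name] = reason
                continue
            before = len(rows)
            rows[:] = [r for r in rows if r.get("consumer_id") != consumer_id]
            report.purged[name] = before - len(rows)
        for party in sorted(self.recipients.get(consumer_id, ())):
            self.outbox.append((party, consumer_id))   # cascade to the recipient
            report.notified.append(party)
        return report
```

The report is the artifact to retain: it shows which stores were purged, which were kept and why, and which recipients were notified, which is what a regulator or auditor will ask for.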

Geofencing Compliance

Washington and Connecticut prohibit collecting consumer data within a specified distance of healthcare facilities for identification purposes. If your application uses location data, implement geofencing controls that prevent health-related data collection around medical facilities — including hospitals, clinics, behavioral health centers, and reproductive health facilities.
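A client-side geofence filter for the control just described, as an added example that is not part of the original article or Taction's code. The facility coordinates are constructed, and the 610 m radius is an assumption; the real radius must come from the distance each statute specifies.

```python
import math

# Constructed facility list with illustrative coordinates (not real data). A
# production system would load a maintained dataset of hospitals, clinics,
# behavioral health and reproductive health facilities.
FACILITIES = [
    {"name": "Example Hospital", "lat": 47.6097, "lon": -122.3331},
    {"name": "Example Clinic", "lat": 47.6205, "lon": -122.3493},
]
# Assumed fence radius; set it from the distance the applicable statute specifies.
FENCE_RADIUS_M = 610.0

def haversine_m(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def inside_fence(lat, lon, radius_m=FENCE_RADIUS_M) -> bool:
    """True if the point lies within radius_m of any listed facility."""
    return any(haversine_m(lat, lon, f["lat"], f["lon"]) <= radius_m for f in FACILITIES)

def sanitize_event(event: dict) -> dict:
    """Strip location from a telemetry event captured inside a fence.

    The check runs before anything is persisted, the coordinates are never
    stored, and only a boolean flag (not which facility) is kept so the audit
    trail shows suppression happened without re-identifying the visit.
    """
    lat, lon = event.get("lat"), event.get("lon")
    if lat is None or lon is None or not inside_fence(lat, lon):
        return event
    scrubbed = {k: v for k, v in event.items() if k not in ("lat", "lon")}
    scrubbed["location_suppressed"] = True
    return scrubbed
```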

Compliance Checklist

Data inventory:

  • Complete inventory of all consumer health data collected, processed, and shared
  • Data classified by type, source, storage location, and sharing partners
  • State law applicability mapped based on consumer locations and business operations

How Taction Ensures Compliance

At Taction, our team helps healthcare and digital health organizations navigate the intersection of HIPAA and state health data privacy laws.

What we do:

  • Multi-state compliance assessment — We assess your data practices against applicable state health data privacy laws, identify gaps, and build compliance roadmaps prioritized by enforcement risk and business impact.
  • Consent management implementation — We build consent management platforms that handle multi-state consent requirements — jurisdiction detection, granular consent capture, withdrawal processing, and audit-ready documentation.
  • Data inventory and classification — We inventory consumer health data across your technology stack — identifying data types, storage locations, sharing relationships, and applicable state law requirements.
  • Deletion architecture — We design and implement data deletion capabilities that satisfy state law requirements — cross-system identification, cascading deletion to third parties, and completion documentation.
  • Privacy-by-design development — For digital health products and consumer health applications, we build privacy controls into the architecture from the start — consent capture, data minimization, purpose limitation, and deletion readiness.
