Checklist for State Healthcare Privacy Compliance

By The Reform Team

Healthcare privacy laws are changing fast, and keeping up is critical. As of January 2026, 19 state privacy laws are in effect, with new rules from Indiana, Kentucky, and Rhode Island. These laws often go beyond HIPAA, targeting businesses like fitness apps and wellness platforms. The challenge? Each state has its own rules, from consent requirements to enforcement methods.

Here’s what you need to know:

  • Key Laws: Washington’s My Health My Data Act, Nevada’s SB 370, and Maryland’s MODPA lead the way with stricter protections.
  • Who’s Affected: Even small businesses handling health data (like apps) must comply - revenue size often doesn’t matter.
  • Consumer Rights: Opt-in consent, data deletion, and tighter breach notification timelines are common requirements.
  • Penalties: States vary, with some allowing lawsuits (Washington) and others relying on government enforcement (Nevada).

Quick Tip: Start by identifying which state laws apply to your business. Then, implement privacy controls, train staff, and create a breach response plan to stay compliant.

State-Specific Privacy Requirements Explained

This section dives into the key aspects of state healthcare privacy laws. To navigate these regulations, it's crucial to understand three main areas: who must comply, the required privacy protections, and the penalties for falling short. Let’s break these down.

Who Must Comply

Laws like Washington's My Health My Data Act and Nevada's SB 370 have expanded their reach by removing revenue or data volume thresholds. Essentially, they apply to any organization collecting consumer health data, even if they don't fall under traditional HIPAA guidelines. This includes businesses dealing with data from fitness trackers, wellness apps, or biometric devices. If you’re operating in a state or targeting its residents, these laws likely apply to you.

A critical factor is determining whether a state law is "more stringent" than HIPAA. When a state law offers stronger privacy protections or grants additional rights to individuals, organizations must comply with both HIPAA and the state-specific rules. For example, some states require explicit patient consent for mental health disclosures, even in cases where HIPAA would allow such disclosures for treatment or payment without additional authorization.

Required Privacy Protections

State laws demand stricter privacy measures, including explicit opt-in consent for collecting, sharing, or selling health data. Pre-checked boxes or vague agreements won’t cut it - you need clear, documented permission that specifies who will receive the data and why.

These laws also expand consumer rights. Individuals may be entitled to delete their health data or withdraw consent at any time. Breach notification timelines are often tighter than HIPAA’s 60-day window. For instance, California requires notifications within 15 days of discovering unauthorized access. Nevada goes a step further by banning geofencing around healthcare facilities to prevent tracking or targeted health ads. Additionally, documentation requirements often align with HIPAA’s six-year retention rule, although some states call for detailed records of separate consents for data collection and sharing.

Penalties for Violations

Failing to comply with these laws can lead to hefty fines and legal consequences. Washington’s My Health My Data Act allows consumers to sue organizations directly for violations. In contrast, Nevada’s SB 370 relies on enforcement by the Attorney General and the Commissioner of Consumer Affairs, treating violations as deceptive trade practices. Penalties vary by state, ranging from civil fines to private lawsuits, so it’s vital to understand the enforcement mechanisms in each jurisdiction where your organization operates.

Major State Healthcare Privacy Laws

State Healthcare Privacy Laws Comparison: Washington, Nevada, and Maryland Requirements


Three states have introduced healthcare privacy laws that go beyond HIPAA's protections, each with its own enforcement methods and specific requirements for organizations.

Washington My Health My Data Act (MHMDA)

Washington's MHMDA bans the use of geofencing within 2,000 feet of healthcare facilities to track individuals, gather health data, or send targeted ads. It defines "precise location information" as geographic coordinates within a 1,750-foot radius.

The law also requires organizations to post a consumer health data privacy policy prominently on their homepage, listing all affiliates and third parties with access to the data. Before selling consumer health data, companies must obtain signed authorization that specifies the buyer's identity and the purpose of the sale.

MHMDA grants consumers a private right of action, enabling them to sue for violations and potentially recover treble damages up to $25,000. The Washington Attorney General can impose civil penalties of up to $7,500 per violation. Organizations must respond to consumer data requests within 45 days, with the option to extend by another 45 days if necessary. Additionally, data must be fully removed from backup systems within six months.

Nevada Senate Bill 370

Nevada's SB 370 also restricts geofencing but sets the boundary at 1,750 feet from healthcare facilities, slightly narrower than Washington's law. The law requires separate consents for data collection and sharing, as well as written authorization for data sales.

Unlike Washington, Nevada treats violations as deceptive trade practices under state law, enforceable only by the Attorney General and the Commissioner of Consumer Affairs - there is no private right of action. Organizations must respond to consumer requests within 45 days and notify affiliates, contractors, and processors to delete data within 30 days of a deletion request. Nevada's HIPAA exemption applies to entire entities rather than specific data types.
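One way to operationalize the two geofencing buffers above before a location-based campaign goes live, as an added example that is not part of the original post: the check flags any proposed fence whose area comes within the state buffer (2,000 feet in Washington, 1,750 feet in Nevada, as stated above) of a healthcare facility. The facility coordinates are constructed sample data, the spherical-Earth distance is an approximation, and treating "within N feet" as fence edge plus buffer is this example's assumption, not the statutes' text.

```python
import math

# Buffer radii (feet) around healthcare facilities, as stated in the post.
STATE_BUFFER_FEET = {"WA": 2000.0, "NV": 1750.0}

# Mean Earth radius, 6,371,000 m, expressed in feet (spherical approximation).
EARTH_RADIUS_FEET = 20_902_231.0


def distance_feet(lat1, lon1, lat2, lon2):
    """Great-circle distance in feet between two lat/lon points (haversine)."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_FEET * math.asin(math.sqrt(a))


def geofence_violations(state, fence_lat, fence_lon, fence_radius_feet, facilities):
    """Return [(facility_name, center_distance_ft)] for every facility whose
    state buffer the proposed fence would overlap.

    Overlap is assumed when the distance between the fence center and the
    facility is less than fence radius + state buffer.  An unknown state raises
    KeyError rather than silently treating the fence as allowed."""
    buffer_ft = STATE_BUFFER_FEET[state]
    hits = []
    for name, lat, lon in facilities:
        d = distance_feet(fence_lat, fence_lon, lat, lon)
        if d < fence_radius_feet + buffer_ft:
            hits.append((name, round(d)))
    return hits


# Constructed sample data: a point fence and two facilities due north of it.
# 0.005 degrees of latitude is about 1,824 ft; 0.010 degrees is about 3,648 ft.
SAMPLE_FENCE = (47.6062, -122.3321, 0.0)  # (lat, lon, radius_ft), constructed
SAMPLE_FACILITIES = [
    ("Clinic A (constructed)", 47.6112, -122.3321),
    ("Clinic B (constructed)", 47.6162, -122.3321),
]


def run_sample(state):
    """Apply the named state's buffer to the constructed sample fence."""
    lat, lon, radius = SAMPLE_FENCE
    return geofence_violations(state, lat, lon, radius, SAMPLE_FACILITIES)


if __name__ == "__main__":
    for st in ("WA", "NV"):
        print(st, run_sample(st))  # WA flags Clinic A (~1,824 ft); NV flags nothing
```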

Maryland Online Data Privacy Act (MODPA)

Maryland's MODPA takes a different approach, focusing on safeguarding sensitive reproductive health information. The law prohibits state judges from compelling individuals to provide out-of-state evidence related to legally protected health services, such as abortion care. It also requires health information exchanges to obtain explicit patient consent before sharing abortion-related data with entities outside the state. This ensures additional protection for sensitive reproductive health data.

Compliance Checklist

Identify Applicable Laws

Start by mapping out where your patients and consumers reside. State laws typically apply based on an individual's location. Assess your HIPAA status to determine whether you're classified as a Covered Entity or Business Associate. If your organization handles both covered and non-covered functions, you'll need to designate specific "health care components" to clarify which regulations apply to different parts of your business.

Pay attention to state-specific thresholds. Unlike broader privacy laws that often hinge on processing data for 100,000+ consumers or earning $25 million+ in revenue, certain health-specific laws - like Washington's MHMDA and Nevada's SB 370 - apply regardless of revenue or data volume. Maryland's MODPA, on the other hand, applies to businesses managing personal data for at least 35,000 residents annually.

Take a close look at whether your data collection practices fall under state definitions of "Consumer Health Data." For detailed definitions, refer to earlier sections of this guide. States like Washington and Nevada define this broadly, covering physical and mental health information, biometric and genetic data, and even precise geolocation data tied to healthcare services. Be sure to also check for restrictions on practices like geofencing, as these vary by state.

Once you've identified the laws that apply, the next step is to establish strong privacy and security measures.

Set Up Privacy and Security Controls

Appoint leadership by assigning a Privacy and Security Officer to oversee compliance. For smaller organizations, a single person can handle both roles. The Security Officer’s responsibilities include conducting risk analyses, implementing security measures, and managing workforce training and access to sensitive information.

Introduce role-based access controls to limit data access to only what's necessary for a specific role. Each user should have a unique ID, and systems should include automatic logoff features to protect against unauthorized access during inactivity. Audit logs are essential for tracking system activity, while encryption ensures data is secure during transmission.

Train your entire workforce on security policies, even those with minimal or no direct access to sensitive data. Policies should be adaptable to your organization’s size and risk level. Under HIPAA’s Security Rule, you're required to keep documentation of security policies and assessments for at least six years from their creation or last effective date.

Establish Business Associate Agreements (BAAs) with all third-party vendors handling sensitive data. These agreements ensure that your vendors follow the same security standards as your organization. Additionally, create a contingency plan that outlines procedures for data backup, disaster recovery, and emergency operations to maintain data availability during unexpected system failures. These steps will help you comply with both HIPAA and stricter state-level laws.

Create a Breach Response Plan

Once your privacy and security measures are in place, develop a clear and efficient breach response protocol. Set up immediate reporting procedures for any suspected or confirmed incidents. Reports should go to an internal Incident Management Team or IT Service Desk. Form a Breach Analysis Team, which might include the Business Owner, Information System Security Officer, and Senior Privacy Official, to evaluate risks and approve notification plans.

Develop a risk assessment framework to analyze breaches. This framework should evaluate factors like the type of data involved, who accessed it, whether it was acquired or viewed, and the potential for mitigation. State-specific deadlines for breach notifications vary, ranging from 15 business days to 60 calendar days. If a breach affects more than 500 residents, authorities must also be notified. Under HIPAA, individuals must be informed of reportable breaches within 60 days of discovery.

Use standardized templates, such as the HHS PIRT Response Plan Template, to meet all legal requirements for breach notices. Notifications should be written in plain, easy-to-understand language and include key details such as the nature of the breach, the types of data involved, steps individuals can take to protect themselves, and your organization’s contact information. Document all corrective actions taken to prevent similar incidents in the future, and consider offering services like identity theft protection or credit monitoring to affected individuals.

Maintaining Compliance Over Time

Once initial controls are in place, the real challenge begins: keeping up with changing laws and maintaining compliance as regulations evolve.

Regular Law Reviews and Updates

State privacy laws are in constant motion, and staying updated is not optional. Federal regulations mandate that covered entities and business associates regularly review and adjust their security measures "as needed" to ensure the ongoing protection of electronic protected health information (ePHI). For instance, in 2025, eight new state privacy laws came into effect, introducing requirements like stricter data necessity rules and mandatory appointments of data protection officers.

To stay informed, monitor reliable resources frequently. Tools like the IAPP US State Privacy Legislation Tracker and the National Governors Association State Roadmap provide current information on both enacted and proposed legislation. Additionally, state-specific manuals, such as California's Hospital Health Information Privacy Manual, undergo significant annual updates to address new issues such as substance use disorder records, reproductive health protections, and compliance with out-of-state subpoenas.

Using Tools to Support Compliance

Automated audit controls are essential for tracking and analyzing activity within systems that handle protected health information. Platforms like Reform offer secure, no-code solutions for managing sensitive data. Features such as email validation, spam prevention, and real-time analytics help ensure privacy while simplifying data management.

When choosing compliance tools, prioritize those with role-based access controls and seamless CRM integrations. Regularly evaluate these tools to ensure they meet updated security requirements. Any technology you implement should align with the Security Rule's flexibility, allowing measures tailored to your organization's size and risk level. Also, confirm that all third-party providers sign a Business Associate Agreement, which obligates them to comply with security standards and report any incidents.

FAQs

How can I identify which state healthcare privacy laws apply to my business?

To figure out which state healthcare privacy laws apply to your business, start by pinpointing the types of health data you handle and the states where you operate. Laws like Washington’s My Health My Data Act often apply to any business dealing with consumer health data, regardless of its size or revenue.

Once you've identified the states involved, dig into the specific requirements for each one. Pay attention to factors like data volume thresholds, revenue criteria, or obligations such as obtaining opt-in consent, providing consumers with rights to access or delete their data, and adhering to breach notification rules. A compliance checklist can help you align your policies and workflows with these regulations.

To simplify the process, consider using tools like Reform, a no-code form builder. Its features, such as conditional routing and customizable consent options, allow you to tailor your forms to meet the varying regulations of different states, ensuring your data collection practices stay on the right side of the law.

What are the consequences of not following state healthcare privacy laws?

Failing to follow state healthcare privacy laws can result in hefty fines. The penalties differ depending on the state. For instance, under California’s CCPA/CPRA, fines can reach up to $2,500 per violation and as much as $7,500 for intentional violations. Other states have their own fine systems, which may also involve further enforcement actions.

To steer clear of these penalties, businesses need to stay updated on state-specific rules and take steps to align with healthcare privacy requirements.

How can small businesses comply with state healthcare privacy laws?

Small businesses can tackle the challenges of state healthcare privacy laws by developing a compliance program that’s both thorough and adaptable to specific state regulations. Start by identifying all the personal health information (PHI) your business collects, processes, or shares. Then, map out this data in relation to key privacy principles such as lawful use, minimizing data collection, respecting consumer rights, and implementing robust security measures.

Create privacy policies and consent processes that align with the most stringent state laws, like requiring opt-in consent for health data. For states with unique requirements - such as Washington's My Health My Data Act - adjust your policies to meet those additional standards. Tools like no-code platforms, such as Reform, can make it easier to manage consent forms and automate compliance tasks.

Regularly review and update your privacy notices to ensure they include all necessary details, such as consumer rights and data retention policies. Stay ahead of new regulations by conducting periodic audits and providing ongoing training for your team. With a strong foundation and proactive updates, small businesses can confidently navigate the shifting landscape of state healthcare privacy laws.
