
Since California enacted the California Consumer Privacy Act (CCPA) in 2018,1 an additional 18 states have enacted comprehensive consumer privacy laws.2 Additionally, Washington has enacted the My Health My Data Act governing consumer health data, and Nevada has enacted a similar law.3 All of these state laws include exemptions related to HIPAA and its implementing regulations. But that does not mean that HIPAA-regulated entities (e.g., covered entities (CEs) and business associates (BAs)) are completely exempt from these laws. While some state laws completely exempt HIPAA-regulated entities, others may impose new compliance obligations on them.
In this article, we discuss the interplay between HIPAA and these state laws and potential compliance obligations on organizations that are not completely exempt.
What follows is a chart with key information to determine the applicability of state consumer privacy laws to HIPAA-regulated entities (see Figure 1). Note that this chart, and all subsequent information in this article, is current as of December 1, 2025. This is a dynamic area, however, with frequent changes to state consumer privacy laws.
The first column lists all states with a comprehensive privacy law. We do not include state privacy laws focused on consumer health data, such as Washington’s My Health My Data Act, because analyzing such laws is a bit different (subsequently discussed).
The second column clarifies the scope of the HIPAA exemption. Some states only exempt protected health information (PHI), meaning that a HIPAA-regulated entity’s personal information that is not PHI is within scope. Other states include both entity-level exemptions for HIPAA-regulated entities and data exemptions for PHI. Note that California exempts providers of healthcare subject to the Confidentiality of Medical Information Act and HIPAA-regulated entities, but only to the extent that the entities maintain, use, and disclose patient information in the same manner as medical information or PHI.4 We do not interpret that these are true entity-level exemptions, as they are limited to patient information. In practice, it is unclear whether these exemptions have any practical effect, since a HIPAA-regulated entity’s patient information will either be PHI subject to HIPAA or will be excluded from HIPAA through designation as a hybrid entity (in which case it is unlikely the hybrid entity will apply HIPAA protections to the excluded patient information).
Figure 1: State Consumer Privacy Laws and Their Exemptions
| State | HIPAA exemption | Nonprofit exemption | Applicability threshold |
|---|---|---|---|
| California13 | PHI | Generally | $26,625,000 revenue or 100,000 residents |
| Colorado14 | PHI | No | 100,000 residents |
| Connecticut15 | CE/BA/PHI | Yes16 | 35,000 residents or processing of any sensitive personal data |
| Delaware17 | PHI | No | 35,000 residents |
| Indiana18 | CE/BA/PHI | Yes | 100,000 residents |
| Iowa19 | CE/BA/PHI | Yes | 100,000 residents |
| Kentucky20 | CE/BA/PHI | Yes | 100,000 residents |
| Maryland21 | PHI | No | 35,000 residents |
| Minnesota22 | PHI | No | 100,000 residents |
| Montana23 | CE/BA/PHI | Yes | 25,000 residents |
| Nebraska24 | CE/BA/PHI | Yes | No minimum |
| New Hampshire25 | CE/BA/PHI | Yes | 35,000 residents |
| New Jersey26 | PHI | No | 100,000 residents |
| Oregon27 | PHI | No | 100,000 residents |
| Rhode Island28 | CE/BA/PHI | Yes | 35,000 residents |
| Tennessee29 | CE/BA/PHI | Yes | $25,000,000 revenue and 175,000 residents |
| Texas30 | CE/BA/PHI | Yes | No minimum |
| Utah31 | CE/BA/PHI | Yes | $25,000,000 revenue and 100,000 residents |
| Virginia32 | CE/BA/PHI | Yes | 100,000 residents |
The third column clarifies whether the law exempts nonprofit organizations. We list California as “generally” because CCPA generally exempts nonprofit organizations unless the nonprofit entity controls or is controlled by a “business” that meets the CCPA’s threshold (discussed below) and the entities share common branding. For example, if a health system is a nonprofit organization but includes a for-profit subsidiary with more than $26.625 million in annual revenue and common branding with the health system, then the nonprofit health system will be subject to the CCPA. A few states offer very limited nonprofit exemptions unlikely to apply to HIPAA-regulated entities, such as nonprofit organizations dedicated exclusively to preventing and addressing insurance crime. For purposes of the chart, we treat these states as not having an exemption for nonprofit organizations.
The fourth column includes the threshold for qualifying as a regulated entity under the consumer privacy law. As a matter of statutory jurisdiction, all of the state consumer privacy laws only apply to an entity that does business in the state, provides products or services to residents of the state, and/or targets residents of the state (e.g., directs marketing efforts towards the state’s residents). The jurisdictional requirements vary slightly from state to state. Most state consumer privacy laws apply only if an entity processes the personal information of a minimum number of state residents (e.g., 100,000). Nebraska’s and Texas’s laws apply without any such minimum threshold.
Tennessee’s and Utah’s laws only apply if an entity has at least $25 million in annual revenue and processes the personal information of a minimum number of state residents. In contrast, California will regulate a for-profit entity as a “business” if it has revenue of $26.625 million (based on the most recent biannual inflation update) or processes the personal information of 100,000 California residents (e.g., it will apply to a business that has $30 million in annual revenue even if the business only processes 10 Californians’ personal information). Finally, most states include an alternative threshold, regulating an entity that controls or processes personal information of a lower number of residents but derives a significant percentage of gross revenue from the sale of personal information (e.g., Delaware’s law applies to an entity that controls or processes the personal information of at least 10,000 Delaware residents and derives more than 20% of its gross revenue from the sale of personal information). We did not include these alternative thresholds in the fourth column because we expect that few, if any, HIPAA-regulated entities derive a significant portion of their gross revenue from the sale of personal information.
Based on the above, we recommend the following steps for a HIPAA-regulated entity to determine whether it has compliance obligations under state consumer privacy laws.
Step 1: HIPAA entity-level exemption
The first step is to determine whether the state consumer privacy law includes an entity-level exemption. If so, then the analysis is done with respect to that state.
Accordingly, HIPAA-regulated entities currently need not worry about the following state laws:
- Connecticut
- Indiana
- Iowa
- Kentucky
- Montana
- Nebraska
- New Hampshire
- Rhode Island
- Tennessee
- Texas
- Utah
- Virginia
Note that the aforementioned states include broad exemptions for HIPAA BAs. It is not clear that state legislatures appreciated that an entity can qualify as a BA but be subject to HIPAA only with respect to a small percentage of its business. For example, a technology company could contract with 10,000 customers, with only one qualifying as a CE. The technology company will qualify as a BA but will only have HIPAA obligations with respect to its one CE customer’s data. Under the plain language of the above states’ consumer privacy laws, the technology company is completely exempt from them, even though the personal information of 99.9% of its customers falls outside HIPAA. Notwithstanding the plain text of the statutes, though, there is a risk that a court or regulator could interpret the technology company’s exemption as only pertaining to the one customer for whom it is acting as a BA. Accordingly, if an entity is a BA, it will need to decide whether to take a legally conservative approach and treat its exemptions from state consumer privacy laws as applying only to its HIPAA-regulated data.
In contrast, the following state laws potentially apply to HIPAA-regulated entities:
- California
- Colorado
- Delaware
- Maryland
- Minnesota
- New Jersey
- Oregon
If a HIPAA-regulated entity does not do business in or target residents of any of the latter states, its analysis is complete, and it is not currently subject to state consumer privacy laws.
Step 2: Nonprofit status
Next, if a HIPAA-regulated entity is a nonprofit, then it should review whether the state law exempts nonprofits.
In the states that do not completely exclude HIPAA-regulated entities (California, Colorado, Delaware, Maryland, Minnesota, New Jersey, and Oregon), only the following apply to nonprofits:
- California (nonprofits are generally exempt, but could be subject to CCPA if the nonprofit controls or is controlled by a for-profit entity that shares common branding and qualifies as a “business”)
- Colorado
- Delaware
- Maryland
- Minnesota
- Oregon
If the HIPAA-regulated entity is a for-profit organization, then it can skip this step.
Step 3: Applicability threshold
Finally, a HIPAA-regulated entity will only be subject to a state law if it satisfies the applicability threshold. For example, a HIPAA-regulated entity that does business in Oregon or targets its services to Oregon residents will be subject to the Oregon consumer privacy law if it controls or processes the personal information of 100,000 or more Oregon residents.
Compliance obligations
What happens if you have gotten this far and determined that you do need to comply with a state consumer privacy law? The answer will vary by state and requires a state-by-state analysis. But we can offer some general themes.
Except for CCPA, all state consumer privacy laws exclude personal information from commercial or employment contexts. This means that personal information of business-to-business contacts (such as a healthcare professional who is a referral source), employees, and job applicants is excluded. Additionally, all state consumer privacy laws exclude PHI of HIPAA-regulated entities: personal information about patients or plan members that relates to physical or mental condition, the provision of healthcare, or payment for the provision of healthcare. What’s left?
Usually, what is left is personal information collected from the website that is not PHI. The U.S. Department of Health and Human Services Office for Civil Rights’ (OCR) guidance on the use of online tracking technologies and HIPAA advises that:
Tracking technologies on many unauthenticated webpages do not have access to individuals’ PHI; in this case, a regulated entity’s use of such tracking technologies is not regulated by the HIPAA Rules.
However, in some cases, tracking technologies on unauthenticated webpages may have access to PHI, in which case the HIPAA Rules apply to the regulated entities’ use of tracking technologies and disclosures to the tracking technology vendors.5
Essentially, if personal information collected from a website qualifies as health information (i.e., it relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual), then it will be PHI subject to HIPAA and exempt from the state consumer privacy law. An example is information that identifies that someone is or was a patient or plan member of a CE, such as website data showing that they logged in to a patient or plan member portal. If the personal information does not qualify as health information — such as the mere fact that someone visited a healthcare provider’s website — then it is not PHI but may be personal information subject to any applicable state consumer privacy laws. The biggest challenge is the grey area. For example, if a website user visits a page about a particular medical condition or searches for a particular type of specialist, the original version of the OCR guidance suggested that this is PHI. The U.S. District Court for the Northern District of Texas, however, vacated this portion of the guidance.6 HIPAA-regulated entities may benefit from a boots-and-suspenders approach, seeking to comply with both HIPAA and applicable state consumer privacy law with respect to any website data that is on the line between PHI and non-PHI. OCR could view the information as PHI, but a state regulator could view the data as falling outside the state law’s PHI exemption.
Another potential bucket of personal information is information collected about non-patient consumers, including visitors. For example, a hospital’s gift shop may collect personal information of shoppers. Or that fancy new parking system may collect visitors’ phone numbers to text parking-related messages and may record license plate numbers (associating the license plate with the phone number for returning visitors).
CCPA also covers personal information of employees and business contacts. Accordingly, if subject to CCPA, a HIPAA-regulated entity likely has to address four categories of personal information: (1) website information that is not PHI; (2) personal information of visitors; (3) employee and job applicant information; and (4) personal information of business contacts (such as referral sources).
If business contacts’ personal information is found in PHI or HIPAA-de-identified data (e.g., a healthcare professional’s information), then it is unclear whether the CCPA exempts the personal information or whether the personal information is subject to the CCPA. On the one hand, the CCPA exempts both PHI and HIPAA-de-identified data. These exemptions arguably encompass any personal information in PHI or HIPAA-de-identified data. On the other hand, HIPAA only protects the privacy of the individual who is the subject of the PHI and does not more broadly protect the privacy of other persons’ personal information. This supports an interpretation that only applies the HIPAA exemption to personal information about the individual who is the subject of the PHI. Organizations will need to make a risk-based decision, with the conservative approach being to treat personal information in PHI as subject to CCPA if it is not about the individual who is the subject of the PHI.
Concerning personal information that is subject to one or more state consumer privacy laws, typical obligations under these laws include:
- Privacy policy. State consumer privacy laws typically require a published privacy policy. Most HIPAA-regulated organizations already have a HIPAA notice of privacy practices governing PHI and website privacy policy. The organization may need to revise its website privacy policy to apply more broadly (e.g., personal information collected offline) and comply with a state consumer privacy law’s specific content requirements.
- Privacy rights. State consumer privacy laws typically provide consumers with certain privacy rights, such as: (i) confirmation of what personal information is collected, sold, or shared; (ii) access to the personal information; (iii) correction of inaccurate personal information; and (iv) deletion of personal information. These privacy rights differ significantly from HIPAA’s privacy rights, so HIPAA-regulated entities may need separate programs for personal information and PHI.
- Data minimization. State consumer privacy laws may include data minimization requirements that limit the unnecessary collection of personal information.
- Opt-in/opt-out rights. State consumer privacy laws typically provide some opt-in and opt-out rights regarding certain collections, uses, and disclosures of personal information. For example, consumers may have a right to opt out of the “sale” of their personal information, with the definition of “sale” broadly covering disclosures in which the regulated entity receives anything of value in return (not just monetary payments). The laws may also include opt-out rights with respect to the “sharing” of personal information, with the term “sharing” potentially limited to cross-context behavioral advertising (when a consumer is targeted with advertisements on one website based on personal information obtained from an unrelated website). A HIPAA-regulated entity may need opt-in consent to sell or share a minor’s personal information. The laws often include greater restrictions on “sensitive” personal information, which generally includes health information (although such health information in the hands of a HIPAA-regulated entity is likely PHI that is exempt from any state consumer privacy law).
- Security requirements. State consumer privacy laws typically require entities to maintain the security of personal information. Most states do not include detailed information security requirements like the HIPAA Security Rule, however.
- Agreements with service providers. The state consumer privacy laws require entities to enter into agreements with their third-party service providers (known as “processors” under most state privacy laws). While serving a similar purpose to BA agreements (BAAs), state laws’ requirements for data processor agreements are typically very different from BAA requirements. Accordingly, HIPAA-regulated entities may want to include an increasing number of privacy and security addenda to their services agreements depending on the type of data shared with the service provider: (i) a BAA; (ii) a data processor agreement; (iii) specific information security requirements; and (iv) (because one cannot write an article these days without at least mentioning AI) restrictions and requirements on the use of AI.
- Data protection assessments. Many state consumer privacy laws require entities to conduct data protection assessments, in which they weigh the benefits of processing activities against potential risks to consumers.
The above is not an exhaustive list of state consumer privacy law requirements. Rather, it is intended to give HIPAA-regulated entities a general idea of their compliance obligations if they are subject to one or more state consumer privacy laws. If subject to a state consumer privacy law, a HIPAA-regulated entity should carefully analyze its privacy and security obligations under that law.
Consumer health data privacy laws
State consumer health data privacy laws, such as Washington’s My Health My Data Act and Nevada’s similar law, are arguably the strictest privacy laws in the country.7 They have many similarities to more general state consumer privacy laws, but require more details in privacy notices, provide greater consent rights to consumers, include more stringent privacy rights and geofencing restrictions, and do not include entity-level exemptions for HIPAA-regulated entities and nonprofit organizations. Nevertheless, they likely have minimal impact on HIPAA-regulated entities.
The laws govern “consumer health data,” but exempt PHI “for purposes of [HIPAA]” and records subject to the Family Educational Rights and Privacy Act (FERPA).8 They define “consumer health data” as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status” and then provide numerous examples.9 The definition of “consumer” exempts information collected in an employment context.10 The resulting definition of “consumer health data” closely aligns with HIPAA’s definition of “individually identifiable health information” but does not include HIPAA’s exceptions found in the definition of PHI for certain student treatment records that are exempt from FERPA and records of persons deceased for more than 50 years.11 The interplay of these definitions means that a HIPAA-regulated entity’s consumer health data is almost always PHI and, therefore, almost always exempt from the state consumer health data privacy law.12
The consumer health data privacy laws’ geofencing restrictions arguably have minimal impact on HIPAA-regulated entities as well. A healthcare provider may potentially use a geofence and PHI to assist patients, such as monitoring the location of a dementia patient or providing facility directions upon a patient’s arrival. The laws provide that it is unlawful to implement a geofence around an entity that provides in-person healthcare services where such geofence is used to: (1) identify or track consumers seeking healthcare services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or healthcare services. All three of these geofencing restrictions involve information about a consumer seeking healthcare services or consumer health data, both of which arguably qualify as PHI in the hands of a HIPAA-regulated entity and, therefore, arguably are exempt from the consumer health data privacy laws. One can argue that this means the geofencing restrictions are inapplicable, since the information about the geofence’s use is exempt. Because this is a new area of law, however, there remains some risk that a regulator or court would find that the PHI is exempt from the state law, but that the related use of geofencing is not exempt. Accordingly, if HIPAA-regulated entities use geofencing technology, they may argue that the geofencing restrictions are not applicable because they are tied to exempt PHI; however, the organization should understand that there is some risk that a regulator could disagree and assess the use of the geofencing technology accordingly.
Conclusion
HIPAA-regulated entities are mostly exempt from state consumer privacy laws, but the devil is in the details. Entities should assess whether any state privacy laws are potentially applicable, and then whether they are categorically exempt from such laws or if only their PHI is exempt. If it’s the latter, then they should identify if they process personal information that is not PHI and put in place an appropriate privacy program for such data. Finally, entities should keep in mind that this is a dynamic area of law, with new state privacy laws popping up and legislatures amending existing laws. Accordingly, entities should be vigilant for changes in state privacy laws that may impact them.
Endnotes
- 1. Cal. Civ. Code tit. 1.81.5, https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&chapter=&article=.
- 2. We are not including the Florida Digital Bill of Rights, Fla. Stat. tit. XXXIII ch. 501 pt. 5, in this count because it only applies to a relatively small subset of organizations (businesses in Florida with $1 billion or more in gross annual revenue and that: (1) generate at least 50% of revenue from the sale of advertisements online; (2) operate an app store or digital distribution platform that offers at least 250,000 different software applications for consumers to download and install; or (3) operate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud-computing service that uses hands-free verbal activation), https://www.flsenate.gov/Laws/Statutes/2023/Chapter501/PART_V.
- 3. Wash. Rev. Stat. ch. 19.373, https://app.leg.wa.gov/RCW/default.aspx?cite=19.373; Nev. Rev. Stat. §§ 603A.400–490, https://www.leg.state.nv.us/nrs/nrs-603a.html#NRS603ASec400.
- 4. Cal. Civ. Code § 1798.146(a)(2) and (3), https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.146.
- 5. U.S. Department of Health and Human Services, Office for Civil Rights, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” content last reviewed June 26, 2024, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html. The U.S. District Court for the Northern District of Texas vacated a portion of the guidance: Am. Hosp. Ass’n v. Becerra, 738 F.Supp.3d 780 (2024).
- 6. Am. Hosp. Ass’n v. Becerra, 738 F.Supp.3d 780 (N.D. Tex. 2024).
- 7. Connecticut amended its general consumer privacy law to further regulate consumer health data. Unlike the Washington and Nevada laws, however, the Connecticut law governing consumer health data completely exempts HIPAA-regulated entities. Conn. Gen. Stat. § 42-526(b)(6), https://www.cga.ct.gov/2024/sup/chap_743jj.htm#sec_42-526. Accordingly, we only intend to limit the remaining references to consumer health data laws to those of Washington and Nevada.
- 8. Wash. Rev. Code § 19.373.100(1)(a)(i) and (2)(d), https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.100; Nev. Rev. Stat. § 603A.490(1)(a) and (h)(3), https://www.leg.state.nv.us/nrs/nrs-603a.html#NRS603ASec490.
- 9. Wash. Rev. Code § 19.373.010(8), https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010; Nev. Rev. Stat. § 603A.430, https://www.leg.state.nv.us/nrs/nrs-603a.html#NRS603ASec430.
- 10. Wash. Rev. Code § 19.373.010(7), https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010; Nev. Rev. Stat. § 603A.425, https://www.leg.state.nv.us/nrs/nrs-603a.html#NRS603ASec425.
- 11. See definitions of “individually identifiable health information” and “protected health information,” 45 C.F.R. § 160.103, https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103.
- 12. The only edge cases in which consumer health data is not exempt from state consumer health data privacy laws are certain student treatment records described at 20 U.S.C. 1232g(a)(4)(B)(iv), https://bit.ly/4rh1eYk, that are exempt from both HIPAA and the Family Educational Rights and Privacy Act and records of persons deceased for more than 50 years, 45 C.F.R. § 160.103 (see definition of “protected health information” at paragraphs (2)(ii) and (iv)). A HIPAA-regulated entity should consider whether it is likely to have such consumer health data and, if so, whether this data is likely to implicate compliance obligations under a state consumer health data law.
- 13. Cal. Civ. Code §§ 1798.140(d), https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.140; 145(c)(1)(A), https://leginfo.legislature.ca.gov/faces/codes_ (1), https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.146.&nodeTreePath=8.4.53&lawCode=CIV; California Privacy Protection Agency, “California Privacy Protection Agency Announces 2025 Increases for CCPA Fines and Penalties,” news release, December 17, 2024, https://cppa.ca.gov/announcements/2024/20241217.html.
- 14. Colo. Rev. Stat. § 6-1-1304(1)(a)(I) and (2)(a), https://bit.ly/4tqbXkm.
- 15. Conn. Gen. Stat. §§ 42-516, https://www.cga.ct.gov/2023/pub/chap_743jj.htm#sec_42-516; 517(a)(1), (2), and (6), https://www.cga.ct.gov/2023/pub/chap_743jj.htm#sec_42-517; Conn. Pub. Act No. 25-113 (2025), https://www.cga.ct.gov/2025/ACT/PA/PDF/2025PA-00113-R00SB-01295-PA.PDF.
- 16. The nonprofit exception does not extend to the processing of consumer health data, although the Connecticut law completely exempts HIPAA-regulated entities from provisions governing consumer health data. Conn. Gen. Stat. § 42-526(b)(6), https://www.cga.ct.gov/2024/sup/chap_743jj.htm#sec_42-526.
- 17. Del. Code Ann. tit. 6, § 12D-103(a)(1), (b)(3), and (c)(1), https://delcode.delaware.gov/title6/c012d/index.html#12D-103.
- 18. Ind. Code §§ 24-15-1-1(a)(1), (b)(3), and (b)(4), https://iga.in.gov/laws/2023/ic/titles/24#24-15-1-1; 24-15-1-2(1), https://iga.in.gov/laws/2023/ic/titles/24#24-15-1-2.
- 19. Iowa Code § 715D.2(1), (2), and (3)(a), https://www.legis.iowa.gov/docs/code/715d.pdf.
- 20. Ky. Rev. Stat. Ann. § 367.3613(1)(a), (2)(c) and (d), and (3)(a), https://apps.legislature.ky.gov/law/Statutes/statute.aspx?id=56648.
- 21. Md. Code Ann., Com. Law §§ 14-4702, https://mgaleg.maryland.gov/mgawebsite/Laws/StatuteText?article=gcl&section=14-4702; 4703(a)(4) and (b)(1), https://mgaleg.maryland.gov/mgawebsite/Laws/StatuteText?article=gcl&section=14-4703.
- 22. Minn. Stat. § 325M.12 subd. 1(a) and subd. 2(a)(3)(i), https://www.revisor.mn.gov/statutes/cite/325M.12.
- 23. Mont. Code Ann. §§ 30-14-2803, https://archive.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0030/0300-0140-0280-0030.html; 2804(1)(b), (1)(f), and (2)(a), https://archive.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0040/0300-0140-0280-0040.html; Minn. S.B. 297, https://docs.legmt.gov/download-ticket?ticketId=cb19d561-a2af-4fe7-bae8-81d1581de7aa.
- 24. Neb. Rev. Stat. §§ 87-1103(1), (2)(c), (d), https://nebraskalegislature.gov/laws/statutes.php?statute=87-1103; 1104(1), https://nebraskalegislature.gov/laws/statutes.php?statute=87-1104.
- 25. N.H. Rev. Stat. Ann. § 507-H:3(I)(b), (f), and (II)(a), https://gc.nh.gov/rsa/html/LII/507-H/507-H-3.htm.
- 26. N.J. Stat. Ann. §§ 56:8-166.4 – 166.19, https://pub.njleg.state.nj.us/Bills/2022/S0500/332_R6.PDF.
- 27. Or. Rev. Stat. § 646A.572(1)(a), https://bit.ly/4akbNlW; (2)(b), https://bit.ly/407nHuB.
- 28. 6 R.I. Gen. Laws §§ 6-48.1-3(d) and (e)(1), https://webserver.rilegislature.gov/Statutes/TITLE6/6-48.1/6-48.1-3.htm; 6-48.1-4(a)(1), https://webserver.rilegislature.gov/Statutes/TITLE6/6-48.1/6-48.1-4.htm; 6-48.1-10(c), https://webserver.rilegislature.gov/Statutes/TITLE6/6-48.1/6-48.1-10.htm.
- 29. Tenn. Code Ann. §§ 47-18-3303, https://bit.ly/4at9du4; 47-18-3311(a)(4), (5) and (7), https://bit.ly/4a7XORo.
- 30. Tex. Bus. & Comm. Code §§ 541.002(a), (b)(3), (4), and .003(1), https://statutes.capitol.texas.gov/?tab=1&code=BC&chapter=BC.541&artSec=.
- 31. Utah Code Ann. § 13-61-102(1), (2)(d)–(f), and (g)(i), https://le.utah.gov/xcode/Title13/Chapter61/13-61-S102.html.
- 32. Va. Code Ann. § 59.1-576(A), (B)(iii)–(iv), and (C)(1), https://law.lis.virginia.gov/vacode/title59.1/chapter53/section59.1-576/.
Takeaways
- State consumer privacy laws increasingly overlap with HIPAA, meaning covered entities and business associates may face new obligations for personal information that is not protected health information (PHI).
- Some states provide broad entity-level HIPAA exemptions, while others exempt only PHI, requiring careful, state-specific applicability analysis.
- HIPAA-regulated entities should assess nonprofit status, revenue, and resident thresholds to determine whether state consumer privacy laws apply.
- When applicable, obligations may include privacy policies, consumer rights handling, data minimization, opt-out mechanisms, security safeguards, and new vendor agreement requirements.
- Consumer health data laws are strict, but usually exempt HIPAA PHI; organizations should still monitor gray areas such as website data and geofencing risks.
March 2026 | Compliance Today 21