States Move Forward with Privacy Protections to Close HIPAA Gaps for Health, Reproductive Health Info
Tuesday, May 27, 2025

Takeaways

  • Multiple state laws are strengthening protections for health data, increasingly reaching entities beyond the HIPAA-covered healthcare providers and health plans.
  • Certain categories of health information, such as reproductive health, have greater privacy protections.
  • Organizations cannot look solely to HIPAA when assessing privacy compliance.


When it comes to safeguarding health data, the Health Insurance Portability and Accountability Act (HIPAA) is paramount. HIPAA’s extensive reach encompasses nearly all healthcare providers and all health plans, affecting just about every American. However, its coverage is not complete. States are stepping in to address the gaps and tackle specific areas of concern, such as reproductive health information. 

Businesses will want to closely monitor state law developments even if they are not healthcare providers or health plans covered by HIPAA. This is especially important for businesses operating across multiple states. Even for covered entities or business associates under HIPAA, certain aspects of state laws still may raise compliance issues to consider. 

To illustrate, consider the laws of Washington, Nevada, Virginia, and New York.

Washington

Washington’s My Health, My Data Act is considered one of the first comprehensive state laws addressing certain health data not covered by HIPAA. The legislative findings explain part of the thinking:

Washingtonians expect that their health data is protected under laws like the health information portability and accountability act (HIPAA). However, HIPAA only covers health data collected by specific healthcare entities, including most healthcare providers. Health data collected by noncovered entities, including certain apps and websites, are not afforded the same protections. This act works to close the gap between consumer knowledge and industry practice by providing stronger privacy protections for all Washington consumers’ health data. 

The Washington law applies to “regulated entities” — entities that 

  1. Conduct business in Washington, or produce or provide products or services targeted to consumers in Washington; and
  2. Alone or jointly with others, determine the purposes and means of collecting, processing, sharing, or selling consumer health data. 

The law’s application is not limited to providers or plans. Further, although the law covers the typical categories of health information, such as health condition or diagnosis, it also addresses more specific categories of health information, including: 

  • Gender-affirming care information.
  • Reproductive or sexual health information.
  • Biometric data.
  • Genetic data.
  • Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services and supplies.

Violations are enforceable by the state Attorney General’s Office or through private actions brought by affected consumers. 

Nevada 

In 2023, Nevada enacted protections like those under Washington’s My Health, My Data Act. However, the Nevada law does not include a private right of action. 

Virginia 

Virginia recently amended its Consumer Protection Act (VCPA), effective July 1, 2025, focusing on safeguarding reproductive and sexual health information. The VCPA regulates “suppliers,” defined as a “seller, lessor, licensor, or professional that advertises, solicits, or engages in consumer transactions, or a manufacturer, distributor, or licensor that advertises and sells, leases, or licenses goods or services to be resold, leased, or sublicensed by other persons in consumer transactions.” Based on this definition, the compliance obligations, along with litigation and enforcement risks, extend beyond HIPAA in several respects. The amendments to the VCPA aim to bolster consumer protection, particularly in managing reproductive and sexual health information. 

Key points for businesses:

  • Prohibition on Collection and Disclosure Without Explicit Consent: The law strictly prohibits the collection, disclosure, sale, or dissemination of consumers’ reproductive or sexual health information unless explicit consent is obtained. “Consent” means “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.”
  • Broad Definition: The definition of “reproductive or sexual health information” is broad and includes data related to past, present, or future reproductive or sexual health, such as efforts to obtain reproductive health services, use of contraceptives, health status (e.g., pregnancy and menstruation), and treatments or surgeries.
  • Exclusions: The law excludes HIPAA-protected data and records related to substance use disorder treatment.
  • Private Right of Action and Enforcement: Individuals may bring an action for violations and can potentially recover the greater of actual damages or $500. The state attorney general may also investigate violations and seek civil penalties of up to $2,500 for willful violations.

New York

Earlier this year, New York passed Senate Bill 929, the “New York Health Information Privacy Act” or “New York HIPA.” (If it becomes law, referring to these laws will become a little more confusing: HIPAA, HIPPA, HIPA, and so on.) HIPA generally follows the approaches taken by the state laws discussed above. It does not provide a private right of action but grants the state attorney general authority to seek civil penalties of up to $15,000 per violation or 20% of revenue obtained from New York consumers within the past fiscal year, whichever is greater, as well as other forms of relief. 

Comprehensive State Privacy Laws 

Many states have adopted comprehensive privacy laws that protect personal information in general, including health-related data. While the definitions of covered entities may vary, they should be considered when assessing compliance. 

The California Privacy Rights Act (CPRA), for example, has a broad definition of sensitive data that includes mental or physical health conditions and sexual orientation. Similar to Virginia, the CPRA aims to protect consumers’ personal information, but it expands the scope to include sex life, which Virginia’s VCPA does not. The Colorado Privacy Act also includes “sex life” in its definition of sensitive data. These are just a few of the differences in how states define and protect categories of sensitive data.

Even before the Trump Administration began to reimagine the federal government’s role in regulatory and enforcement activities, states had already identified gaps in HIPAA’s protections for health information and begun to address them. Consequently, a broader range of entities must now revisit their handling of health information, especially if they have been outside of HIPAA’s reach. 

More from Jackson Lewis P.C.