LegalReader.com  ·  Legal News, Analysis, & Commentary


States Expand Health Data Privacy Laws


May 28, 2025

States expand privacy laws to protect sensitive health data beyond HIPAA coverage.


More states are stepping in to give people better control over their health information through new data privacy laws. The federal law known as HIPAA was designed to protect health data, but it doesn’t cover everything. For example, it mostly applies to doctors, hospitals, and insurance companies. It doesn’t always apply to health information collected by fitness apps, period trackers, or online health tools that many people use every day. That’s where new state laws are starting to fill the gaps.

In Washington, the My Health, My Data Act was created to protect health information that falls outside of HIPAA’s reach. This includes data like reproductive care, gender-affirming treatments, and even where someone’s phone goes if they’re seeking care. The law makes it clear that companies can’t gather or share this kind of information without getting permission. It doesn’t just apply to doctors or clinics—it applies to any business that handles consumer health data. If a company breaks the law, Washington allows people to take legal action themselves, not just rely on government enforcement.

Nevada passed a similar law last year. It gives people stronger privacy rights when it comes to their health data, especially information related to reproductive health. However, unlike Washington’s law, it doesn’t allow people to sue companies directly. Only the state’s attorney general can take action.


Virginia is also changing how health data is protected. Starting in July 2025, new rules will take effect under the Virginia Consumer Protection Act. These changes focus on sensitive health topics like pregnancy, birth control, and sexual health. The law says companies must get clear permission before collecting or sharing this type of data. It applies to a wide range of businesses, not just healthcare providers. In some cases, people in Virginia can sue over violations, and companies could be fined if they don’t follow the rules.

New York has introduced a law called the Health Information Privacy Act. While it doesn’t allow individuals to sue, it does give the state power to enforce it. Fines could be steep—up to $15,000 per violation or a portion of the company’s revenue. The goal is to hold businesses accountable for how they handle health information, especially if they do business in New York or serve its residents.

Other states like California and Colorado have also passed broad privacy laws that touch on health-related data. These laws don’t just focus on medical records; they include things like someone’s sexual orientation or mental health status. The definitions of what counts as sensitive data may vary by state, but the message is clear: people want more say in who sees their health information and how it’s used.

As more states move forward with privacy protections, businesses in and outside of healthcare will need to rethink how they collect and use personal health information. These changes show that the days of relying on HIPAA alone are coming to an end. Now, companies must keep up with both federal and state rules—or risk legal trouble.

Sources:

- Engrossed Substitute House Bill 115
- State Laws Expand Health Data Privacy Beyond HIPAA Limits
- Washington HB 1155 Protects Data Not Covered by HIPAA
