HIPAA State Law Compliance Checklist

A structured checklist for 10 high-priority states covering state-specific breach notification deadlines, additional consent requirements beyond HIPAA, mental health records protections, genetic information restrictions, and state AG contact information. Helps multi-state and single-state practices identify where their HIPAA program needs state-specific additions.

Short answer

A state-by-state compliance checklist covering breach notification deadlines, additional consent requirements, mental health and genetic information protections, and AG contact information for CA, TX, NY, FL, IL, WA, CO, MA, VA, and NJ.

What is inside

State-specific breach notification deadlines for 10 high-priority states — ranging from 30 to 90 days — with the exact statutory citations for each
Additional patient consent requirements that go beyond HIPAA's minimum: states where authorization is required for disclosures HIPAA would permit without consent
Mental health records protections — several states impose stricter confidentiality rules for behavioral health records than the federal baseline
Genetic information restrictions by state, including states that prohibit insurer access to genetic test results more broadly than GINA
State Attorney General contact information and the AG's health privacy enforcement history, so you know who to call and what to expect if an incident occurs

We publish the same practical templates and decision tools that clinics use to structure recurring HIPAA work. No enterprise gate. No resource-library gimmicks. Just practical material delivered quickly.

Editorial details

Written by: Angel Campa

Reviewed by: PHIGuard Compliance Research

Updated: April 28, 2026

Best next step: Open the matching product path

Sources

HIPAA Preemption of State Law | HHS
45 CFR § 160.203 — General Rule and Exceptions | eCFR

Download the PDF

Know which state privacy laws apply to your clinic — without hiring a compliance consultant

Enter your email and we will send the PDF.

Questions

If we already comply with HIPAA, why do we need to check state law?

HIPAA sets a federal floor. Under the preemption framework at 45 CFR § 160.203, state laws that are more protective of patient privacy are not preempted — they apply on top of HIPAA. A clinic in California, New York, or Illinois may face breach notification deadlines shorter than the 60-day federal window and consent requirements that are stricter than the minimum necessary standard.

We only operate in one state. Do we still need this?

Yes. Your single-state checklist entry will show whether your state's rules differ from HIPAA's baseline on breach timing, consent, mental health records, or genetic information. For many states, the differences are significant enough to require policy updates.

How often do state privacy laws change?

Frequently. Several states in this checklist updated their breach notification laws within the past two years. This resource was reviewed as of its publication date. We recommend treating state law requirements as a living element of your compliance program, reviewed annually or after any state legislative session.

Is this free?

Yes. Enter your email and we will send the full resource to your inbox.

Why do you need my email?

We send the resource directly to your inbox. We will not add you to a marketing list without your consent.