HIPAA State-Law Overlay Matrix

A comparison matrix of federal HIPAA requirements versus California CMIA, Texas HB 300, and New York SHIELD Act obligations across training, breach notification, patient rights, and records retention.

Short answer

A side-by-side table comparing federal HIPAA requirements against California's Confidentiality of Medical Information Act (CMIA), Texas HB 300, and the New York SHIELD Act across four compliance dimensions: training obligations, breach notification timing and scope, patient access rights, and records retention. Designed for multi-state practices and telehealth providers serving patients across state lines.

What is inside

Side-by-side matrix: federal HIPAA vs California CMIA vs Texas HB 300 vs New York SHIELD Act
Four dimensions: training requirements, breach notification rules, patient access rights, and records retention
Stricter-standard call-outs — where state law is more demanding than HIPAA, the matrix flags the higher bar
Telehealth multi-state note — what happens when your clinic serves patients in multiple states
Practical action items for each state overlay dimension

We publish the same practical templates and decision tools that clinics use to structure recurring HIPAA work. No enterprise gate. No resource-library gimmicks. Just practical material delivered quickly.

Editorial details

Written by: Angel Campa

Reviewed by: PHIGuard Compliance Research

Updated: April 25, 2026

Best next step: Open the matching product path

Verified: April 25, 2026

Sources

California Confidentiality of Medical Information Act (CMIA) | California Legislature
Texas HB 300 — Health Privacy | Texas Legislature
New York SHIELD Act | New York Department of State
45 CFR § 164.520 — Notice of Privacy Practices | eCFR

Download the PDF

A side-by-side comparison of federal HIPAA requirements and stricter state privacy laws your clinic may also need to follow

Enter your email and we will send the PDF.

Questions

Does HIPAA or state law take precedence?

HIPAA is a federal floor, not a ceiling. When a state law is more protective of patient privacy than HIPAA, the state law's stricter requirement generally applies. When HIPAA is stricter than state law, HIPAA controls. Covered entities operating in states with stricter privacy laws must comply with both — the federal baseline and the state overlay.

We're in Texas — does HB 300 apply to us?

Texas HB 300 applies to covered entities under HIPAA that handle the PHI of Texas residents. It also applies to some entities that HIPAA does not cover. If you are a HIPAA covered entity serving Texas patients, you have HB 300 obligations in addition to HIPAA, most importantly the more demanding training requirements.

We offer telehealth and serve patients in multiple states — which state laws apply?

Generally, state law applies based on where the patient is located, not where the clinic is. A telehealth provider serving patients in California is subject to California law for those patients, even if the clinic is physically located in another state. Multi-state telehealth providers should assess the privacy laws of every state in which they actively serve patients.