State Health Privacy Laws: A Map of What Applies Where
On March 31, 2024, Washington's My Health My Data Act took effect and immediately changed the compliance calculus for every healthcare organization with patients in the state. Unlike HIPAA, this law applies to entities that are not covered entities. Unlike HIPAA, it creates a private right of action. And unlike HIPAA, it defines "consumer health data" broadly enough to encompass website browsing behavior, location data near healthcare facilities, and appointment scheduling information collected through standard marketing tools.
Washington was not the first state to move beyond HIPAA. It was not the last. A wave of state health privacy legislation is reshaping the regulatory landscape for healthcare marketing teams, and the laws differ from each other in scope, definitions, enforcement mechanisms, and applicability. For organizations operating across state lines, which includes nearly every health system with a website, the question is no longer "Are we HIPAA compliant?" It is "Which state laws apply to our data, and are we compliant with all of them?"
Why States Are Legislating Beyond HIPAA
HIPAA was enacted in 1996 and its Privacy Rule took effect in 2003. The law was designed for a world where health data lived in medical records, insurance claims, and fax machines. It applies only to covered entities (health plans, healthcare clearinghouses, and healthcare providers who conduct certain electronic transactions) and their business associates.
That scope left enormous gaps. Health apps, consumer wellness platforms, fertility trackers, telehealth companies that are not covered entities, and marketing technology vendors all collect health-related data outside HIPAA's jurisdiction. When the FTC took action against GoodRx in 2023 for sharing prescription data with advertising platforms, it used the Health Breach Notification Rule because GoodRx was not a HIPAA-covered entity. The $25 million settlement signaled that health data protection was expanding beyond HIPAA's borders.
State legislatures noticed. They also noticed that their constituents were increasingly concerned about health data flowing to advertising platforms, data brokers, and tech companies. The result is a new generation of state laws specifically targeting health data, each written to address the gaps that HIPAA leaves open.
The Major State Health Privacy Laws
Washington: My Health My Data Act (MHMDA)
Effective: March 31, 2024 (regulated entities); June 30, 2024 (small businesses)
Scope: Any entity that conducts business in Washington or targets Washington consumers and collects, processes, or shares consumer health data.
Key provisions:
Defines "consumer health data" broadly: any information that identifies or is reasonably linkable to a consumer and relates to past, present, or future physical or mental health. This includes symptoms, diagnoses, treatments, medications, bodily functions, vital signs, reproductive health, gender-affirming care, biometric data, and location data that could indicate a visit to a healthcare facility.
Requires affirmative, informed consent before collecting or sharing consumer health data. Consent must be obtained separately from general terms of service.
Prohibits the sale of consumer health data without separate, specific consent.
Provides a private right of action under the state Consumer Protection Act, meaning individuals can sue directly.
Applies to entities that are NOT HIPAA-covered, filling the gap that HIPAA leaves.
Impact on marketers: Website analytics that collect IP addresses and browsing behavior on health-related pages may constitute "consumer health data" under MHMDA. Geofencing or location targeting near healthcare facilities triggers the location data provision. Standard consent banners that rely on passive opt-in likely do not meet the "affirmative consent" requirement.
Connecticut: Consumer Health Data Protections (SB 3)
Effective: July 1, 2023 (as part of Connecticut Data Privacy Act amendments)
Scope: Entities conducting business in Connecticut that process consumer health data.
Key provisions:
Defines consumer health data similarly to Washington but with some differences in scope.
Requires opt-in consent for the sale of consumer health data.
Restricts the use of consumer health data for advertising without explicit consent.
Adds geofencing restrictions: prohibits geofencing within 1,750 feet of a healthcare facility for advertising purposes.
Consumer health data protections apply to entities beyond HIPAA-covered entities.
Impact on marketers: Location-based advertising near clinics, hospitals, or pharmacies requires careful compliance review. Health-related audience segments built from browsing behavior need explicit consent.
Nevada: Consumer Health Data Privacy Law (SB 370)
Effective: March 31, 2024
Scope: Entities conducting business in Nevada or targeting Nevada consumers that collect, process, or share consumer health data.
Key provisions:
Defines consumer health data broadly, including data that relates to attempts to obtain health services.
Requires opt-in consent for the sale of consumer health data.
Includes geofencing restrictions near healthcare facilities.
Creates an enforcement mechanism through the state Attorney General.
Other States with Health Data Provisions
Several additional states have enacted or are considering health data protections as part of broader consumer privacy laws:
California (CCPA/CPRA): While not a standalone health privacy law, CCPA treats health data as "sensitive personal information" requiring opt-in consent for certain uses. The California AG has also taken enforcement action related to health data.
Colorado (CPA): Health data is classified as sensitive data requiring opt-in consent for processing.
Oregon (OCPA): Effective July 2024, classifies health data as sensitive and requires opt-in consent.
Texas (TDPSA): Effective July 2024, includes health data as sensitive data with consent requirements.
Montana, Virginia, Indiana, Iowa, Tennessee: Each includes health data provisions in their comprehensive privacy laws, typically classifying it as sensitive data with heightened consent requirements.
How State Laws Differ from HIPAA and from Each Other
The variation across state laws creates complexity that healthcare marketing teams cannot address with a single compliance framework.
Who is covered. HIPAA applies to covered entities and business associates. State health privacy laws typically apply to any entity that collects health data from state residents, regardless of whether the entity is a HIPAA-covered entity. This means your website, your marketing technology vendors, and your advertising partners may all have independent obligations under state laws.
What counts as health data. HIPAA defines PHI as individually identifiable health information created or received by a covered entity. State laws define health data more broadly. Washington's MHMDA includes location data near healthcare facilities, searches for health-related information, and data about attempts to obtain health services. A consumer searching for "addiction treatment near me" on your website generates consumer health data under MHMDA, regardless of whether your organization is a HIPAA-covered entity.
Consent standards vary. HIPAA generally does not require consent for treatment, payment, or healthcare operations, and marketing uses require written authorization. State laws impose consent requirements for collection itself, not just specific uses. Washington requires affirmative consent separate from terms of service. Connecticut requires opt-in for sale and advertising uses. The strictest state's standard effectively becomes the floor for any multi-state organization.
Enforcement mechanisms differ. HIPAA is enforced by OCR at the federal level. State laws are enforced by state attorneys general, and some (notably Washington) provide private rights of action. NewYork-Presbyterian Hospital's $300,000 settlement with the New York Attorney General for using tracking pixels without internal policies demonstrates that state-level enforcement is active and growing.
What Multi-State Healthcare Organizations Must Address
For a health system operating across multiple states, or any organization with a website accessible to residents of these states, the compliance challenge is layered.
Apply the strictest standard broadly. When Washington requires affirmative consent for health data collection and Connecticut requires opt-in for health data in advertising, the practical approach is to implement consent mechanisms that meet the most restrictive applicable law. Building separate consent flows for each state is technically possible but operationally fragile.
Audit your data collection for state-specific definitions. Your website may collect data that is not PHI under HIPAA but is "consumer health data" under state law. IP addresses combined with health-page URLs, location data, and appointment inquiry form submissions all potentially qualify. Map every data collection point against the broadest applicable definition.
Ensure vendor coverage extends beyond BAAs. A BAA covers HIPAA obligations. State health privacy laws may impose requirements on your vendors (as "processors" of consumer health data) that go beyond what a standard BAA addresses. Review your vendor agreements to ensure they cover state-specific obligations, including consent requirements, data minimization, and restrictions on secondary use.
Implement server-side consent enforcement. Client-side consent banners can be bypassed, delayed, or rendered incorrectly. When state laws require affirmative consent before health data collection, that consent must be verified server-side before any data flows to downstream systems. Server-side consent gating ensures compliance regardless of browser behavior, ad blockers, or JavaScript timing issues.
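As an added illustration of the server-side consent gate described here (and of auditing events against the broadest applicable definition from the previous point), the following example code is not part of this article or of Ours Privacy's product. The event fields, the consent-record layout, and the health-page URL prefixes and search terms are assumptions; every event is judged by one rule regardless of the visitor's state, which is the strictest-standard approach the article recommends.

```python
from dataclasses import dataclass

# Constructed: URL prefixes and search terms this site treats as health-related.
HEALTH_PATH_PREFIXES = ("/conditions/", "/treatment/", "/appointments/")
HEALTH_QUERY_TERMS = ("treatment", "symptom", "clinic", "addiction")

@dataclass(frozen=True)
class Consent:  # assumed record layout, not the article's
    affirmative_opt_in: bool     # an affirmative opt-in, not passive banner acceptance
    separate_from_terms: bool    # recorded apart from the general terms of service
    purposes: frozenset          # purposes agreed to, e.g. {"analytics", "advertising"}

def is_consumer_health_data(event: dict) -> bool:
    """Broadest definition in the article: health-page browsing, health-related
    searches, appointment inquiries, or location near a healthcare facility."""
    path = event.get("path", "")
    query = event.get("search_query", "").lower()
    return (path.startswith(HEALTH_PATH_PREFIXES)
            or any(term in query for term in HEALTH_QUERY_TERMS)
            or event.get("form") == "appointment_inquiry"
            or bool(event.get("near_healthcare_facility", False)))

def gate(event: dict, consents: dict, purpose: str) -> tuple:
    """Server-side decision: may this event go downstream for `purpose`?
    Returns (forward, reason). One rule for every visitor (strictest standard)."""
    if not is_consumer_health_data(event):
        return True, "not-health-data"
    consent = consents.get(event.get("consumer_id"))
    if consent is None or not consent.affirmative_opt_in:
        return False, "no-affirmative-consent"
    if not consent.separate_from_terms:
        return False, "consent-bundled-with-terms"
    if purpose not in consent.purposes:
        return False, "no-consent-for-" + purpose
    return True, "consented"

CONSENTS = {  # constructed sample records; "u4" below never consented
    "u1": Consent(True, True, frozenset({"analytics", "advertising"})),
    "u2": Consent(True, False, frozenset({"analytics"})),  # bundled with ToS
    "u3": Consent(True, True, frozenset({"analytics"})),   # analytics only
}
EVENTS = [  # constructed sample events
    {"consumer_id": "u1", "path": "/conditions/diabetes", "ip": "203.0.113.5"},
    {"consumer_id": "u2", "path": "/treatment/cardiology", "ip": "203.0.113.6"},
    {"consumer_id": "u3", "path": "/", "search_query": "addiction treatment near me", "ip": "203.0.113.7"},
    {"consumer_id": "u4", "path": "/about", "ip": "203.0.113.8"},
    {"consumer_id": "u4", "path": "/", "near_healthcare_facility": True, "ip": "203.0.113.9"},
]
```

The gate runs where the data leaves your control (the collection endpoint or the server-side tag container), so a banner that never rendered, a blocked script, or a mis-timed tag cannot let an unconsented health event through.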
Monitor your tracking surface continuously. State health privacy laws apply to every script, cookie, and pixel on your website. A third-party plugin that loads a tracking tag without your knowledge could create state law violations across every jurisdiction where you have visitors. A web scanner that continuously audits your site for unauthorized data collection is not optional in a multi-state compliance environment.
FAQ
Do state health privacy laws apply if my organization is already HIPAA compliant?
Yes. HIPAA and state health privacy laws operate independently. HIPAA compliance does not exempt you from state law requirements. In many cases, state laws impose additional obligations that HIPAA does not address, including consent for data collection (not just marketing use), restrictions on data sale, and geofencing prohibitions. HIPAA sets a floor, not a ceiling.
Which state law applies if my organization is based in one state but has patients in another?
Most state health privacy laws apply based on where the consumer resides, not where the organization is located. If your website is accessible to Washington residents and collects health-related browsing data from those residents, Washington's MHMDA likely applies. For multi-state organizations, the practical approach is to comply with the strictest applicable law for all visitors.
Does my website need different consent flows for different states?
Not necessarily. Building state-specific consent flows is complex and error-prone. Most organizations are better served by implementing a single consent framework that meets the requirements of the most restrictive applicable state law. This typically means affirmative opt-in consent for health data collection, separate from general terms of service, with specific disclosures about how the data will be used.
Are ad platforms like Google and Meta affected by state health privacy laws?
Yes. State laws apply to any entity that collects or processes consumer health data from state residents. When a tracking pixel on your healthcare website sends data to Google or Meta, both your organization and the platform are potentially subject to state health data laws. This reinforces the importance of server-side architecture, where you control exactly what data reaches ad platforms.
How do geofencing restrictions work in practice?
Connecticut and Nevada prohibit geofencing within a specified distance of healthcare facilities for advertising purposes. This means you cannot create location-based ad audiences defined by proximity to hospitals, clinics, or pharmacies. If your advertising platform uses geofencing for targeting and any of those geofences overlap with healthcare facilities, you may be in violation. Audit your location-based campaigns for compliance with each applicable state's geofencing rules.
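An added example (not from the article or from Ours Privacy) of the campaign audit described above: it flags circular geofences whose nearest edge comes within the 1,750-foot distance the article gives for Connecticut, with the buffer adjustable for other states. The facility coordinates, the geofence records, and the edge-based reading of the restriction are assumptions of this example.

```python
import math

FEET_PER_METER = 3.28084
EARTH_RADIUS_M = 6_371_000.0
BUFFER_FT = 1750  # the Connecticut distance given in the article; other states differ

def distance_ft(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in feet; accurate enough at campaign scale."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a)) * FEET_PER_METER

def flagged_geofences(geofences, facilities, buffer_ft=BUFFER_FT):
    """Return (geofence, facility, edge_gap_ft) for every circular geofence whose
    nearest edge comes within buffer_ft of a facility. Assumption of this example:
    the distance is measured from the geofence edge, so a geofence that contains
    the facility (negative gap) is flagged as well."""
    hits = []
    for g in geofences:
        for f in facilities:
            gap = distance_ft(g["lat"], g["lon"], f["lat"], f["lon"]) - g["radius_ft"]
            if gap < buffer_ft:
                hits.append((g["name"], f["name"], round(gap)))
    return hits

# Constructed sample data; coordinates are illustrative, not real facility locations.
FACILITIES = [{"name": "clinic-A", "lat": 41.7658, "lon": -72.6734}]
GEOFENCES = [
    {"name": "mall-promo", "lat": 41.7758, "lon": -72.6734, "radius_ft": 1000},  # ~3,648 ft away
    {"name": "downtown", "lat": 41.7708, "lon": -72.6734, "radius_ft": 500},     # ~1,824 ft away
    {"name": "citywide", "lat": 41.7658, "lon": -72.6734, "radius_ft": 800},     # contains the clinic
]
```

Run it against the geofences exported from each ad platform and the facility list for every state where you advertise, using that state's distance as the buffer.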
The state health privacy law landscape is expanding, and healthcare marketing teams can no longer rely on HIPAA compliance alone. Consent management, server-side architecture, and continuous monitoring are the infrastructure needed to operate compliantly across jurisdictions. If your organization serves patients in multiple states, Ours Privacy provides the consent management and server-side data infrastructure that meets both HIPAA and state-level requirements.
Related reading:
Washington My Health My Data Act Explained for Marketers
HIPAA and Marketing: What the Privacy Rule Actually Says About Advertising
FTC Health Breach Notification Rule: Plain English Summary
The December 2022 OCR Guidance on Tracking Technologies: What Changed