Saturday, June 6, 2026

Beyond HIPAA: Navigating California CMIA and Washington's My Health MY Data Act

The State Privacy Patchwork: Why HIPAA Is No Longer Enough

For decades, the Health Insurance Portability and Accountability Act (HIPAA) has served as the federal floor for health data protection in the United States. However, the emergence of state-level health privacy laws has fundamentally altered the compliance calculus for multi-state health systems. California's Confidentiality of Medical Information Act (CMIA) and Washington State's My Health MY Data Act (MHMD Act) represent a critical evolution: they establish privacy standards that exceed HIPAA's requirements and introduce consumer rights, consent models, and enforcement mechanisms that demand immediate organizational attention.

Unlike HIPAA, which applies narrowly to covered entities and business associates, state laws typically apply to any entity that collects, maintains, or uses health information—including non-traditional players like digital health platforms, retail pharmacies, and fitness applications. This broader scope fundamentally expands the regulatory perimeter for health systems operating in these states and creates cascading compliance obligations that flow downstream to vendors, third-party developers, and data partners.

California's CMIA: Structure, Requirements, and Enforcement Evolution

California's CMIA, codified at California Civil Code Section 56 et seq., was enacted in 1981, fifteen years before HIPAA, and remains one of the nation's most stringent state health privacy regimes. "Medical information" (§56.05) is individually identifiable information, in any form, that is in the possession of or derived from a provider of health care, health care service plan, or contractor and that regards a patient's medical history, mental or physical condition, or treatment. The law reaches providers of health care, health care service plans, contractors, and employers that hold medical information. Critically for digital health, §56.06 also treats a business organized to maintain medical information, and any business that offers software or hardware to consumers (including mobile applications) designed to maintain medical information, as a provider of health care for CMIA purposes, even though such businesses typically sit outside HIPAA's covered-entity and business-associate definitions.

CMIA's core prohibition (§56.10) bars a provider, plan, or contractor from disclosing medical information without the patient's authorization, subject to enumerated exceptions for treatment, payment, legal process, and similar purposes. The authorization itself is tightly specified in §56.11: it must be in writing, signed and dated, in legible type or handwriting, clearly separate from any other language on the same page, and must name the recipient, the specific uses and limitations on use, and an expiration. Certain categories carry additional state-law restrictions on top of this, such as outpatient psychotherapy records (§56.104), HIV test results (Health and Safety Code §120980), and genetic test results (§56.17); substance use disorder treatment records are governed federally by 42 CFR Part 2, which CMIA does not displace. CMIA does not enumerate administrative, physical, and technical safeguards the way the HIPAA Security Rule does. Instead, §56.101 imposes a duty to create, maintain, preserve, store, and dispose of medical information in a manner that preserves its confidentiality, with liability for negligent release under §56.36, and §56.101(b) requires electronic health record systems to protect and preserve record integrity and to automatically record and preserve any change or deletion of electronically stored medical information, including the identity of the person who made it and the date and time. That audit-trail requirement is the one CMIA control that is more specific than HIPAA's, and it is worth verifying that every system holding electronic medical records, not only the primary EHR, can actually produce it.

The interaction with the California Consumer Privacy Act (CCPA) is a frequent source of confusion. CCPA exempts medical information governed by CMIA and protected health information governed by HIPAA (Civ. Code §1798.145(c)), so CCPA's deletion-on-demand right does not reach a patient's clinical record. The exemption is data-specific, not entity-wide: a health system's website analytics, marketing lists, and other personal information that is neither CMIA medical information nor HIPAA PHI remains subject to CCPA access and deletion rights. The practical task is therefore to classify each data set by governing regime and attach the correct retention and deletion rule to it, rather than to reconcile two conflicting rules for the same record. Enforcement is layered as well: patients have a private right of action under §56.36, and the Attorney General, district attorneys, and city attorneys may seek civil penalties, with consent practices and the handling of security incidents the usual focus of scrutiny.

Practical Implementation for CISOs

Organizations operating in California should conduct a detailed CMIA inventory audit: identify all data flows, use cases, and third-party processors that handle medical information. Map each use case to a specific §56.10 exception or to an authorization, and assess whether current consent forms and workflows meet §56.11's form requirements (written, signed, dated, separate from other language on the page, naming recipient, uses, and expiration). Engage legal counsel to clarify applicability in gray-zone scenarios: because §56.06 deems a consumer-facing application or device that maintains medical information to be a provider of health care, telehealth platforms, wearable integrations, and patient-facing mobile applications frequently trigger CMIA obligations that the organization did not anticipate.

Washington's My Health MY Data Act: Consumer Rights and Technical Controls

Enacted in April 2023, Washington's My Health MY Data Act (chapter 19.373 RCW) took effect for regulated entities on March 31, 2024, and for small businesses on June 30, 2024; its prohibition on geofencing around facilities that provide in-person health care services took effect earlier, on July 23, 2023. Unlike CMIA, which evolved from healthcare-specific roots, MHMD draws on consumer privacy frameworks and emphasizes individual consent and rights over prescriptive operational safeguards. Its defining feature is scope: it reaches any entity that conducts business in Washington or targets Washington consumers and collects "consumer health data," a term covering information linkable to a consumer that identifies past, present, or future physical or mental health status, including inferences drawn from non-health data. It does not duplicate HIPAA, however: protected health information governed by HIPAA and health care information governed by Washington's Uniform Health Care Information Act (chapter 70.02 RCW) are exempt. For a HIPAA-covered health system, MHMD therefore bites on the data that falls outside those regimes, such as marketing and web analytics data, wellness and consumer app data, and pixel or SDK telemetry on patient-facing sites.

The Act's consumer rights (RCW 19.373.040) are narrower than a full consumer-privacy bill of rights but have sharp edges: the right to confirm whether an entity is collecting, sharing, or selling the consumer's health data and to access it, together with a list of all third parties and affiliates with whom it has been shared or sold and an active email address or other online mechanism for contacting them; the right to withdraw consent to collection and sharing; and the right to deletion, which extends to archived and backup systems and obligates the entity to notify affiliates, processors, contractors, and other third parties of the request. There is no separate correction right, and the Act contains no data portability or interoperability mandate.

Its prohibitions are equally concrete. Collection or sharing of consumer health data requires the consumer's opt-in consent unless it is necessary to provide a product or service the consumer requested; sale requires a separate, signed "valid authorization" with its own content requirements and a one-year validity limit (RCW 19.373.070); geofencing within 2,000 feet of an in-person health care facility to identify, track, or message consumers is banned (RCW 19.373.080); and entities may not unlawfully discriminate against a consumer for exercising these rights. Security obligations are stated as a standard rather than a checklist: entities must restrict access to consumer health data to the employees, processors, and contractors who need it to fulfill the purpose the consumer consented to, and must maintain reasonable administrative, technical, and physical data security practices (RCW 19.373.050). The statute names no framework, so organizations should document which recognized standard (NIST CSF, HITRUST CSF, or similar) they map these practices to and be prepared to defend that choice.

Access and Deletion Request Fulfillment

The operational weight of MHMD sits in the access and deletion rights, and both push beyond what most HIPAA-era request workflows handle. An access response must include the consumer's data and a list of every third party and affiliate with whom it was shared or sold, with a working contact mechanism for each, which presupposes a maintained sharing inventory tied to consumer identity rather than a one-time data map. A deletion request must be honored across production systems and archived or backup copies, with notice to every affiliate, processor, contractor, and third party that received the data, and processors must in turn honor it. Requests must be answered within 45 days, extendable once by a further 45 days when reasonably necessary, provided the consumer is told within the initial window; data held in archived or backup systems may be deleted within six months of the request. Meeting this requires an authenticated request intake, a per-consumer lineage record of where data lives and who received it (tag-based discovery in data stores, sharing logs at the API and pixel/SDK layer), scriptable deletion for each store, a tracked notification path to downstream recipients, and audit logging sufficient to evidence each step and its timestamp.

Organizations should establish a cross-functional governance structure including legal, clinical informatics, security engineering, and compliance teams to operationalize these rights. Develop standard operating procedures for request authentication, access fulfillment, and deletion fan-out; automate fulfillment where feasible; and maintain retention schedules that reconcile legal holds, other regulatory retention requirements, and MHMD's deletion timelines, documenting any statutory exemption relied on whenever data is retained.
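As an added example, not part of the original article, the following Python module models how an MHMD access or deletion request could be tracked: it computes the response deadline, classifies each data store into immediate deletion, deferred backup deletion, or counsel review, and lists the downstream recipients to notify. The store names, recipients, and the `legal_hold` flag are constructed for illustration; the 45-day response window, the single 45-day extension, and the six-month backup deletion window reflect my reading of RCW 19.373.040 and should be verified against the current statute and counsel's guidance.

```python
"""Deadline and fan-out model for a Washington MHMD consumer-rights request.

Added example; timelines are my reading of RCW 19.373.040 and must be verified
against the current statute. Store names and recipients are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional

RESPONSE_DAYS = 45        # initial response window after receipt of an authenticated request
EXTENSION_DAYS = 45       # one extension, allowed only if the consumer is told within the first window
BACKUP_DELETE_DAYS = 182  # "within six months" for archived/backup copies; 182 days is an assumption


class RequestType(Enum):
    ACCESS = "access"              # confirm collection/sharing/sale, return data and recipient list
    WITHDRAW = "withdraw_consent"  # stop further collection and sharing
    DELETE = "delete"              # purge from all systems, including archives and backups


@dataclass(frozen=True)
class DataStore:
    name: str
    backup_or_archive: bool = False
    legal_hold: bool = False  # hypothetical flag: retention claimed under a statutory exemption


@dataclass(frozen=True)
class Recipient:
    """An affiliate, processor, contractor, or third party that received the data."""
    name: str
    contact: str  # active email or online mechanism; the access response must disclose it


@dataclass
class Request:
    consumer_id: str
    kind: RequestType
    received: date
    authenticated: bool = False
    extension_notice_sent: Optional[date] = None


def response_deadline(req: Request) -> date:
    """Due date: 45 days, extended by 45 only when the notice went out inside the first window."""
    base = req.received + timedelta(days=RESPONSE_DAYS)
    if req.extension_notice_sent is not None and req.extension_notice_sent <= base:
        return base + timedelta(days=EXTENSION_DAYS)
    return base


def plan_deletion(req: Request, stores: list[DataStore], recipients: list[Recipient]) -> dict:
    """Classify each store and list who must be notified; refuse to act before authentication."""
    if req.kind is not RequestType.DELETE:
        raise ValueError("plan_deletion handles deletion requests only")
    if not req.authenticated:
        # Acting on an unauthenticated request is itself a security failure: an attacker
        # could erase a victim's records. Hold the request until identity is verified.
        return {"status": "pending_authentication", "consumer_id": req.consumer_id}
    plan = {
        "status": "accepted",
        "consumer_id": req.consumer_id,
        "respond_by": response_deadline(req),
        "backup_delete_by": req.received + timedelta(days=BACKUP_DELETE_DAYS),
        "delete_now": [],
        "delete_by_backup_deadline": [],
        "review_with_counsel": [],
        "notify": [r.name for r in recipients],  # every downstream recipient gets the request
    }
    for store in stores:
        if store.legal_hold:
            plan["review_with_counsel"].append(store.name)  # retention must cite an exemption
        elif store.backup_or_archive:
            plan["delete_by_backup_deadline"].append(store.name)
        else:
            plan["delete_now"].append(store.name)
    return plan


def access_response(req: Request, records: dict, recipients: list[Recipient]) -> dict:
    """Access response: the data plus every recipient and a contact mechanism for each."""
    if req.kind is not RequestType.ACCESS or not req.authenticated:
        raise ValueError("access_response requires an authenticated access request")
    return {
        "consumer_id": req.consumer_id,
        "respond_by": response_deadline(req),
        "data": records,
        "shared_with": [{"name": r.name, "contact": r.contact} for r in recipients],
    }


if __name__ == "__main__":
    # Constructed sample: one deletion request against four stores and two recipients.
    stores = [DataStore("patient_portal_db"), DataStore("analytics_warehouse"),
              DataStore("cold_archive", backup_or_archive=True),
              DataStore("litigation_export", legal_hold=True)]
    recipients = [Recipient("AdPixelCo", "privacy@adpixel.example"),
                  Recipient("EmailVendor", "https://emailvendor.example/privacy")]
    req = Request("c-1042", RequestType.DELETE, date(2024, 4, 1), authenticated=True,
                  extension_notice_sent=date(2024, 5, 10))
    for key, value in plan_deletion(req, stores, recipients).items():
        print(f"{key}: {value}")
```

The two design points worth carrying into a real implementation are the authentication gate (a deletion right is a denial-of-service primitive if anyone can invoke it for anyone else) and the explicit `review_with_counsel` bucket, which forces every retained copy to be tied to a documented exemption rather than quietly surviving the purge.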

Comparative Analysis and Compliance Strategy

CMIA and the MHMD Act differ significantly in scope, enforcement mechanisms, and consumer remedies. Under CMIA (§56.36), a patient may sue for nominal damages of $1,000 plus actual damages for a negligent release without having to prove actual harm, and the Attorney General, district attorneys, and other public prosecutors may seek civil penalties that scale with culpability: up to $2,500 per negligent violation, up to $25,000 per knowing and willful violation, and up to $250,000 per violation committed knowingly and willfully for financial gain. MHMD contains no penalty schedule of its own; a violation is a per se unfair or deceptive act under Washington's Consumer Protection Act (chapter 19.86 RCW), which gives the Attorney General enforcement authority with civil penalties of up to $7,500 per violation and gives consumers a private right of action for actual damages, treble damages up to the CPA's $25,000 cap, and attorneys' fees. Because MHMD reaches marketing and analytics data at consumer scale, that private right of action creates material class-action exposure.

For multi-state health systems, a layered compliance approach is essential. Establish a baseline that exceeds HIPAA requirements by incorporating CMIA's authorization standards and MHMD's consumer rights architecture. Use NIST CSF's Identify, Protect, Detect, Respond, and Recover functions as an organizational framework. Map state-specific requirements to CSF implementation guidance and document compliance artifacts within existing audit and governance infrastructure.

Conduct regular gap assessments, engage vendors in compliance due diligence, and establish metrics for tracking consumer rights requests, data portability fulfillment, and security control effectiveness. As additional states enact health-specific privacy legislation, organizations that establish robust state-agnostic compliance foundations today will reduce future remediation costs and operational disruption.

📚 Recommended Reading

Books our AI recommends to deepen your knowledge on this topic.

Weapons of Math Destruction
by Cathy O'Neil
"Weapons of Math Destruction" critically examines algorithmic bias and opaque decision-making in high-stakes domains, a useful lens on the health inferences that the My Health MY Data Act treats as consumer health data in their own right and on the accountability challenges CISOs face in auditing AI-driven clinical systems.
HIPAA Plain & Simple: A Healthcare Professional's Handbook
by Carolyn P. Hartley and Erin Dempsey-Clifford
"HIPAA Plain & Simple" provides the foundational federal privacy and security context essential for understanding how state laws like CMIA and My Health MY Data Act build upon, exceed, and sometimes conflict with HIPAA's established requirements and operational frameworks.
The Privacy Engineer's Manifesto
by Michelle Finneran Dennedy, Jonathan Fox, and Tom Finneran
"The Privacy Engineer's Manifesto" articulates practical privacy-by-design principles and technical implementation strategies that directly address the architectural challenges of building CMIA-compliant authorization workflows and MHMD-compliant access and deletion request fulfillment, including the per-consumer data lineage and recipient tracking those rights require.