Thursday, July 16, 2026
EN FR
Admin
Privacy

Beyond HIPAA: State Health Privacy Laws and Your Organization's Data Governance Strategy

Beyond HIPAA: State Health Privacy Laws and Your Organization's Data Governance Strategy

The Regulatory Landscape Has Shifted: What CISOs and Compliance Officers Need to Know

For decades, HIPAA has served as the primary regulatory framework for health data protection in the United States. Yet the landscape has fundamentally changed. California's Confidentiality of Medical Information Act (CMIA) and Washington's My Health MY Data Act (MHMD) now impose requirements that often exceed HIPAA's baseline protections—and organizations operating across state lines face the burden of compliance with overlapping, sometimes contradictory rules.

Unlike HIPAA, which applies uniformly nationwide, state health privacy laws create fragmented compliance obligations that demand sophisticated governance models. A health system operating in California and Washington must simultaneously meet HIPAA requirements, state-specific data handling rules, and consumer rights provisions that HIPAA does not mandate. This post-HIPAA era requires strategic rethinking of data governance, security architecture, and risk management practices aligned with frameworks like the NIST Cybersecurity Framework and HITRUST CSF.

California's CMIA: Stricter Standards for Data Handling and Consumer Rights

The CMIA, codified in California Civil Code §56 et seq., predates HIPAA but has evolved through legislative amendments that now impose obligations exceeding federal standards in several critical areas. Unlike HIPAA's "minimum necessary" principle, CMIA requires explicit authorization for many uses and disclosures of medical information. More significantly, California has expanded consumer rights through amendments requiring healthcare providers to honor patient requests to restrict uses of health data for marketing, research, and other secondary purposes—rights not explicitly guaranteed under HIPAA.

For CISOs, the compliance challenge centers on three areas: access controls and audit logging, authorized uses documentation, and breach notification timelines. California's breach notification law (Civil Code §1798.82) requires notification "without unreasonable delay" and without unreasonably delaying law enforcement investigations—language less prescriptive than HIPAA's 60-day standard but potentially more stringent in practice. Organizations must implement enhanced monitoring capabilities aligned with CIS Controls 3 (Data Protection), 6 (Access Control Management), and 8 (Audit Logging) to demonstrate compliance. Additionally, CMIA's expansion of patient deletion rights under California Consumer Privacy Act (CCPA) amendments requires metadata management systems that track authorization states and use restrictions—a technical burden that HIPAA-only systems may not support.

Washington's My Health MY Data Act: Consumer Control and Data Minimization

Washington's MHMD Act (RCW 19.255), effective in 2024, introduces a consumer-centric model centered on individual autonomy and data minimization. The law grants patients explicit rights to access their data, correct inaccuracies, and—critically—restrict how covered entities use or disclose their health information. Unlike HIPAA's broad "permitted uses" framework, MHMD restricts secondary uses such as marketing, research, and analytics unless the patient affirmatively consents or the use is clinically necessary.

This creates a fundamentally different data governance model. Organizations must implement granular consent and preference management systems that honor patient restrictions on a use-by-use basis. From a technical perspective, this demands integration of consent databases with clinical workflows, analytics platforms, and research systems. CISOs should evaluate how patient preferences propagate through their data ecosystems—particularly in integrated delivery networks where data flows across multiple systems. NIST CSF's Govern function and HITRUST's control around information governance become essential design requirements, not compliance checkboxes.

Practical Compliance Guidance for Multi-State Health Systems

1. Audit Your Current Data Handling Practices Against State-Specific Requirements

Begin with a detailed mapping exercise comparing your current policies against CMIA, MHMD, and HIPAA requirements. Use a FAIR-based risk assessment methodology to prioritize gaps. For example, if your consent management system allows broad authorization for "research and public health," you are likely non-compliant with MHMD's restriction model. Document this gap formally and develop remediation timelines.

2. Implement Granular Access Controls and Enhanced Audit Logging

Both laws require demonstrated control over who accesses medical information and for what purpose. Implement role-based access controls (RBAC) with attributes tied to clinical necessity and state-specific authorization states. CIS Control 6 (Access Control Management) and NIST CSF controls on access management must be operationalized beyond policy documents into technical implementations. Audit logs should capture not just "access occurred" but justification context: was access for treatment, billing, operations, or a restricted secondary use?

3. Redesign Consent and Preference Management Systems

MHMD requires systems capable of honoring granular patient restrictions. Evaluate whether your electronic health record (EHR) and consent management platform (CMP) can enforce restrictions on specific secondary uses (e.g., marketing, certain research). This may require vendor engagement, custom development, or replacement of legacy systems. The investment is substantial but unavoidable.

4. Establish Clear Breach Notification and Incident Response Protocols

Both laws impose strict notification requirements. California's standard is "without unreasonable delay"; Washington's is "as expeditiously as possible." Document your incident response plan to specify investigation timelines, notification triggers, and coordination with law enforcement. Ensure your security operations center (SOC) and incident response team understand these timelines differ from HIPAA's 60-day standard and may be more restrictive.

5. Build Vendor Management Requirements into Contracts

Your business associates and vendors must also comply with state privacy laws. Update business associate agreements (BAAs) and data processing agreements (DPAs) to explicitly require compliance with CMIA and MHMD. Conduct vendor assessments against CIS Controls and HITRUST CSF frameworks to ensure your third parties meet the same standard you're building internally.

The Broader Strategic Imperative

State health privacy laws signal a permanent shift toward stronger consumer protections and organizational accountability. Rather than viewing CMIA and MHMD as isolated compliance burdens, forward-thinking health system leaders should leverage these requirements as drivers for maturity improvements. Organizations that implement robust data governance, granular access controls, and transparent audit practices aligned with NIST CSF and HITRUST will find themselves better positioned not only for current compliance but for future regulation.

The compliance deadline is here. The strategic opportunity is now.

📚 Recommended Reading

Books our AI recommends to deepen your knowledge on this topic.

📚
Data Privacy: A Runbook for Engineers
by Nishant Bhajaria
"Data Privacy: A Runbook for Engineers" by Nishant Bhajaria provides practical, implementation-focused guidance on translating privacy requirements into technical controls and architecture decisions—directly applicable to CMIA and MHMD compliance engineering.
View on Amazon →
📚
HIPAA Plain & Simple: A Healthcare Professional's Handbook
by Carolyn P. Hartley and Erin Dempsey-Clifford
"HIPAA Plain & Simple" by Carolyn P. Hartley and Erin Dempsey-Clifford establishes the baseline HIPAA knowledge healthcare professionals require to understand how state laws like CMIA and MHMD expand or diverge from federal standards.
View on Amazon →
📚
AI Ethics
by Mark Coeckelbergh
"AI Ethics" by Mark Coeckelbergh addresses the ethical dimensions and governance implications of data use restrictions and consumer control rights—core principles embedded in MHMD's design and increasingly relevant as health systems deploy AI/ML systems constrained by state privacy laws.
View on Amazon →