In light of the February 16, 2026, deadline for covered entities to update their notice of privacy practices (NPP), covered entities should consider “more stringent” state laws that may apply to these updated forms and require compliance. The federal Health Insurance Portability and Accountability Act (HIPAA) privacy rule sets the floor for privacy protections and individuals’ rights when it comes to their individually identifiable health information but allows for states to enact stronger or more stringent requirements regarding the privacy of patient health information.
Employers’ Obligations
When federal law sets the ground floor for compliance and allows states to set more demanding requirements, as is the case with HIPAA, it’s commonly known as “floor preemption.” So, HIPAA leaves the door open for state law to impose more demanding standards in certain circumstances. (This stands in contrast to “ceiling preemption,” when federal law sets the maximum standards and precludes any more restrictive, or differently restrictive, state laws from having effect.)
It’s critical for covered entities to understand what state laws, if any, may impose additional obligations and that merely complying with HIPAA isn’t enough. This is made even more important by the raft of state-specific privacy protection laws that states across the country have implemented within the last decade. The examples below illustrate when and where state law may impose burdens more demanding than HIPAA and the privacy rule but also note where HIPAA preempts other, conflicting state laws.
General Rule
Generally, state laws that make it impossible for a covered entity or business associate to comply with both state and federal requirements adopted under HIPAA and stand as an obstacle to accomplishing the purposes and objectives of the administrative simplification provisions of HIPAA are preempted by HIPAA. This general rule comes with certain exceptions, including the “more stringent” standard.
Specifically, if a provision of state law (defined to include a constitution, statute, regulation, rule, common law, or other state action having the force and effect of law) that relates to the privacy of individually identifiable health information is “more stringent” than a requirement under the privacy rule, then the state law provision isn’t preempted by HIPAA.
When comparing a state law provision with a privacy rule requirement, a state law provision is generally considered “more stringent” when there are greater privacy protections for the individual. For example, it may:
- Set more restrictive limits on when protected health information (PHI) can be used or disclosed than what HIPAA allows;
- Expand individuals’ rights to access or correct their PHI;
- Demand more specific consent/authorization standards; or
- Require more detailed accounting of disclosures or longer-lasting recordkeeping.
NPP
Within the privacy rule itself, the “more stringent” standard comes up in the context of NPP for PHI. Specifically, when another applicable law is more stringent than HIPAA—e.g., 42 Code of Federal Regulations (CFR) Part 2 for substance use disorder (SUD) records or a more stringent state law—the NPP must adopt and reflect those more restrictive rules.
As mentioned, given the upcoming NPP deadline to reflect changes for Part 2 records, covered entities need to analyze whether there are more stringent state laws to discuss, as well.
Examples of ‘More Stringent’ State Laws
The following are some examples of state laws that potentially warrant further consideration for covered entities to include in NPP revisions.
Colorado law prohibits providers or facilities licensed by the state from providing information (e.g., patient records) in furtherance of an out-of-state investigation (i.e., state or federal to the extent constitutionally permissible) seeking to impose civil or criminal liability or professional sanction for engaging in certain “legally protected health-care activities” (e.g., seeking, providing, or receiving gender-affirming healthcare services or reproductive health care that’s lawful in Colorado).
New Mexico law prohibits healthcare providers and institutions from using or disclosing health information in an individual’s electronic patient record to another person without the consent of the individual, except as required by state or federal law. As applied to federal law, consent would be required in all cases except when disclosure is required under HIPAA, which occurs in two scenarios: when a patient requests access to their PHI or an accounting of disclosures of PHI, and when the Department of Health and Human Services conducts a compliance investigation, undertakes enforcement action, or conducts a similar review. Previously, the New Mexico law excepted disclosures allowed by state or federal law, not only those required by it.
Montana law provides that when patients request to examine or copy all or part of their recorded healthcare information in writing, the healthcare provider must make such information available as promptly as required under the circumstances but not later than 10 days after receiving the request.
Nevada law requires a custodian of healthcare records to make a patient’s records available for physical inspection by the patient, or the patient’s representative designated in the patient’s written authorization, within 10 working days if those records are located within the state of Nevada. For records located outside the state, the records must be made available to the patient or patient’s designated representative within 20 working days of the request. These response times are truncated further in the event of a request by a governmental investigator, grand jury, coroner, or medical examiner to five working days or even less.
Also, state laws governing health information and data privacy more generally frequently exempt HIPAA-covered entities, business associates, or PHI from their scope. The variety of state laws that may apply to individuals’ health information requires close analysis, including not only their applicability but also whether they impose a more stringent standard than HIPAA that applies in excess of HIPAA’s threshold requirements.
Takeaway
As covered entities make appropriate updates to their NPPs, this analysis is even more important. Conducting it early, and correctly, will ensure your NPPs are up to date and accurate, and that day-to-day practices align with the most protective applicable requirements, while avoiding complex and potentially costly questions of federal preemption and state control.
Jake Walker is an attorney with Holland & Hart LLP in Denver, Colorado, and can be reached at jswalker@hollandhart.com.