Your Health Data Rights in Every US State: A 2026 Guide

HIPAA sets a national minimum. Individual states have built significantly different protections on top of it — and most patients have no idea the stronger rights exist.

By QuanMed AI Research Team — Quantum Medicine Research Division

Published: 2 August 2026

Every time you see a doctor, fill a prescription, or use a health app, data about your body, your diagnoses, and your treatments is generated, stored, and in many cases shared. The federal Health Insurance Portability and Accountability Act — HIPAA — has governed that data since 1996, and most Americans assume it provides comprehensive protection. It does not. HIPAA applies only to a defined set of covered entities: healthcare providers who conduct electronic transactions, health plans, and healthcare clearinghouses, plus their business associates. The explosion of health apps, direct-to-consumer genetic tests, wellness wearables, and AI diagnostic tools has created a vast ecosystem of health data that HIPAA simply does not reach.

The gap has not gone unnoticed. Over the past several years, individual states have enacted their own health data privacy laws — some substantially stronger than federal law, others merely restating it. Where you live determines the legal protections surrounding some of the most sensitive information about you. This guide maps those protections state by state as of mid-2026, explains what HIPAA actually guarantees, and tells you what to do when you think those rights have been violated. Our plain-language explainer on how HIPAA actually works is a useful companion to this article.

What HIPAA Actually Guarantees — and What It Does Not

The Federal Floor

HIPAA's Privacy Rule, finalized in 2000, gives patients a set of baseline rights with respect to their protected health information (PHI). You have the right to access and obtain a copy of your medical records. You have the right to request corrections to inaccurate information. You have the right to receive a notice of privacy practices explaining how your information may be used. You have the right to request an accounting of certain disclosures. And you have the right to restrict certain uses and disclosures, though covered entities are not always required to agree to those restrictions.

These rights sound robust. In practice, the enforcement mechanism is weaker than patients expect. HIPAA does not give individual patients a private right of action — you cannot sue a hospital or insurer directly for a HIPAA violation. Instead, you must file a complaint with the Department of Health and Human Services Office for Civil Rights (OCR), which investigates and can impose civil monetary penalties. OCR is chronically underfunded and resolves only a fraction of the tens of thousands of complaints it receives each year. The practical effect is that HIPAA violations are significantly under-deterred.

The HIPAA Blind Spot

Apps, wearables, direct-to-consumer genetic tests, and wellness platforms are generally not HIPAA covered entities. If you use a period-tracking app, a mental health chatbot, or a fitness tracker that is not directly affiliated with your healthcare provider, that app is likely free to collect, use, and sell your health data under federal law. The only binding limit is the platform's own privacy policy — which you almost certainly have not read.

The HHS Office for Civil Rights received more than 50,000 HIPAA complaints in 2024 alone. The scale of health data breaches has only accelerated in recent years, making the gap between legal protections and real-world data security increasingly consequential.

The Leaders: States With the Strongest Protections

Washington: The My Health My Data Act

Washington State's My Health My Data Act (MHMD Act), signed in 2023, is the most aggressive state-level health data privacy law in the country as of 2026. Its reach extends far beyond HIPAA's covered-entity framework. Any entity that does business in Washington or targets Washington consumers and collects "consumer health data" must comply — regardless of whether it is a hospital, an insurer, a tech company, or a retail pharmacy chain.

The definition of consumer health data under the MHMD Act is intentionally broad. It includes data that identifies a consumer's past, present, or future physical or mental health condition; reproductive or sexual health; precise geolocation data that could infer health status; health-related purchases; and biometric or genetic data. Collection or sharing of this data requires affirmative opt-in consent — not the familiar opt-out mechanism most privacy laws use. Washington residents can also sue violators directly in state court, bypassing the slow federal complaint process. The private right of action is arguably the most powerful enforcement mechanism any state has created for health data.

California: Layered Protections Under CMIA and CPRA

California has two complementary frameworks. The Confidentiality of Medical Information Act (CMIA) has existed since 1981 and applies to healthcare providers, health service plans, contractors, and employers who receive medical information. It requires written authorization for most disclosures and creates civil liability (up to $1,000 per violation plus actual damages) plus potential criminal penalties. The 2024 CMIA amendments extended the law's reach to app developers who offer software to assist consumers in managing their medical information — a direct response to the unregulated health app ecosystem.

The California Privacy Rights Act (CPRA), which substantially amended the California Consumer Privacy Act, adds another layer. Sensitive personal information — which includes health and medical data, genetic data, and precise geolocation — carries heightened protection. Consumers can direct businesses to limit the use of sensitive personal information. The California Privacy Protection Agency (CPPA) enforces the CPRA and has authority to impose fines of up to $7,500 per intentional violation. California also mandates a 15-calendar-day response time for medical record requests, tighter than HIPAA's 30-day (plus 30-day extension) window.

Nevada and Connecticut: Emerging State Leaders

Nevada's Senate Bill 370 (2023) extended the state's existing health data law to cover wellness apps and consumer health devices, requiring opt-in consent for selling consumer health data. Connecticut's Data Privacy Act similarly classifies health data as sensitive, requiring opt-in consent for processing and imposing obligations that go beyond HIPAA for businesses operating in the state. Both states allow the attorney general to enforce these laws, though neither currently has a private right of action.

State-by-State Snapshot: Where You Stand

Tier 1: Comprehensive Protection Beyond HIPAA

Washington, California, Nevada, Connecticut, and Colorado offer the most substantive protections beyond the federal baseline. Washington's MHMD Act and California's CMIA/CPRA combination are the gold standard. Colorado's Privacy Act classifies health data as sensitive personal information requiring opt-in consent and is enforced by the attorney general with civil penalties. These states cover a meaningful portion of the health app ecosystem that HIPAA ignores entirely.

Tier 2: Meaningful Additions to the Federal Baseline

New York, Texas, Minnesota, and Illinois add meaningful protections in specific domains without creating the broad consumer health data frameworks of Tier 1 states. New York's SHIELD Act and Health Law Section 18 impose specific medical record access timelines and fee caps. Illinois is notable for the Biometric Information Privacy Act (BIPA), which requires informed written consent before collecting biometric data — including retinal scans, fingerprints, and voiceprints — and creates a private right of action. BIPA has generated significant litigation and is the most litigated state biometric law in the country. Texas requires opt-in consent for the collection of biometric identifiers under a similar framework. Minnesota's health data statute imposes strict requirements on health maintenance organizations and certain other entities, with patient rights that in some respects exceed HIPAA.

Tier 3: HIPAA-Equivalent or Near-Equivalent States

The majority of US states — including Florida, Georgia, Ohio, Pennsylvania, Arizona, and others — rely primarily on HIPAA for health data protection and have not enacted comprehensive consumer health data laws. Some have breach notification laws that require faster notification than HIPAA's 60-day window, and some have specific mental health, HIV, or substance abuse confidentiality laws that are stricter than HIPAA in those domains. But for the broad category of consumer health data, residents of these states have limited recourse beyond federal law. This means health apps and wellness platforms operating in these states face fewer constraints on how they use and share data about those residents.

Understanding who legally owns your medical records — which is different from who controls access to them — is a separate but related question with its own state-by-state complexity.

Special Categories: Mental Health, Reproductive Data, and Genetics

Mental Health Confidentiality

Mental health records receive heightened protection in most states, typically stricter than general medical records under HIPAA. Psychotherapy notes — the term HIPAA uses to describe notes a mental health professional records in the process of counseling — are excluded from most routine disclosures even under HIPAA and require explicit authorization. Many states go further: California requires specific written authorization for mental health records even in circumstances where HIPAA might permit disclosure. New York's mental health confidentiality law similarly restricts disclosure without patient authorization except in narrowly defined emergency circumstances. If you are seeking or have received mental health treatment, you generally have stronger legal protections than for other medical records, though the applicable rules vary by state.

Reproductive Health Data After Dobbs

The Supreme Court's 2022 decision in Dobbs v. Jackson Women's Health Organization changed the landscape for reproductive health data significantly. In states where abortion is restricted or criminalized, law enforcement may seek health records related to reproductive care. HIPAA permits disclosure of PHI in response to a court order or law enforcement request in certain circumstances, and the intersection of state abortion law and federal health privacy law has created substantial legal complexity. Washington's MHMD Act and California's CMIA explicitly restrict the disclosure of reproductive health data and prohibit cooperation with out-of-state investigations targeting reproductive care. The HHS OCR issued a rule in 2024 — the HIPAA Privacy Rule to Support Reproductive Health Care — that limits when covered entities may disclose PHI related to reproductive health to law enforcement, though that rule has faced legal challenges.

Genetic Data

The Genetic Information Nondiscrimination Act (GINA) prohibits health insurers and employers from discriminating based on genetic information but does not restrict how direct-to-consumer genetic testing companies like 23andMe or AncestryDNA handle your data. State laws fill some of that gap. California's CMIA amendments and CPRA both cover genetic data. Washington's MHMD Act explicitly covers genetic data within its consumer health data definition. Several states — including Florida, Georgia, and Arizona — have enacted laws specifically governing genetic privacy, but their scope varies widely. If you have used or are considering a direct-to-consumer genetic test, assume that your results may be shared with or sold to third parties unless the company's privacy policy explicitly prohibits it and your state law enforces such restrictions.

The Commercial Health Data Ecosystem: What the Law Permits

Data Brokers and Health Information

Data brokers — companies that aggregate and sell personal information — operate a largely unregulated market in health-adjacent data. This includes data derived from prescription drug purchases, over-the-counter purchases (menstrual products, diabetes test strips, antidepressants bought with a loyalty card), location data that can infer medical visits, and browsing data related to health topics. None of this is PHI under HIPAA because it is not collected by covered entities. It is, however, remarkably revealing. Researchers have demonstrated that de-identified prescription purchase records can be re-identified with high accuracy using other commercially available data. Understanding who is buying and selling your health data and how is essential context for any discussion of your legal rights.

California and Vermont have enacted data broker registry laws requiring companies that buy and sell personal information to register with the state. California's Delete Act (SB 362, 2023) goes further, requiring data brokers to honor deletion requests made through a state-run portal by 2026. These are meaningful steps, but they do not prohibit data brokers from operating — they create transparency and give consumers an opt-out mechanism, not an opt-in requirement.

AI and Health Data

Artificial intelligence systems trained on health data present a distinct set of privacy concerns. Many hospitals and health systems have entered into agreements with AI companies that involve sharing de-identified patient records to train diagnostic algorithms. HIPAA's Safe Harbor de-identification standard — which removes 18 specified identifiers — was designed in an era before modern re-identification techniques. Studies have shown that HIPAA-de-identified datasets can frequently be re-identified using external data sources. The use of federated learning — a technique that trains models on data that never leaves the institution — is a promising alternative, and understanding how federated learning protects health data privacy is increasingly relevant for patients concerned about how their records contribute to AI training.
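To make the Safe Harbor point concrete, here is an added example (not code from QuanMedAI or any health system) that applies Safe Harbor-style generalization to constructed sample records and then measures k-anonymity over the quasi-identifiers that survive; the identifier handling follows the Safe Harbor method in 45 CFR 164.514(b)(2), while the records, ZIP populations and service year are assumptions constructed for illustration.

```python
"""Safe Harbor-style de-identification plus a k-anonymity check.

Added example, not QuanMedAI's code. Identifier handling follows HIPAA's
Safe Harbor method (45 CFR 164.514(b)(2)); the records and small-ZIP list
below are constructed sample data, not real patients or census figures.
"""
from collections import Counter

# Direct identifiers that Safe Harbor removes outright (a subset of the 18).
DIRECT_IDENTIFIERS = {"name", "phone", "email", "ssn", "mrn", "ip", "address"}
# Constructed: 3-digit ZIP prefixes whose combined population is <= 20,000
# must be reported as "000" under Safe Harbor.
SMALL_ZIP3 = {"036", "059"}

def safe_harbor(record: dict, year_of_service: int) -> dict:
    """Return a copy of `record` with Safe Harbor identifiers removed or generalized."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                            # drop direct identifiers entirely
        if field == "zip":
            zip3 = str(value)[:3]               # keep only the first 3 digits
            out["zip3"] = "000" if zip3 in SMALL_ZIP3 else zip3
        elif field == "dob":
            age = year_of_service - int(str(value)[:4])   # dates reduced to year
            out["age"] = "90+" if age >= 90 else age      # ages over 89 aggregated
        elif field in ("admit_date", "discharge_date"):
            out[field[:-5] + "_year"] = int(str(value)[:4])
        else:
            out[field] = value                  # diagnosis, sex, etc. are kept
    return out

def k_anonymity(records: list, quasi: tuple) -> int:
    """Smallest group size sharing identical quasi-identifier values (0 if empty)."""
    if not records:
        return 0
    groups = Counter(tuple(r.get(q) for q in quasi) for r in records)
    return min(groups.values())

# Constructed sample records (not real patients).
SAMPLE = [
    {"name": "A. Patient", "ssn": "000-00-0001", "zip": "98101", "dob": "1961-03-14",
     "sex": "F", "diagnosis": "E11.9", "admit_date": "2026-02-03"},
    {"name": "B. Patient", "ssn": "000-00-0002", "zip": "98105", "dob": "1961-09-02",
     "sex": "F", "diagnosis": "I10", "admit_date": "2026-02-10"},
    {"name": "C. Patient", "ssn": "000-00-0003", "zip": "03601", "dob": "1935-01-20",
     "sex": "M", "diagnosis": "J45.20", "admit_date": "2026-03-01"},
]

def deidentify_all(records=SAMPLE, year=2026) -> list:
    return [safe_harbor(r, year) for r in records]

if __name__ == "__main__":
    deid = deidentify_all()
    print(deid)
    # k = 1: one record is still unique on (zip3, age, sex) after Safe Harbor,
    # which is the gap that external data sources exploit for re-identification.
    print("k =", k_anonymity(deid, ("zip3", "age", "sex")))
```

The k value is what a data steward would inspect before release: Safe Harbor strips the listed identifiers, but it does not guarantee that the remaining quasi-identifiers are shared by enough people to resist linkage.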

How to Exercise Your Rights: A Practical Guide

Requesting Your Medical Records

Under HIPAA, you have the right to access your designated record set — which includes medical records, billing records, and other records used to make decisions about your care — within 30 days of a written request (extendable by 30 more days with notice). The covered entity may charge a reasonable, cost-based fee but cannot charge for the labor of locating your records or simply because you choose to receive them electronically. If you are in California, that 30-day window shrinks to 15 calendar days for most records. For a detailed walkthrough of the request process, including template language, see our guide on how to get copies of your medical records.

If a covered entity denies your request — which is permitted in limited circumstances, such as when access would endanger you or another person — they must provide a written denial explaining the basis. You then have the right to request a review of that denial by a licensed healthcare professional designated by the covered entity. If you believe the denial is improper, you can file a complaint with OCR.

Filing a Complaint

For HIPAA violations, file a complaint with the HHS Office for Civil Rights at hhs.gov/ocr within 180 days of discovering the violation (OCR has discretion to extend this). The complaint should identify the covered entity, describe the violation, and include any supporting documentation. OCR will notify the covered entity and conduct an investigation. If it finds a violation, it may pursue a corrective action plan, civil monetary penalties, or — in egregious cases — refer the matter for criminal prosecution. Washington State residents can also bring a civil action under the MHMD Act. California residents can complain to the California Privacy Protection Agency under the CPRA or, for CMIA violations, pursue a civil lawsuit. Consulting a health privacy attorney in your state is advisable before pursuing litigation.

If You Receive a Breach Notification

HIPAA requires covered entities to notify you within 60 days of discovering a breach that affected your unsecured PHI. State breach notification laws often impose shorter timelines — California requires notification in "the most expedient time possible" with no set maximum. If you receive a breach notice, take it seriously: change any passwords associated with the breached entity's patient portal, enroll in any free credit or identity monitoring offered, and consider placing a fraud alert or credit freeze. Medical identity theft — where someone uses your health information to obtain care or drugs in your name — is among the most damaging and difficult-to-resolve identity crimes.

The Case for Federal Consumer Health Data Legislation

The patchwork of state laws — strong in Washington and California, weak or absent in most of the country — creates a profoundly unequal system. Whether your health data is protected by meaningful legal rights depends largely on your zip code. A resident of Seattle using a health app has opt-in consent rights and can sue a violator in state court. A resident of Atlanta using the same app has neither. Both may have the same sensitive health condition, but one has substantially more legal control over what happens to their data.

Congress has considered federal consumer health data legislation at various points, including the Health Data Use and Privacy Commission Act and several bills modeled on Washington's MHMD Act, but none has become law as of mid-2026. The FTC has used its Section 5 unfair or deceptive practices authority to take enforcement action against some health apps for deceptive data practices, but this is a blunt instrument that does not create affirmative rights for consumers.

The direction of travel in the states suggests that the norm is moving toward opt-in consent, private rights of action, and coverage of entities outside the traditional HIPAA framework. Whether federal law catches up — and what it will look like when it does — remains an open question. In the meantime, knowing which state you are in and what your state law provides is the most practical thing you can do to protect your health data rights in 2026. The future of patient health data ownership is being written right now, largely at the state level.

Your health data is among the most sensitive information that exists about you — and the rights protecting it depend far more on where you live than most patients ever realize.

© 2026 QuanMed - All rights reserved