
HIPAA vs State Privacy Laws

Many cash practices operate under the misconception that HIPAA does not apply to them. That may be true in some respects, but state privacy laws may actually be more stringent. As cybercrime rises, more states are expected to enact privacy laws to protect consumers from privacy and security failures.

So, when practices compare HIPAA with state privacy laws, the key point is that HIPAA sets a federal floor for covered entities. Cash practices may escape HIPAA’s reach, but they land directly in a patchwork of state laws that can be equally or more demanding. The absence of HIPAA liability is not the absence of privacy liability.

What is HIPAA and Who Must Comply?

HIPAA (the Health Insurance Portability and Accountability Act) applies to covered entities: health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with certain standard transactions (such as billing insurance). Through the HITECH Act, its Security Rule and most of its Privacy Rule obligations also extend to the business associates that handle protected health information on a covered entity’s behalf.

If you never bill insurance and never transmit health information electronically for covered transactions, you are likely not a HIPAA covered entity.

Cash-Only or Direct-Pay Practices and HIPAA

Although a cash-only or direct-pay practice may not fall under HIPAA, it still has significant legal obligations to protect patient information under other laws.

Specialized Federal Privacy Laws

Depending on the services provided, additional federal laws may apply, such as:

  • 42 CFR Part 2 for certain substance use disorder treatment records.
  • Federal protections for certain research records.
  • Privacy requirements related to employment or occupational health records.

Federal Trade Commission (FTC) Health Breach Notification Rule

The FTC Health Breach Notification Rule may apply to certain health apps, telehealth providers, and other businesses that are not covered by HIPAA if they experience a breach of individually identifiable health information.

Federal Trade Commission (FTC) Act

The Federal Trade Commission can investigate businesses that:

  • Misrepresent their privacy practices.
  • Fail to safeguard consumer information after promising to do so (this includes claiming HIPAA compliance, for example by posting a “HIPAA Compliant” seal on a website, and then not living up to that claim).
  • Engage in unfair or deceptive acts involving personal information.

State Privacy Laws Fill the Gap

State medical records and privacy laws typically:

  • Govern how long records must be retained (varies by state, commonly 5–10+ years).
  • Define patient rights to access and amend their records.
  • Specify which disclosures are authorized and when patient consent is required.
  • Apply to all providers regardless of insurance billing status.
  • Impose civil penalties for unauthorized disclosures.
  • Require protection of electronic health records.

These laws often apply regardless of whether the provider accepts insurance.

State Medical or Dental Practice Licensing Boards
State licensing boards generally require licensed healthcare providers to:

  • Maintain confidential patient records.
  • Secure electronic records.
  • Maintain complete and accurate documentation.
  • Retain records for the required period.
  • Protect patient information from unauthorized access.

Failure to do so can result in disciplinary action, including license suspension or revocation.

State Consumer Health Privacy Laws
Several states have enacted broader health privacy laws that apply beyond HIPAA. Examples include:

  • California – The Confidentiality of Medical Information Act (CMIA) applies broadly, including to providers not covered by HIPAA. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), may also apply.
  • Colorado – The Colorado Privacy Act (CPA) outlines five key consumer rights: the right to access, the right to correction, the right to deletion, the right to data portability, and the right to opt out.
  • Connecticut – The Connecticut Data Privacy Act (CTDPA) includes stronger data protections for children.
  • Florida, Texas, New York – each has specific statutes governing patient records, breach notification, and consent requirements.
  • Washington – The My Health My Data Act (2023) extends beyond HIPAA to cover consumer health data broadly.

Many states have enacted similar privacy laws; some are more stringent than HIPAA, while others apply only to larger entities that meet revenue or data-volume thresholds. Keep in mind that these laws may apply even when HIPAA does not.

State Data Breach Notification Laws
All 50 states have breach notification laws. If an EHR containing patient information is accessed, stolen, or compromised, the provider may have to notify:

  • Affected patients.
  • The state attorney general (in some states).
  • Consumer reporting agencies (for large breaches).

The notification requirements vary by state.

Contracts with the EHR Vendor
Nearly every EHR agreement requires the practice to:

  • Maintain account security.
  • Control user access.
  • Protect passwords.
  • Report security incidents.
  • Use the software appropriately.

Violating these contractual obligations can create liability.

Does using an EHR create security obligations?

Even if HIPAA does not apply, using an EHR means the practice should implement reasonable safeguards such as:

  • Unique user accounts
  • Strong passwords or passkeys
  • Multi-factor authentication, when available
  • Encryption of devices and backups
  • Automatic screen locking
  • Audit logs
  • Routine software updates
  • Staff confidentiality training
  • Procedures for responding to security incidents

These measures are often considered evidence of reasonable care if a privacy dispute or data breach occurs.

Class Action Lawsuits

Medical data breaches carry significant class action risk, because a single incident can expose the personal health information of every patient in the system. Plaintiffs’ attorneys have increasingly targeted healthcare providers, insurers, and their vendors following breaches, alleging failures to implement reasonable and appropriate security measures, violations of state privacy statutes, and in some cases HIPAA-adjacent state law claims. Even cash-pay practices that fall outside HIPAA’s reach are not immune: state consumer protection laws, medical records statutes, and common law negligence theories can all support class action claims when patient data is compromised. Courts have become more receptive to standing arguments in data breach cases, and the cost of defending, let alone settling, a class action can be devastating for a practice of any size. Inadequate data security is not just a regulatory risk; it is a litigation risk that no practice can afford to ignore.

A smart practice, even if not required:
Many cash-pay providers voluntarily adopt HIPAA-like privacy practices because:

  • It builds patient trust.
  • It provides a defensible compliance standard.
  • State laws often parallel HIPAA requirements anyway.
  • It simplifies operations if the practice ever accepts insurance later.

Protect Your Organization Before It’s Too Late

HIPAA compliance isn’t a one-time project; it’s an ongoing process. At Aris Medical Solutions, our HIPAA Keeper system simplifies compliance with a cloud-based platform that walks you through each requirement, step by step. From risk analysis to training and documentation, you’ll have everything you need to stay protected, compliant, and audit ready.

Protect your practice — and your patients.


Schedule a free HIPAA checkup today at Aris Medical Solutions. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way.

Can a Medical Practitioner be sued for a HIPAA Violation or a Data Breach?

With so many data breaches in the news, many medical practitioners are asking whether they can be sued over HIPAA violations or data breaches.

HIPAA provides no private right of action, so a patient cannot sue for a HIPAA violation itself. That said, if the same conduct violated privacy protections under state law, legal action may be taken. Every state has its own privacy laws, which encompass more than just the healthcare sector; they vary from state to state and define what is considered private information. HIPAA and state laws require covered entities to secure protected health information (PHI) with administrative, physical, and technical safeguards, and business associates and their subcontractors are required to do the same.

If a patient wants to file a lawsuit, the patient must be able to prove negligence and show that the violation or data breach caused actual harm. The Omnibus Rule removed the harm threshold for covered entities deciding whether to report a data breach, but a patient still has to claim and prove harm in court. Joining a class action may make for a stronger case; however, many class action lawsuits are filed based on exposure to future harm, and without evidence of present harm the case is weakened. Litigation is a costly endeavor, and patients should consider what they hope to gain before taking legal action. Keep in mind that this is not a quick lawsuit, and in the end there is no guarantee of any monetary recovery for the patient.

Many times, the practice can discuss the issue with the patient and avoid legal action altogether. If a practice has a disgruntled patient, the HIPAA privacy officer should talk to the patient if given the opportunity; sometimes an upset patient merely wants to be heard. Depending on the circumstances, the practice may also be required to report the incident to the Department of Health and Human Services Office for Civil Rights (OCR).

If a patient feels that their protected health information has been violated, they have the right to file a complaint with the OCR. The complaint must be filed within 180 days of when the patient knew, or should have known, of the incident; in some cases an extension may be granted. The complaint is reviewed to determine whether it warrants investigation. If it does, the OCR will contact the practice and try to resolve the issue in the most suitable manner. This may include technical assistance, a resolution agreement, and/or ongoing compliance documentation.

The average investigation timeline for a data breach is 1½ – 2 years, and more complex breaches may take even longer. The outcome of the investigation will depend on the severity and nature of the violation, whether it was a repeated offense, and the number of patients affected. Depending on how the incident was documented and handled, a practice may be able to avoid a desk audit. Remember: if it’s not documented, it does not exist. The patient may also file a complaint with the State Attorney General, and some complaints are referred to the Department of Justice (DOJ) if the investigation uncovers possible criminal violations.

I hope this helps you to understand how important it is to keep patient data secure, and to keep the documentation that demonstrates your efforts. If you have any questions on data security, how to handle a patient complaint, or how to handle a security incident, we are here to help.

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA compliance, or to schedule a demo, contact us.

“Simplifying HIPAA through Automation, Education, and Support”

©2026 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy