Your medical records don’t stop at state borders, but the laws protecting them do.
When healthcare data sharing happens across state lines, you face a confusing mix of privacy rules that vary dramatically from California to Connecticut.
Over 1 million people in Connecticut learned this the hard way in early 2025 when a data breach exposed their most private health details.
What Makes State Privacy Laws So Different?
HIPAA sets the federal baseline, but states can add stricter protections on top of it. This creates a situation where your health data gets more protection in some states than others.
As of 2024, 21 states have passed comprehensive privacy laws, and many of them define health data differently.
Washington’s My Health My Data Act went into effect on March 31, 2024, and covers “consumer health data” much more broadly than HIPAA does.
The law includes things like information from fitness apps, period tracking software, and even data that suggests you’re trying to get healthcare services. Nevada’s law kicked in on the same day with similar but not identical rules.
Connecticut took a different route. The state amended its existing privacy law to add health protections just before implementation.
This means Connecticut follows one framework while Washington follows another, even though both laws address the same basic concern.
Here’s where it gets tricky for you. If you live in Kansas but get treatment in Colorado, which state’s laws apply? What about telehealth appointments with a doctor in a different state? The answer isn’t always clear.
How Do Consent Requirements Change Between States?
Some states require explicit consent before collecting or sharing your health data, while others let providers share for treatment purposes without asking first.
This inconsistency creates real problems when your information crosses state lines.
Under federal HIPAA rules, healthcare providers can share your protected health information for treatment without getting your consent.
But some states require authorization before mental health information can be disclosed, even for treatment.
If your therapist in Vermont wants to coordinate your care with a psychiatrist in New York, they might need different permissions depending on each state’s specific rules.
Washington’s law requires separate consent before collecting or sharing consumer health data unless you specifically requested the service.
Nevada follows a similar approach. But many other states don’t have these requirements at all—they rely on HIPAA’s looser standards.
This becomes even more complicated with telehealth. Healthcare providers must be licensed in each state where they provide services to patients, and each state may have different privacy requirements for telehealth encounters.
Your video appointment with a doctor might require one type of consent in Alabama and a completely different form in Oregon.
What Patient Rights Actually Transfer Across Borders?
Your rights to access, correct, or delete your health data depend heavily on where you live and where your data lives.
Nevada and Washington give consumers the right to delete covered health information, and businesses must notify all recipients they previously shared data with so those recipients can also delete it. This goes way beyond what HIPAA requires.
But most states don’t offer deletion rights. HIPAA and traditional health care privacy laws allow you to dispute accuracy and add corrections to your records, but providers aren’t permitted to delete your information just because you ask.
Here’s a comparison of what you can typically do with your health data in different regulatory environments:
| Patient Right | Under HIPAA Alone | Under Washington/Nevada Laws |
| --- | --- | --- |
| Access your records | Yes, within 30 days | Yes, plus list of who received data |
| Correct errors | Request amendments | Request amendments |
| Delete your data | No deletion rights | Full deletion with third-party notification |
| Know who has your data | Limited accounting | Complete list of recipients |
| Stop future sharing | Limited options | Withdraw consent anytime |
Washington is the first state to give consumers a private right of action for health data violations, meaning you can sue directly if someone mishandles your information. Most other states leave enforcement to attorneys general.
What Happens With Healthcare Data Sharing in Practice?
When health entities in different states want to share patient information, privacy laws and policies that vary between states complicate the situation.
The Office of the National Coordinator for Health Information Technology recognizes this problem, but solutions remain incomplete.
Healthcare organizations operating across multiple states must adhere to the most restrictive applicable standard in each jurisdiction.
This means if you operate a hospital system with locations in five states, you effectively need to follow the strictest law among those five states for all your operations—or implement different procedures at each location.
Real-world example: A hospital in Texas treats a patient from California. The patient’s information gets shared with a specialist in Washington for a second opinion. Now three states’ laws potentially apply.
Texas follows basic HIPAA. California has its own comprehensive privacy law. Washington has specific health data rules. The hospital needs to figure out which law governs this particular data transfer.
Currently, 16 state privacy laws have been signed, with healthcare-specific laws in Nevada and Washington taking effect in March 2024, followed by Tennessee, Florida, and Oregon in July 2024, then Montana in October 2024. Each new law adds another layer of complexity.
Do Reproductive and Mental Health Records Get Extra Protection?
Recent legislation, effective July 1, 2024, underscores the need for special protections around data related to abortion, contraception, or gender-affirming care, especially across state lines.
These protections emerged after the Dobbs decision changed the legal landscape around reproductive healthcare.
Maryland’s definition of sensitive information specifically includes consumer health data for gender affirming treatment and reproductive or sexual health care.
Controllers in Maryland can’t collect, process, or share this sensitive data unless it’s strictly necessary to provide a service you requested.
Mental health records face similar but not identical restrictions. Most uses and disclosures of psychotherapy notes require authorization even for treatment, payment, and healthcare operations. This applies nationally under HIPAA, but some states add even more protection.
The problem is that these extra protections don’t consistently cross state lines. If you received reproductive healthcare in Massachusetts but now live in Texas, the protections that applied when you got care might not protect that same data now.
How Can You Protect Your Data When It Crosses States?
You can’t control where your health data goes, but you can take some steps to understand what’s happening with it. First, read privacy notices carefully.
Entities must develop privacy policies that state the categories of health data collected, the purposes for collection, the sources the data is collected from, the parties it is shared with, and how you can exercise your rights.
Ask questions before you get care. When scheduling appointments, especially for telehealth, ask which state’s laws will govern your information. Find out if the provider shares data across state lines and what protections apply.
Both Washington and Nevada laws give you rights to know about collection and sharing, access and review your data, get a list of third parties who received your information, withdraw consent, and delete your data.
If you live in or get care in these states, actually use these rights. Don’t just assume your data is protected—verify it.
For sensitive conditions, consider where you seek care. Getting treatment in a state with stronger privacy laws might give you more control over your information, especially if you’re concerned about that data being shared with states with weaker protections.
Keep your own records. When possible, maintain copies of your health information.
This gives you a reference point if you need to dispute what’s shared or if you want to control what gets transferred to new providers.

Where Do Healthcare Data Sharing Laws Go From Here?
Without harmonized standards, the risks of data breaches, algorithmic bias, and re-identification all lead to a loss of public trust and threaten both individual rights and the ethical advancement of healthcare innovation.
The current patchwork system isn’t sustainable as healthcare becomes more digital and more interstate.
Until Congress passes a national consumer data protection act, states continue to fulfill their role as laboratories of democracy.
We’re likely to see more states pass health data laws in 2025 and beyond. Each one will add new requirements that healthcare organizations must navigate.
Companies face a complex regulatory landscape, navigating multiple state-specific regulations.
This complexity costs money, slows down data sharing that could help with your care, and increases the risk that someone will make a mistake and violate one of dozens of different rules.
The reality is that truly fixing healthcare data sharing across state lines requires either federal action that creates one standard for everyone, or interstate compacts where states agree to recognize each other’s rules. Neither seems likely soon.
Until then, you’re stuck navigating this confusing landscape where your health data rights depend on geography as much as they depend on the law.


