
NPP and State Laws Stricter Than Federal HIPAA

Several states (California, New York, Massachusetts) impose stricter privacy notice requirements than federal HIPAA. Here's how state-law overlays interact with the HHS model NPP.


By NPP Generator Research Team  ·  Published Mar 15, 2026  ·  Last reviewed Apr 28, 2026  ·  2 min read


HIPAA is a floor, not a ceiling

HIPAA's § 164.203 preemption rule preempts state laws that are less protective than HIPAA. It does not preempt state laws that are more protective. Several states have enacted privacy rules that impose stricter requirements than HIPAA, and covered entities in those states must comply with both, using the more protective rule.

California: CMIA and related laws

California Confidentiality of Medical Information Act (CMIA) and related laws impose stricter requirements around:

New York: Mental Hygiene Law

New York Mental Hygiene Law § 33.13 imposes stricter disclosure rules for mental-health records than HIPAA. Article 29-E (SHIELD Act) and Article 27-G (genetic information) also impose additional protections. Covered entities in New York may need state-specific NPP language beyond HIPAA's minimums.

Massachusetts: Chapter 123 § 36

Massachusetts General Laws chapter 123 § 36 applies to mental-health records. The state's data security regulations (201 CMR 17.00) impose technical safeguard requirements on anyone holding personal information of Massachusetts residents.

Other states with notable overlays

These include Texas (Medical Records Privacy Act, chapter 181), Florida (various), Illinois (Mental Health and Developmental Disabilities Confidentiality Act), Washington (UBIT and state breach laws), and others. The landscape is inconsistent.

What to do about it

Our generator includes a generic state-law disclaimer in the NPP — stating that state law may impose stricter requirements and the patient may have additional rights under state law. For state-specific NPP language, engage healthcare counsel licensed in your state. State-specific overlays are on our v2 roadmap.
