NPP and State Laws Stricter Than Federal HIPAA
Several states (California, New York, Massachusetts) impose stricter privacy notice requirements than federal HIPAA. Here's how state-law overlays interact with the HHS model NPP.
By NPP Generator Research Team · Published Mar 15, 2026 · Last reviewed Apr 23, 2026
HIPAA is a floor, not a ceiling
HIPAA's § 164.203 preemption rule preempts state laws that are less protective than HIPAA. It does not preempt state laws that are more protective. Several states have enacted privacy rules that impose stricter requirements than HIPAA, and covered entities in those states must comply with both — using the more protective rule.
California — CMIA and related laws
California Confidentiality of Medical Information Act (CMIA) and related laws impose stricter requirements around:
- Mental-health record disclosure (LPS Act § 5328)
- HIV test results (Health & Safety Code § 120975)
- Genetic test results (Civil Code § 56.17)
- Breach notification thresholds for CMIA breaches (Civil Code § 56.36)
New York — Mental Hygiene Law
New York Mental Hygiene Law § 33.13 imposes stricter disclosure rules for mental-health records than HIPAA. Article 29-E (SHIELD Act) and Article 27-G (genetic information) also impose additional protections. Covered entities in New York may need state-specific NPP language beyond HIPAA's minimums.
Massachusetts — Chapter 123 § 36
Massachusetts General Laws chapter 123 § 36 applies to mental-health records. The state's data security regulations (201 CMR 17.00) impose technical safeguard requirements on anyone holding personal information of Massachusetts residents.
Other states with notable overlays
Texas (Medical Records Privacy Act — chapter 181), Florida (various), Illinois (Mental Health and Developmental Disabilities Confidentiality Act), Washington (UBIT and state breach laws), and others. The landscape is inconsistent.
What to do about it
Our generator includes a generic state-law disclaimer in the NPP — stating that state law may impose stricter requirements and the patient may have additional rights under state law. For state-specific NPP language, engage healthcare counsel licensed in your state. State-specific overlays are on our v2 roadmap.