To Close HIPAA Gaps, More States Pass Consumer Privacy Laws
November 19, 2025 | by Steven Johnson

For nearly three decades, HIPAA has served as the cornerstone of health information protection in the United States. Yet, the explosive growth of digital health tools—from mobile apps and wearables to virtual care platforms and consumer wellness sites—has pushed the boundaries of what “health data” really is. The result? A modern ecosystem generating enormous volumes of deeply personal information that often falls outside HIPAA’s protection.
States have noticed. And they are acting.
From Washington to Texas to Colorado and beyond, a sweeping wave of consumer privacy laws is reshaping how health-related data must be handled. These laws are closing long-standing gaps in HIPAA and forcing organizations across the healthcare and tech industries to rethink their privacy strategies from the ground up.
This is not a slow evolution.
It’s a nationwide privacy reset.
Why HIPAA Can No Longer Stand Alone
HIPAA was crafted in a different era—long before smartphones, fitness trackers, fertility apps, home DNA kits, digital pharmacies, virtual therapists, or telehealth platforms became everyday tools. HIPAA protects medical records held by hospitals, physicians, clinics, and health plans. But today’s consumers generate equally sensitive health data outside traditional clinical settings—data that can reveal physical conditions, life decisions, behavioral patterns, reproductive health details, and even mental health indicators.
What HIPAA does not cover has become just as important as what it does.
A calorie-tracking app, a menopause support community, a smartwatch analyzing your sleep, or a pharmacy discount site collecting medication search history can hold data more personal than any clinical chart. Yet these companies often operate without HIPAA obligations—making consumer data vulnerable to broad sharing, profiling, targeted advertising, and sometimes even sale to unknown third parties.
State lawmakers now view this gap as unacceptable—and they’re responding with sweeping legislation.
The Rise of State Privacy Laws Filling HIPAA’s Blind Spots
Over the past few years, the United States has entered one of the most significant privacy law expansions in history. States like California, Connecticut, Colorado, Virginia, Utah, Oregon, Texas, Montana, Tennessee, Delaware, and others have passed comprehensive consumer privacy laws. Each adds new layers of protections for data that traditional healthcare regulations failed to address.
What’s striking is how these state laws redefine health data. No longer limited to medical charts or diagnostic codes, the modern definition now includes everything from biometric readings and reproductive health decisions to geolocation patterns near healthcare facilities. These laws fundamentally expand the categories of information that must be handled with heightened sensitivity.
One of the boldest moves came from Washington State with its My Health My Data Act—a law so sweeping and influential that privacy experts consider it a blueprint for the future. It protects nearly any data that could relate to a person’s physical or mental health, whether explicitly provided or inferred by technology. It applies not just to healthcare providers but to almost any business touching consumer health data in any way.
This marks a watershed moment in U.S. privacy regulation.
A New Regulatory Reality for Healthcare and Health-Adjacent Businesses

The impact of these state laws is far-reaching. Traditional healthcare providers suddenly find themselves navigating a dual compliance landscape—HIPAA on one side, and a growing collection of state privacy laws on the other. Meanwhile, digital health startups, wellness platforms, tracking tools, and even marketing vendors must adopt privacy practices previously reserved for hospitals and health systems.
This shift brings several key consequences.
First, consent is no longer optional. Many states now require clear, affirmative, opt-in authorization before a business can collect or use sensitive health data. Second, transparency becomes far stricter. Organizations must explain exactly what they collect, why they collect it, who they share it with, how long they keep it, and how consumers can opt out. Third, tracking for advertising—especially for individuals seeking reproductive or mental health services—faces heightened scrutiny and legal exposure.
Companies that once operated in a regulatory gray zone now face clear responsibilities and serious penalties for failure to comply. Some states even allow private lawsuits, broadening the liability landscape beyond state attorneys general.
Privacy Risks Are Expanding—and So Are Legal Consequences
State privacy laws are responding to real-world risks that go beyond clinical data. The concern is not just unauthorized access to medical records—it’s the invisible ecosystem of digital tracking, data brokerage, AI-driven inference, and cross-platform profiling.
A fitness app can infer heart conditions.
A location ping can expose visits to clinics.
A search query can reveal pregnancy status.
A click on a mental health ad can reveal emotional vulnerability.
A genetic test submitted out of curiosity can become permanent, unregulated data.
Without legal guardrails, these insights can be shared with advertisers, analytics platforms, or data brokers in ways consumers never intended or understood.
State lawmakers argue that the most intimate data a person possesses—information about their body, health, mind, family planning, and genetics—should not be collected, sold, or monetized without explicit permission.
This philosophical shift is now reshaping compliance expectations nationwide.
How Organizations Should Adapt—Now, Not Later
Any business that touches consumer health-related data—whether directly or indirectly—must rethink its data lifecycle. That means understanding every data source, every third-party relationship, every analytic tool, and every marketing technology in use.
Organizations must take steps such as mapping data flows, strengthening consent processes, minimizing data retention, rewriting privacy notices, restricting sensitive data collection, and ensuring that analytics or advertising technologies do not inadvertently capture protected health information.
Equally important is workforce awareness. Staff across clinical, operational, marketing, and technical roles must understand the difference between HIPAA obligations and state privacy requirements. Ignorance is no longer a defense.
The stakes are rising, and proactive compliance is now a competitive advantage.
The Bigger Picture: Is the U.S. Moving Toward a New National Privacy Framework?
The rapid adoption of state privacy laws is sending a clear message: the country is ready for stronger, broader health data protection. With every new law, pressure grows on federal lawmakers to modernize HIPAA or create a national framework that accommodates the realities of digital health.
Until that happens, businesses must navigate a patchwork of state rules that grow more complex every year. Some organizations will adjust quickly and earn consumer trust. Others will try to maintain the status quo—and pay the price in legal risk, financial penalties, and reputational damage.
The future of privacy is already here.
Health data can no longer hide behind outdated regulatory boundaries.
States have stepped in—and they are rewriting the rules.
