What are the limits of HIPAA’s regulatory scope?
HIPAA’s privacy and security rules apply to Covered Entities — healthcare providers that conduct certain transactions electronically, health plans, and healthcare clearinghouses — and to their Business Associates that handle PHI on their behalf. The regulatory scope is institutional: HIPAA does not apply to entities outside that definition, even when they collect health information.
This creates a structural gap. A research vendor collecting health-condition data directly from consumers (rather than from a Covered Entity client) is typically not in HIPAA scope. A pharma company collecting health-condition data through a study run by a non-Covered-Entity vendor may not be in HIPAA scope. State health privacy laws fill this gap, and several state laws extend further — adding opt-in consent, private rights of action, and stricter disclosure controls even within HIPAA’s scope.
The practical compliance reality: research vendors operating across state lines must satisfy the most restrictive applicable law, not just HIPAA.
Washington My Health My Data Act (MHMDA)
The Washington MHMDA is the most expansive state health privacy law in effect. Major provisions:
Scope. Applies to “regulated entities” that conduct business in Washington or produce products or services targeted to Washington residents AND collect, process, share, or sell consumer health data. The definition is intentionally broad: it does not turn on whether the entity is a HIPAA Covered Entity or Business Associate. The Act exempts PHI that is already regulated under HIPAA, but health data collected outside a HIPAA relationship by the same or any other entity is squarely in scope.
Consumer health data definition. Far broader than PHI. Includes individually identifiable information about physical or mental health conditions, reproductive or sexual health, gender-affirming care, biometric data, precise location information that could reasonably indicate an attempt to obtain health services or supplies (e.g., visiting a clinic), purchase data revealing health activities, and inferences derived from any of the above. “Precise location information” is defined as data that locates a consumer within a radius of 1,750 feet, so ordinary app-level geolocation near a healthcare facility is enough to bring a record into scope.
Opt-in consent requirements. Separate consent required at: (a) collection, (b) sharing with third parties, and (c) sale (which the MHMDA generally prohibits without specific authorization). Consent must be clear, specific, and freely given — bundled consent in a generic privacy policy does not satisfy MHMDA.
Private right of action. A violation of the MHMDA is treated as an unfair or deceptive act under the Washington Consumer Protection Act, so Washington residents can sue directly. The CPA provides actual damages, potential treble damages, and attorney’s fees, which creates meaningful litigation exposure beyond AG enforcement.
Effective date. Most provisions effective March 31, 2024 (June 30, 2024 for small businesses).
For research vendors, the practical implication is that any study including Washington-resident participants needs MHMDA-grade consent flows: separate consent at intake, separate consent at any third-party data sharing event, and no sale of consumer health data unless the participant has signed the separate, specific authorization the Act requires for a sale. A sale term negotiated with a sponsor does not substitute for that participant authorization.
California Confidentiality of Medical Information Act (CMIA)
California’s CMIA predates HIPAA and is in many ways stricter than HIPAA. Key differences:
Scope. CMIA applies to providers of health care, health care service plans, contractors, and corporations engaged in business with providers. The definition is broader than HIPAA’s Covered Entity scope in some areas (e.g., CMIA explicitly covers software vendors handling medical information, while HIPAA’s Business Associate framework reaches them only when they’re under contract with a Covered Entity).
Disclosure restrictions. Stricter than HIPAA in several respects. CMIA generally prohibits disclosure of medical information without patient authorization, with narrower exceptions than HIPAA’s treatment, payment, and operations carveouts.
Independent enforcement. CMIA is enforceable through California AG action, private rights of action (in some circumstances), and statutory damages. CMIA enforcement is not preempted by HIPAA — both regimes apply concurrently.
For research vendors, CMIA-specific implications: California-resident participant authorization should be obtained even when a HIPAA Authorization or Common Rule research consent already exists, as the CMIA scope and consent specifications differ from HIPAA’s.
New York SHIELD Act
The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act, signed 2019; breach notification changes effective October 2019, safeguards requirement effective March 2020) amended New York’s data breach notification law. It expanded the definition of private information to include biometric information and online account credentials, and it added a cross-notification duty for HIPAA-regulated entities. Health information as such is not listed in New York’s private information definition; it reaches health-related data through the biometric category and through the HIPAA cross-notification described below. SHIELD Act provisions:
- Reasonable safeguards requirement. Any person or business holding New York residents’ private information must implement reasonable administrative, technical, and physical safeguards. Entities subject to and compliant with HIPAA are deemed to satisfy this requirement.
- Breach notification. Notification to affected residents is required for unauthorized access to or acquisition of private information (the pre-SHIELD law covered acquisition only); the New York AG, the Department of State, and the State Police must also be notified. A HIPAA-regulated entity that notifies HHS of a breach must also notify the New York AG within five business days, even where the breached data is not “private information” under New York law.
- No private right of action. Enforcement through New York AG only.
For research vendors, SHIELD Act compliance overlaps significantly with HIPAA Security Rule requirements, and HIPAA-covered vendors get the deemed-compliance safe harbor for the safeguards requirement. The breach notification timeline (most expedient time possible and without unreasonable delay) and the five-business-day AG cross-notification require operational readiness independent of HIPAA’s 60-day outer limit.
State privacy laws with sensitive data provisions
Several states have enacted comprehensive privacy laws with sensitive data categories that include health information. These laws are not health-specific but include health-data protections:
- Texas Data Privacy and Security Act (effective July 2024). Health information is sensitive data. Opt-in consent required for processing sensitive data.
- Virginia Consumer Data Protection Act (effective January 2023). Mental and physical health diagnosis information is sensitive data. Opt-in consent for processing.
- Colorado Privacy Act (effective July 2023). Health condition or diagnosis is sensitive data. Opt-in consent for processing.
- Oregon Consumer Privacy Act (effective July 2024). Health condition or diagnosis is sensitive data. Opt-in consent for processing.
- Connecticut Data Privacy Act (effective July 2023). Mental or physical health diagnosis is sensitive data. Opt-in consent for processing.
- Utah Consumer Privacy Act (effective December 31, 2023). Health information is sensitive data. Notice and an opportunity to opt out are required before processing sensitive data (less strict than the opt-in states above).
The common pattern: health information is sensitive data, and processing sensitive data requires opt-in consent (notice and opt-out in Utah). Research vendors with national reach typically need a single opt-in consent flow that satisfies all of these states rather than per-state variants.
Other notable state-specific provisions
- Illinois Genetic Information Privacy Act (GIPA). Stricter than federal GINA; private right of action with statutory damages. Genetic data in research deserves specific consent treatment for Illinois residents.
- Illinois Biometric Information Privacy Act (BIPA). Informed written consent is required before collecting biometric identifiers, which expressly include voiceprints, and a public retention and destruction schedule must be maintained. BIPA’s private right of action with statutory damages has produced significant class action litigation. Voice modality research therefore requires BIPA-compliant pre-collection consent for Illinois-resident participants.
- Nevada SB 220. Sale opt-out requirements; less restrictive than other states.
How should research vendors operationalize multi-state health privacy compliance?
The practical compliance approach for research vendors operating across state lines:
- Default to the most restrictive standard. Implement HIPAA + Washington MHMDA + California CMIA + Illinois BIPA-compliant consent flows uniformly across all participants. Operationally simpler than per-state branching.
- Layer consent at processing stages. Distinct consents at: (a) intake / screener, (b) recording, (c) data sharing with research sponsors, (d) any storage or retention beyond engagement close. Bundled consent is increasingly insufficient under state law.
- Track participant residency at intake. State law applicability follows the participant. Residency at the time of consent should be captured and retained as part of the engagement audit trail.
- Document consent flow versioning. When consent flows change (regulatory updates, vendor architecture changes), prior-version consent records remain authoritative for participants who consented under earlier versions. Maintain version history.
- Engage state-specific counsel for high-risk engagements. Washington-resident reproductive health research, Illinois voice modality research, California behavioral health research — these specific intersections of state law and study design warrant pre-fielding legal review.
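The three operational points above (stage-by-stage consent, residency captured at intake, consent records kept authoritative across version changes) reduce to an append-only consent ledger. The following is an added illustration written for this page, not Carevoices’ code or any vendor’s system; the four stage names are taken from the list above, and everything else (class and function names, the `ConsentError` type, the version labels) is an assumption made for the example. It deliberately encodes no per-state legal rule: consistent with the “most restrictive standard” approach, every participant goes through the same stages, and residency is recorded for the audit trail rather than used to branch.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

# Processing stages at which a separate consent is captured (the four stages
# named in the text). Applied uniformly to every participant; no per-state
# branching, per the "default to the most restrictive standard" approach.
STAGES = ("intake", "recording", "sharing", "retention")


class ConsentError(Exception):
    """Raised when a processing step is attempted without the consent it requires."""


@dataclass(frozen=True)
class ConsentEvent:
    participant_id: str
    stage: str
    kind: str        # "grant" or "withdraw"
    version: str     # consent-flow version in force when the event occurred
    residency: str   # state of residence captured once, at intake
    at: datetime


class ConsentLedger:
    """Append-only consent ledger: events are added, never edited or deleted.

    Hypothetical class written for this example, not a production component.
    """

    def __init__(self, current_version: str) -> None:
        self.current_version = current_version
        self._events: list[ConsentEvent] = []
        self._residency: dict[str, str] = {}

    def bump_version(self, new_version: str) -> None:
        # Only future events carry the new version. Existing records are left
        # untouched and remain authoritative for the participants who consented
        # under them.
        self.current_version = new_version

    def record_intake(self, participant_id: str, residency: str,
                      at: Optional[datetime] = None) -> None:
        # Residency is captured exactly once, at intake, and travels with every
        # later consent event for that participant.
        if participant_id in self._residency:
            raise ConsentError(f"{participant_id}: intake already recorded")
        self._residency[participant_id] = residency.strip().upper()
        self._append(participant_id, "intake", "grant", at)

    def grant(self, participant_id: str, stage: str, at: Optional[datetime] = None) -> None:
        self._append(participant_id, stage, "grant", at)

    def withdraw(self, participant_id: str, stage: str, at: Optional[datetime] = None) -> None:
        self._append(participant_id, stage, "withdraw", at)

    def has_consent(self, participant_id: str, stage: str) -> bool:
        # Consent for a stage is active if the most recent event for that
        # participant and stage is a grant, regardless of which flow version
        # it was given under.
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r}")
        latest = None
        for ev in self._events:
            if ev.participant_id == participant_id and ev.stage == stage:
                latest = ev
        return latest is not None and latest.kind == "grant"

    def require(self, participant_id: str, stage: str) -> None:
        # Gate to call before any processing step: sharing with a sponsor,
        # starting a recording, retaining data past engagement close.
        if not self.has_consent(participant_id, stage):
            raise ConsentError(f"{participant_id}: no active consent for stage {stage!r}")

    def audit_trail(self, participant_id: str) -> list[dict]:
        # Full per-participant history, including version and residency, for
        # the engagement audit trail.
        return [asdict(ev) | {"at": ev.at.isoformat()}
                for ev in self._events if ev.participant_id == participant_id]

    def _append(self, participant_id: str, stage: str, kind: str,
                at: Optional[datetime]) -> None:
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r}")
        if kind not in ("grant", "withdraw"):
            raise ValueError(f"unknown event kind {kind!r}")
        if participant_id not in self._residency:
            raise ConsentError(f"{participant_id}: intake (with residency) must be recorded first")
        self._events.append(ConsentEvent(
            participant_id, stage, kind, self.current_version,
            self._residency[participant_id], at or datetime.now(timezone.utc)))
```

Two properties worth noting: a withdrawal is itself an appended event, so the trail shows both the original grant and its withdrawal with timestamps and the version then in force; and `require` is the only thing a downstream step needs to call, which keeps the legal logic in one place when a new state requirement adds a stage.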
What this means for healthcare research procurement
For healthcare insights teams, pharma compliance, hospital legal, and procurement teams evaluating research vendors, the state-law due-diligence questions:
- What’s your consent flow architecture? Single bundled consent indicates HIPAA-only thinking; layered consent at processing stages indicates state-law-aware architecture.
- How do you handle Washington-resident data? MHMDA exposure is the highest current state-law risk vector. Vendors that haven’t operationalized MHMDA compliance create direct litigation exposure under MHMDA’s private right of action.
- What’s your voice modality consent flow in Illinois? BIPA pre-collection written consent for voiceprints is a binary requirement. Vendors recording voice without BIPA-compliant consent in Illinois face statutory damages exposure.
- How do you track participant residency? Residency capture at intake is the foundation of state-law applicability tracking.
- What’s your sub-processor exposure across states? Sub-processors (cloud, AI providers, communication tools) extend the vendor’s compliance perimeter. Sub-processor jurisdictional posture matters when participant data crosses borders.
Carevoices’ compliance architecture treats state laws as overlays on the HIPAA baseline, not as exceptions to it. Layered consent at intake, recording, sharing, and retention. Washington MHMDA-compliant consent flows applied uniformly across all participants. Illinois BIPA-compliant pre-collection consent for voice modality engagements. Participant residency captured at intake. We will not claim full state-law parity in every jurisdiction — privacy law continues to evolve quickly — but the architecture is built to absorb new state requirements as they emerge rather than retrofit per engagement.