When Maryland enacted its strict genetic information privacy law and California expanded patient access rights beyond what federal rules require, many healthcare organizations asked the same question: do we follow HIPAA or state law? The answer hinges on a foundational legal concept that trips up compliance officers every year. HIPAA regulations establish a floor of patient rights, which means that HIPAA sets the minimum standard of privacy protection — and states are free to build higher.

What "HIPAA Regulations Establish a Floor of Patient Rights" Actually Means in Practice

Under the HIPAA Privacy Rule (45 CFR Part 164, Subpart E), patients are guaranteed a baseline set of rights regarding their protected health information (PHI). These include the right to access their medical records, request amendments, receive an accounting of disclosures, and obtain a Notice of Privacy Practices from every covered entity.

But Congress never intended these rights to be the ceiling. The preemption doctrine codified at 45 CFR §160.203 makes this explicit: where a state law provides greater privacy protections or more expansive patient rights than HIPAA, that state law survives and must be followed. HIPAA only preempts — or overrides — state laws that are less protective.

This is the floor-not-ceiling framework. Your organization must meet every HIPAA requirement, and then look to the state laws where you operate to determine whether additional obligations apply.

Why the Floor Concept Creates Real Compliance Challenges

In my work with covered entities operating across multiple states, this is where confusion turns into risk. A hospital system headquartered in Texas with clinics in California and New York must track three different layers of patient rights — HIPAA's federal floor, plus any state-specific additions in each jurisdiction.

Consider a few concrete examples:

  • Access timelines: HIPAA gives covered entities 30 days (with a possible 30-day extension) to fulfill a patient's records request. Several states impose shorter deadlines. California's Confidentiality of Medical Information Act requires responses in 15 days.
  • Substance abuse records: Federal regulation 42 CFR Part 2 historically imposed stricter protections on substance use disorder treatment records than HIPAA alone. Many states layer on additional consent requirements.
  • Minor consent and reproductive health: State laws frequently grant adolescents privacy rights that exceed HIPAA's baseline, particularly around reproductive health and mental health treatment.
  • Genetic information: States like Maryland and Illinois have enacted genetic privacy statutes that go well beyond what HIPAA's Privacy Rule requires.

If your compliance program treats HIPAA as the only rulebook, you are almost certainly missing state-level obligations that carry their own penalties.

OCR Enforcement and the Preemption Analysis Your Team Needs

The HHS Office for Civil Rights (OCR) has consistently emphasized that covered entities and business associates cannot use HIPAA compliance as a shield against more protective state laws. In resolution agreements and technical guidance, OCR has reinforced that organizations must conduct a preemption analysis — a systematic comparison of HIPAA requirements against applicable state law — for every jurisdiction where they handle PHI.

This is not optional. A preemption analysis should be a documented component of your broader risk analysis, which is itself a requirement under the Security Rule at 45 CFR §164.308(a)(1). Yet healthcare organizations consistently struggle with this step because it demands legal expertise and ongoing monitoring as state legislatures act.

Between 2020 and 2024, OCR resolved over 150 enforcement actions involving Privacy Rule violations. Many of these cases involved patient access failures — precisely the type of right that state laws frequently expand beyond HIPAA's floor.

Three Steps to Build Above the Floor in Your Organization

1. Map Your State Obligations

Identify every state and territory where your covered entity or business associate creates, receives, maintains, or transmits PHI. For each jurisdiction, document the patient rights that exceed HIPAA's baseline. Update this mapping annually or whenever significant legislation passes.

2. Update Policies and Your Notice of Privacy Practices

Your Notice of Privacy Practices must accurately reflect the actual rights patients hold — not just the federal minimum. If your state grants patients a shorter access timeline or broader amendment rights, your notice and internal policies need to say so. A generic, HIPAA-only notice in a state with stronger protections is a compliance gap waiting to become a complaint.

3. Train Your Workforce on State-Specific Requirements

The HIPAA Privacy Rule requires workforce training under 45 CFR §164.530(b), but that training must go beyond reciting federal rules. Staff who handle patient requests need to understand which state standards apply to their facility. Investing in comprehensive HIPAA training and certification programs that incorporate the floor-versus-ceiling concept ensures your team doesn't default to the federal minimum when patients are entitled to more.

The Minimum Necessary Standard and State Law Overlap

One area where the floor concept intersects with daily operations is the minimum necessary standard (45 CFR §164.502(b)). HIPAA requires covered entities to limit PHI use and disclosure to the minimum necessary for a given purpose. Several states go further, restricting specific categories of information — such as HIV status, mental health records, or genetic data — with heightened consent or disclosure requirements.

When a state law imposes a narrower disclosure standard than HIPAA's minimum necessary rule, the state law controls. Your workforce must be trained to recognize these situations and apply the more restrictive standard.

Business Associates Are Not Exempt from the Floor

Since the Omnibus Rule of 2013, business associates have been directly liable for HIPAA compliance. That includes respecting the floor-of-rights framework. If your business associate agreement (BAA) references only federal HIPAA obligations but your state law requires more, the BAA has a gap. Review your BAAs to ensure they incorporate compliance with applicable state privacy laws — not just 45 CFR Part 164.

Stop Treating HIPAA as the Ceiling

The single most common mistake I see in compliance programs is treating HIPAA as a checklist that, once completed, guarantees legal safety. That assumption ignores the entire design of the statute. HIPAA regulations establish a floor of patient rights, which means your real compliance obligation is often higher than what the federal rule says on its face.

Building a culture that understands this distinction starts with leadership and extends to every member of your workforce who touches PHI. If your team hasn't completed a rigorous, up-to-date compliance program, explore the resources at HIPAA Certify for workforce HIPAA compliance to close the gap before OCR — or a state attorney general — finds it first.