The 50-State Healthcare Compliance Atlas.
HIPAA is the federal floor. Every state adds something on top — a shorter breach window, a named statute, an Attorney General notification step, a private right of action. This atlas catalogues that overlay for all 50 states: the breach clock, the named laws (CMIA, BIPA, MHMDA, SHIELD, HB 300, 201 CMR 17.00), and links into the relevant compliance guides. Research aid, not legal advice.
Interactive Map
Jump to state index →Click any state to open its compliance overlay. Keyboard: Tab moves between states alphabetically, Enter activates. Pika color on hover and focus.
The interactive map renders on larger screens. Use the alphabetical index below.
All 50 states.
The named statutes and the shortest breach-notification clock that applies to PHI in that state. Click through for the full overlay page, regulator links, and the related compliance guides.
A
Alabama
45dAlabama was the last U.S.
Data Breach Notification Act of 2018
Alaska
60dAlaska has no state-specific medical-information privacy statute beyond HIPAA, and no health-data-only breach rule.
Information Protection Act
Arizona
45dArizona broadened its breach statute in 2018 to add medical information, health insurance identifiers, biometric data, and online credentials.
Data Breach Notification Statute
Arkansas
60dArkansas's Personal Information Protection Act adds 'medical information' to the categories triggering breach notification but does not impose health-information-specific privacy rules beyond HIPAA.
Information Protection Act
C
California
15bdCalifornia is the most demanding state for healthcare data.
of Medical Information Act · Medical Information Breach Notice
Colorado
30dColorado pairs one of the strictest general breach-notification windows in the country (30 days) with the Colorado Privacy Act, which classifies health data as sensitive consumer data requiring opt-in consent — but only for data outside HIPAA's PHI scope.
Data Breach Notification Statute · Privacy Act
Connecticut
60dConnecticut's healthcare overlay sits in two places: a 60-day breach window aligned with HIPAA's federal clock plus AG notice, and the Connecticut Data Privacy Act, which covers consumer-health data falling outside HIPAA.
Data Breach Notification Statute · Data Privacy Act
D
F
G
H
I
Idaho
60dIdaho has no state-specific medical-information privacy statute beyond HIPAA.
Identity Theft Statute
Illinois
60dIllinois has two statutes that put healthcare-adjacent practices in the country's most litigated privacy environment: BIPA for biometrics (fingerprint timeclocks, facial-recognition check-in, voiceprint authentication) and GIPA for genetic information.
Information Privacy Act · Information Privacy Act
Indiana
60dIndiana has no comprehensive state-specific medical-information privacy statute beyond HIPAA.
Disclosure of Security Breach Statute
Iowa
60dIowa has no state-specific medical-information privacy statute beyond HIPAA.
Personal Information Security Breach Protection
K
L
M
Maine
30dMaine pairs a 30-day breach notice clock — one of the shortest in the country — with required regulator and consumer reporting agency notice.
Notice of Risk to Personal Data Act
Maryland
45dMaryland is one of the handful of states that maintain a free-standing healthcare confidentiality statute alongside HIPAA — the Maryland Confidentiality of Medical Records Act creates a private right of action that HIPAA itself does not.
Confidentiality of Medical Records Act · Personal Information Protection Act
Massachusetts
60dMassachusetts is the state most often cited as having gone furthest on prescriptive cybersecurity rules.
for the Protection of Personal Information of Residents of the Commonwealth · Data Breach Notification Statute
Michigan
60dMichigan has no state-specific medical-information privacy statute beyond HIPAA.
Identity Theft Protection Act
Minnesota
60dMinnesota's Health Records Act runs alongside HIPAA and in some scenarios — particularly release-of-records consent — is stricter than the federal Privacy Rule.
Health Records Act · Breach Notification Statute
Mississippi
60dMississippi has no state-specific medical-information privacy statute beyond HIPAA.
Breach Notification Statute
Missouri
60dMissouri has no comprehensive state-specific medical-information privacy statute beyond HIPAA.
Personal Information Breach Notification Statute
Montana
60dMontana has no comprehensive state-specific medical-information privacy statute beyond HIPAA.
Impediment of Identity Theft Statute
N
Nebraska
60dNebraska has no state-specific medical-information privacy statute beyond HIPAA.
Financial Data Protection and Consumer Notification of Data Security Breach Act
Nevada
60dNevada's SB 370 (often referenced in early press coverage as SB 538) is a Washington MHMDA-style law that captures consumer health data sitting outside HIPAA's PHI scope — wellness app data, fitness data, certain employer health programs.
Security and Privacy of Personal Information · Consumer Health Data Privacy Law
New Hampshire
60dNew Hampshire has no state-specific medical-information privacy statute beyond HIPAA.
Hampshire Right to Privacy / Notice of Security Breach
New Jersey
60dNew Jersey has no comprehensive state-specific medical-information privacy statute beyond HIPAA but does have an unusual procedural quirk: breach notice to the New Jersey State Police is required before individual notice.
Jersey Identity Theft Prevention Act
New Mexico
45dNew Mexico has no comprehensive state-specific medical-information privacy statute beyond HIPAA but does impose a 45-day breach notice clock — one of the shorter ones in the country.
Mexico Data Breach Notification Act
New York
30dNew York's overlay is two related but separate obligations.
York Information Security Breach and Notification Act · Hacks and Improve Electronic Data Security
North Carolina
60dNorth Carolina has no state-specific medical-information privacy statute beyond HIPAA.
Carolina Identity Theft Protection Act
North Dakota
60dNorth Dakota has no state-specific medical-information privacy statute beyond HIPAA.
Dakota Notice of Security Breach
O
Ohio
45dOhio is one of the few states to use a carrot-and-stick approach.
Breach of Security Statute · Data Protection Act
Oklahoma
60dOklahoma has no state-specific medical-information privacy statute beyond HIPAA.
Security Breach Notification Act
Oregon
45dOregon has no state-specific medical-information privacy statute beyond HIPAA but does impose a 45-day breach notice clock with a 250-resident AG notice threshold.
Consumer Information Protection Act
P
R
S
T
Tennessee
60dTennessee imposes a 45-day breach notice clock generally, but explicitly defers to HIPAA's 60-day window for covered entities — making it one of the cleaner state-federal interlocks.
Identity Theft Deterrence Act / Breach Notification
Texas
60dTexas HB 300 broadens HIPAA in three notable ways: a wider definition of covered entity that catches Texas businesses HIPAA itself would not, mandatory biennial training, and a stricter 15-business-day patient access window for electronic records.
Medical Records Privacy Act / HB 300 · Identity Theft Enforcement and Protection Act
U
V
Vermont
45dVermont pairs a 45-day individual notice clock with one of the shortest regulator-notice windows in the country: preliminary AG notice within 14 business days of discovery.
Security Breach Notice Act
Virginia
60dVirginia was the second state in the country to pass a comprehensive consumer privacy law.
Breach of Personal Information Notification · Consumer Data Protection Act
W
Washington
30dWashington's MHMDA is the most aggressive consumer-health privacy regime in the country — opt-in consent for collection and sharing of any consumer health data outside HIPAA's scope, a geofencing prohibition around healthcare facilities, and a private right of action.
Data Breach Notification Statute · My Health My Data Act
West Virginia
60dWest Virginia has no state-specific medical-information privacy statute beyond HIPAA.
Virginia Breach of Security of Consumer Information
Wisconsin
45dWisconsin's Patient Health Care Records statute runs alongside HIPAA and is stricter on release-of-records consent in some scenarios.
Patient Health Care Records · Notice of Unauthorized Acquisition of Personal Information
Wyoming
60dWyoming has no state-specific medical-information privacy statute beyond HIPAA.
Breach of Security Notification
Stop juggling 50 state checklists.
The free Security Risk Analysis is where the federal HIPAA program plus the state overlays each of your locations triggers gets assembled into a review-ready binder — training-logged and ready for payer, BAA, or internal review. Administrative documentation aid, not legal advice.