State Laws & HIPAA Gaps: Why Exemptions Aren't a Free Pass Anymore
If you're reading this, chances are you've dismissed state privacy laws as someone else's problem. You've got HIPAA. You're a covered entity. You're exempt. Right?
Not so fast. In June 2024, a Texas federal court ruled that HHS overstepped in its web-tracking guidance—specifically, in trying to classify IP addresses and visits to public-facing health pages as "individually identifiable health information." That part of the guidance? Invalidated. The rest still stands. But the bigger message is that HIPAA doesn't always cover as much as you think.
HIPAA is foundational—but not comprehensive. It protects PHI handled by covered entities and business associates, but it doesn't reach everything you touch. Website traffic, ad data, employee info—those fall through the cracks. That's where state privacy laws step in.
In this article, we'll break down:
- The three common types of HIPAA exemptions
- The growing influence of the NAIC
- Why federal law still feels like a fever dream
Not All HIPAA Exemptions Are Created Equal
State consumer privacy laws are multiplying, and with them, a web of exemption rules that don't line up neatly with HIPAA. Most states with privacy legislation include some kind of carveout for HIPAA—but how they do it matters. These carveouts generally fall into three buckets:
1. Entity-Wide
This is the friendliest model if your organization qualifies as a HIPAA-regulated entity. In this model, the state privacy law doesn't apply to you. Full stop. Unfortunately, not every state takes this approach.
2. Data-Based (PHI-Only) Exemptions
Other states focus on the type of data rather than the type of entity. In these jurisdictions, only your PHI is exempt. So, if you're handling data that's not considered PHI—say, tracking users on a public-facing benefits page—you could be subject to state law even as a HIPAA-covered entity.
3. Compliance-Conditional Exemptions
Some state attorneys general are arguing that HIPAA exemptions only apply if you're actively compliant. So if you fumble a breach or misuse data, they may claim you've voided your exemption entirely. "What the AGs are saying," notes Jen Pike, Counsel in the Health Care Group of Alston & Bird, "is that when you are using that data inappropriately, you are not compliant with HIPAA—and therefore not exempt."
The takeaway? Don't assume your HIPAA status protects you in every scenario. That assumption is getting weaker by the month.
The Ever‑Growing Patchwork of State Privacy Laws
State consumer privacy laws are no longer just a California thing. Colorado, Connecticut, Virginia, Oregon, Texas, and others have joined the party—and more are on the way. While many of these laws include HIPAA carveouts, the details (and enforcement priorities) vary wildly.
Even if you're skating by today, that could change soon—especially if you're an insurer. "Health payors have information that's not always PHI," explains Jen. "And [they] weren't giving individuals as many rights as we, as a state, think they should."
Enter the NAIC. The National Association of Insurance Commissioners is drafting a model privacy law specifically for health insurers. It’s designed to fill the cracks between HIPAA and existing state privacy frameworks, and it borrows heavily from general consumer privacy laws.
In other words: even if you’re exempt now, the model law could become your problem tomorrow.
The Federal Fever Dream
Could a national privacy law just fix all this? In theory, yes. In practice? Not yet.
Congress recently issued a Request for Information (RFI) to reboot the idea of a comprehensive federal privacy law. The American Privacy Rights Act stalled, but momentum is picking back up. "They're starting from scratch," said Jen. "And they're seeking feedback from stakeholders across all industries."
A federal law with true preemption power—one that overrides state patchworks—would simplify life for everyone. But that comes with risk too. Once it's locked in, it's locked in. "If that's something that's of concern to you," Jen added, "think about it with your teams and comment on it. They're going to be doing that for a while."
Until then, state laws are the reality. As Jen put it, "There's a lot of sensitive health data that isn't PHI. It's just out there in the wild west. And the states said: the federal government isn't protecting it, so we're going to."
Strategy: Go Higher or Go Modular?
So what do you do with all this? You’ve got two main options:
1. Highest-Bar Compliance
You build your program to meet the strictest state requirements (currently California or Connecticut, depending on the metric). That way, you're covered everywhere. It's simple—but not easy.
2. Modular Compliance
You segment your operations by state or data type and apply different rules depending on jurisdiction. It’s more cost-efficient up front, but requires airtight operations and constant vigilance.
For now, many payors are leaning toward modular plans with an eye on the highest-bar states. But as more laws pass—and the NAIC model gains traction—that highest bar could keep rising.
How to Stay Ahead (While Staying Sane)
This stuff moves fast, and being a HIPAA-covered entity isn’t the shield it used to be. State laws, federal flirtations, and industry-specific model rules are closing the gaps. Don’t wait for enforcement actions to catch up with your ops.
Want a faster way to stay in the loop? Sign up for the Freshpaint 5: our weekly newsletter with the need-to-knows for healthcare marketing in a privacy-first world—delivered in five minutes or less.