State Privacy Law Survey

State Consumer Health Privacy Laws: A Medicare Program Guide

Washington MHMDA, Nevada SB 370, California CPRA, Colorado CPA, and other state frameworks — compared and mapped to nationally-marketed Medicare programs, with a priority compliance framework for broker and carrier teams.

MediMatch Compliance Hub · Updated June 2026 · Primary sources cited

Why State Laws Matter Beyond HIPAA

Executive Answer

HIPAA preempts state law only where state law is less protective — it does not preempt more stringent state requirements. For data categories that HIPAA does not cover (health information collected outside the traditional healthcare system, including via SMS lead intake, websites, and wellness apps), state consumer health privacy laws fill the gap entirely. A nationally-marketed Medicare program that collects health-related data from consumers in multiple states must comply with the most protective state law applicable to each consumer — in addition to HIPAA. As of mid-2026, at least seven states have enacted consumer health data laws or broad privacy laws with strong health data provisions.

The practical trigger is straightforward: if your Medicare program collects any data that could be characterized as "consumer health data" — including Medicare eligibility status, health conditions, current medication, or even healthcare-seeking behavior — from residents of states with consumer health data laws, those laws apply. You cannot opt out of state law simply by choosing not to market in a particular state; only a technical restriction that actually blocks residents of that state from the intake flow would take their data out of scope, and that is operationally impractical for SMS programs.

The HIPAA preemption framework

Under 45 CFR § 160.203, HIPAA's privacy standards preempt "contrary" state law — but only where state law is less protective of individual privacy. State laws that impose more protective requirements are not preempted and must be followed alongside HIPAA. This creates a patchwork compliance obligation: federal floor (HIPAA) plus the highest applicable state ceiling for each consumer's state of residence.

Who is affected

Any organization that: (1) collects health-related data from individuals who are residents of states with consumer health data laws, AND (2) is not covered by a HIPAA exemption in the applicable state law for that specific data. This includes lead generation companies, marketing platforms, Medicare broker organizations, general agents, and technology vendors — including those that are not HIPAA covered entities in the traditional sense.

Washington: My Health My Data Act (MHMDA)

Executive Answer

Washington's MHMDA is the most comprehensive state consumer health data law enacted as of mid-2026. It requires opt-in consent before collecting consumer health data, prohibits geofencing near healthcare facilities, requires data processing agreements with third parties, and includes a private right of action. It applies extraterritorially to any organization that collects health data of Washington residents. For Medicare programs, MHMDA's consent requirement must be satisfied before any health-related data is collected via intake flows that reach Washington residents.

  • Effective: July 23, 2023 (large entities); March 31, 2024 (small businesses)
  • Statute: WA ESHB 1155; codified at RCW chapter 70.372
  • Consent standard: Opt-in before any consumer health data collection
  • Private right of action: Yes — individuals can sue directly
  • Geofencing prohibition: Yes — 2,000 feet from healthcare facilities
  • Extraterritorial: Yes — applies to any entity collecting WA consumer health data
  • HIPAA exemption: Partial — covers PHI held by covered entities; broader data categories are not exempt

See the dedicated Washington MHMDA guide for full analysis.

Nevada: Consumer Health Data Privacy Law (SB 370)

Executive Answer

Nevada SB 370, effective October 1, 2023, is the second health-specific state consumer privacy law in the US. It closely mirrors Washington's MHMDA in structure — opt-in consent, data processing agreements, consumer rights — but with a narrower definition of consumer health data and no private right of action. Enforcement is by the Nevada Attorney General. Like MHMDA, it applies extraterritorially to any organization collecting health data of Nevada residents.

  • Effective: October 1, 2023
  • Statute: Nevada SB 370 (2023 Session); codified at NRS chapter 629
  • Consent standard: Opt-in before collecting consumer health data
  • Private right of action: No — AG enforcement only
  • Data definition: Consumer health data — narrower than MHMDA but still broader than HIPAA PHI
  • Extraterritorial: Yes — applies to entities collecting data of Nevada residents
  • HIPAA exemption: Yes for HIPAA-covered PHI; non-PHI health data is within scope

Key differences from MHMDA

Nevada SB 370 does not include MHMDA's geofencing prohibition or the same breadth of "healthcare-seeking behavior" in its data definition. Nevada's definition focuses more narrowly on data that directly reveals a health condition, whereas MHMDA also covers data that could be used to infer a health condition. Both laws require opt-in consent and data processing agreements, making MHMDA-compliant consent language generally sufficient for Nevada as well.

California: CPRA Sensitive Personal Information

Executive Answer

The California Privacy Rights Act (CPRA) classifies health and medical information, as well as genetic data, as "sensitive personal information" (SPI). California consumers have enhanced rights over SPI: they can direct businesses to limit the use of their SPI to purposes necessary for the primary service, and they have the right to opt out of its sale or sharing. CPRA does not impose opt-in consent for health data collection (unlike MHMDA and NV SB 370), but it requires explicit notice and opt-out mechanisms. HIPAA-covered entities are largely exempt from CPRA for PHI, but non-covered-entity Medicare marketing organizations are subject to CPRA for California residents' health data.

  • Effective: January 1, 2023
  • Statute: California Civil Code § 1798.100 et seq. (CCPA as amended by Prop 24)
  • Consent standard: No opt-in required; opt-out of sale/sharing and right to limit SPI use
  • Private right of action: Limited — only for data breaches involving personal information; general violations are AG/CPPA enforcement
  • Market size consideration: Largest state population in the US — CPRA compliance is essential for any national program
  • HIPAA exemption: For PHI held by covered entities and BAs; broader health data is within scope

CPRA's "limit use" right for health data

Under California Civil Code § 1798.121, consumers may direct a business to limit its use of sensitive personal information — including health data — to uses necessary to provide the requested service. Businesses must honor this request and provide a clear mechanism (typically a link saying "Limit the Use of My Sensitive Personal Information") for California residents. Medicare programs must include this mechanism in their privacy notices and web interfaces.

Colorado: Colorado Privacy Act (CPA)

Executive Answer

The Colorado Privacy Act (CPA), effective July 1, 2023, classifies health data as sensitive personal data and requires opt-in consent before collecting or processing it. The CPA applies to controllers that collect data of 100,000 or more Colorado residents annually, or 25,000+ residents where data is sold or shared for commercial benefit. It is enforced by the Colorado Attorney General, with no private right of action. For Medicare programs with meaningful Colorado exposure, CPA's opt-in consent requirement for health data is the primary obligation to address.

  • Effective: July 1, 2023
  • Statute: CRS § 6-1-1301 et seq. (Colorado Privacy Act)
  • Threshold: 100,000 CO residents/year or 25,000 where data is sold
  • Consent standard: Opt-in for sensitive data (including health data)
  • Private right of action: No — AG enforcement only
  • HIPAA exemption: Yes for PHI held by covered entities

State-by-State Comparison Table

Executive Answer

Seven states have enacted laws with meaningful health data obligations beyond HIPAA as of mid-2026. Washington and Nevada have health-specific laws with opt-in consent. California, Colorado, Connecticut, and Virginia have general privacy laws with strong health data provisions. Texas has a broader-than-HIPAA health privacy law predating the current wave. The table below summarizes the key dimensions for Medicare program compliance planning.

| State       | Law                         | Effective      | Consent for Health Data | Private Right of Action | HIPAA Exemption | Extraterritorial |
|-------------|-----------------------------|----------------|-------------------------|-------------------------|-----------------|------------------|
| Washington  | MHMDA (ESHB 1155)           | Jul 2023       | Opt-in                  | Yes                     | Partial         | Yes              |
| Nevada      | SB 370 (NRS 629)            | Oct 2023       | Opt-in                  | No                      | Partial         | Yes              |
| California  | CPRA (Civil Code §1798)     | Jan 2023       | Opt-out / Limit         | Breach only             | Partial         | Yes              |
| Colorado    | CPA (CRS §6-1-1301)         | Jul 2023       | Opt-in                  | No                      | Yes (PHI)       | Yes              |
| Connecticut | CTDPA (PA 22-15)            | Jul 2023       | Opt-in                  | No                      | Yes (PHI)       | Yes              |
| Virginia    | VCDPA (§59.1-571)           | Jan 2023       | Opt-in                  | No                      | Yes (PHI)       | Yes              |
| Texas       | HB 300 (HSC §181)           | 2012 (amended) | Consent required        | Yes                     | Partial         | Yes              |

Table reflects major enacted state laws with health data provisions as of June 2026. State laws evolve; verify current requirements with legal counsel before relying on this summary.

Priority Framework for Medicare Programs

Executive Answer

The most efficient compliance approach for a nationally-marketed Medicare program is to build consent flows and data handling practices to Washington MHMDA and Nevada SB 370 standards, the most demanding currently enacted frameworks. MHMDA's opt-in consent, data processing agreement requirements, and consumer rights framework exceed the requirements of most other state laws. A program compliant with MHMDA will generally satisfy CO CPA, CT CTDPA, and VA VCDPA with minimal additional customization. California CPRA requires specific "Limit the Use of My SPI" mechanisms in addition to MHMDA compliance; those should be added for California-facing interfaces.

1. Address first — highest obligation and litigation risk

  • Washington (MHMDA / ESHB 1155): Opt-in consent, private right of action, broadest data definition, extraterritorial. Build your baseline compliance to this standard.
  • Nevada (SB 370 / NRS 629): Opt-in consent, AG enforcement, health-specific law. Narrower definition than MHMDA; WA-compliant consent generally satisfies NV requirements.
  • Texas (HB 300 / HSC §181): Broader than HIPAA, private right of action, extraterritorial. Large Medicare market — requires consent for health data use beyond primary purpose.

2. Address as part of MHMDA build-out — incremental work

  • California (CPRA): Opt-out / Limit SPI mechanism required. Add "Limit the Use" link for CA residents. Largest state — essential for national programs.
  • Colorado (CPA): Opt-in for health sensitive data. MHMDA-compliant consent generally satisfies CO requirements. AG enforcement only.
  • Connecticut (CTDPA): Opt-in for sensitive data including health. Structurally similar to CO CPA. MHMDA-compliant consent covers core obligations.
  • Virginia (VCDPA): Opt-in for sensitive data. Similar to CO and CT. MHMDA baseline generally satisfies requirements.

3. Monitor — evolving legislation in additional states

  • Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas (TDPSA): General CPAs enacted 2023–2024. Most classify health data as sensitive and require opt-in consent. Review each as effective dates approach.

Primary Sources

1. WA ESHB 1155 — My Health My Data Act (codified at RCW chapter 70.372).
app.leg.wa.gov → RCW 70.372
2. Nevada SB 370 (2023) — Consumer Health Data Privacy Law — Codified at NRS chapter 629.
leg.state.nv.us → NV SB 370 (PDF)
3. California Privacy Rights Act (CPRA) — California Civil Code §§ 1798.100–1798.199.100.
leginfo.legislature.ca.gov → CA Civil Code §1798.100
4. Colorado Privacy Act (CPA) — CRS §§ 6-1-1301 to 6-1-1313.
leg.colorado.gov → SB 21-190 (CPA)
5. 45 CFR § 160.203 — HIPAA Preemption Framework — Federal preemption analysis; HIPAA preempts only less protective state laws.
ecfr.gov → 45 CFR § 160.203

Frequently Asked Questions

Why do state privacy laws matter if we comply with HIPAA?

HIPAA preempts state law only where state law is less protective — more protective state laws still apply. For health data outside HIPAA's PHI definition (collected by non-covered entities or in non-covered contexts), state laws provide the entire compliance framework. Nationally-marketed Medicare programs must comply with the highest applicable state law for each consumer's state of residence.

Which state has the strongest consumer health privacy law?

Washington's MHMDA — the broadest data definition, opt-in consent, private right of action, geofencing prohibition, and extraterritorial reach. Nevada SB 370 is the second-most restrictive health-specific law, with opt-in consent but no private right of action and a narrower data definition.

Does California's CPRA apply to health data in Medicare programs?

Yes, for non-covered-entity Medicare marketing organizations. CPRA classifies health information as sensitive personal information (SPI) and requires businesses to honor requests to limit SPI use and offer opt-out of sale/sharing. HIPAA-covered entities are largely exempt for PHI, but the exemption is narrow — broader health data collected in marketing contexts is within CPRA scope.

Does Nevada SB 370 apply to Medicare programs?

Yes, for programs collecting consumer health data of Nevada residents. NV SB 370 requires opt-in consent before collecting health data, prohibits sale without authorization, and requires data processing agreements with third-party processors. It applies extraterritorially — no Nevada presence required. Enforcement is by the Nevada AG; no private right of action.

What is Colorado's approach to consumer health data?

The Colorado Privacy Act classifies health data as sensitive personal data and requires opt-in consent before collecting or processing it. It applies to organizations collecting data of 100,000+ Colorado residents annually or 25,000+ where data is sold. AG enforcement only; no private right of action. MHMDA-compliant consent generally satisfies CO CPA health data requirements.

What states should Medicare programs prioritize?

Priority 1: Washington (MHMDA — opt-in, private right of action), Nevada (SB 370 — opt-in, AG enforcement), Texas (HB 300 — extraterritorial, private right of action). Priority 2: California (CPRA — largest market, "Limit SPI" mechanism needed), Colorado, Connecticut, Virginia (all opt-in for health data). Build to MHMDA/NV standards as your baseline — it will satisfy most other states' requirements with incremental California-specific additions.

Does Texas HB 300 affect Medicare programs?

Yes. Texas HB 300 applies to any entity that assembles or maintains protected health information of more than 50 individuals, including non-covered entities. It has extraterritorial reach and a private right of action — making it the most consequential state health privacy law for Texas residents outside of MHMDA. Consent is required for uses of health information beyond the primary purpose.

What is the most efficient compliance strategy for a national program?

Build consent flows and data practices to MHMDA (Washington) standards — the most demanding currently enacted framework. An MHMDA-compliant program will generally satisfy CO CPA, CT CTDPA, VA VCDPA, and NV SB 370 with minimal customization. Add California-specific "Limit the Use of My SPI" mechanisms for CA-facing interfaces. Monitor other states' laws as effective dates approach.