HIPAA is a federal law that safeguards a person's protected health information (PHI). It limits who can access this information without the patient's permission.
Individual states can enact stricter privacy laws. This means that in some states, patients may have more rights, or providers may face tighter restrictions related to sharing health information (particularly certain types of PHI, like mental health records and HIV status).
Healthcare providers and organizations must comply with both HIPAA and any applicable state laws, following whichever is more protective of patient privacy.