STLT Limits on Access
How STLT Laws Can Limit Public Health Access to EHI
State, Tribal, local, and territorial (STLT) laws affect and, in some cases, limit what public health authorities (PHAs) can access, even when HIPAA permits such access. While HIPAA provides a federal baseline for privacy and data sharing, STLT laws may be more restrictive, and public health professionals must be aware of these variations. Some PHAs might not be subject to HIPAA, and instead might have public health laws that govern privacy and data sharing within their jurisdiction.
HIPAA is a Floor, not a Ceiling
HIPAA establishes minimum federal standards for privacy and access to health information. It does not override more protective state or local laws.
If a state law:
- Provides greater privacy protections, or
- Grants patients more control over their health data,
…then the state law takes precedence (DHHS, 2025).
Common Types of STLT Variations
- Narrower Definitions of PHA – Not all state laws define Tribal or local entities as “public health authorities” in the same way HIPAA does. In these cases, even if HIPAA permits sharing, the state law may not authorize that data flow.
  - Tribal facilities on Tribal lands are not subject to state law but follow Tribal laws and regulations which may have additional limitations or considerations.
- Limitations Based on Health Information Type – Some health data types (e.g., reproductive health, behavioral health, genetic testing, HIV status, testing, and care) may have additional privacy protections under state law that restrict public health access without special approval or circumstances.
  - One state provides an extra layer of privacy protection for behavioral health records beyond HIPAA, specifying that these data cannot be disclosed without an individual’s written consent, except under very limited circumstances.
  - If a PHA is investigating an uptick in opioid overdoses, they could review emergency department records to understand how many visits involve patients with a diagnosed substance use disorder, as these data are aggregated and deidentified. However, they could not access identifiable individual-level behavioral health information from patient records without written patient authorization.
- Data Sharing Prohibitions Across Jurisdictions – Certain jurisdictions limit or require agreements before cross-jurisdictional sharing (e.g., between a hospital and a PHA outside the same jurisdiction).
  - A major metropolitan area, spanning several states in the eastern U.S., requires a data use agreement (DUA) before sharing specific types of healthcare data (e.g., behavioral health, communicable diseases, and syndromic surveillance) with neighboring PHAs.
Recommendations for Public Health Practitioners
Public health professionals should:
- Consult legal counsel or privacy experts on applicable STLT laws.
- Consider establishing formal agreements, such as memorandums of understanding or DUAs that clarify data use parameters, requirements, and limitations. The Network for Public Health Law provides templates for data sharing agreements and DUAs on their website.
- Engage in education and outreach with clinical partners to reduce misunderstanding and risk-aversion stemming from perceived legal barriers.
- Consider operating on the concept of the minimum necessary requirement detailed by HIPAA (DHHS, 2003).
- Stay informed on evolving state laws, especially those related to reproductive health (Lazzarotti and Silver, 2025; DHHS, 2025), substance use data (NASHP, 2021), behavioral health (Sullivan and Strobel, 2025), and immunization registry reporting (Kolman, 2025).
References
Department of Health and Human Services. (2025, March). Summary of the HIPAA Privacy Rule. Retrieved May 2025, from Health Information Privacy: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
Department of Health and Human Services. (2003, April). Minimum Necessary Requirement. Retrieved June 2025, from Health Information Privacy: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html
Department of Health and Human Services. (2025, July). HIPAA Privacy Rule Final Rule to Support Reproductive Health Care Privacy: Fact Sheet. Retrieved July 2025, from Health Information Privacy: https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html
Kolman S. Vaccine Policy Remains a Topic of Interest for State Legislatures. May 29, 2025. National Council of State Legislatures. https://www.ncsl.org/state-legislatures-news/details/vaccine-policy-remains-a-topic-of-interest-for-state-legislatures. Accessed June 30, 2025.
Lazzarotti JL, Silver DW. States Move Forward with Privacy Protections to Close HIPAA Gaps for Health, Reproductive Health Info. May 27, 2025. National Law Review. https://natlawreview.com/article/states-move-forward-privacy-protections-close-hipaa-gaps-health-reproductive-health. Accessed June 26, 2025.
National Academy for State Health Policy (NASHP). Report: How States Access and Deploy Data to Improve Substance Use Disorder Prevention, Treatment, and Recovery. January 29, 2021. https://nashp.org/how-states-access-and-deploy-data-to-improve-sud-prevention-treatment-and-recovery/. Accessed June 26, 2025.
Sullivan JA, Strobel T. Behavioral Health Law Ledger. March 2025. National Law Review. https://natlawreview.com/article/behavioral-health-law-ledger-march-2025. Accessed June 26, 2025.








