STLT Limits on Access
How STLT Laws Can Limit Public Health Access to EHI
State, Tribal, local, and territorial (STLT) laws affect and, in some cases, limit what public health authorities (PHAs) can access, even when HIPAA permits such access. While HIPAA provides a federal baseline for privacy and data sharing, STLT laws may be more restrictive, and public health professionals must be aware of these variations. Some PHAs might not be subject to HIPAA and might instead have public health laws that govern privacy and data sharing within their jurisdiction.
HIPAA is a Floor, not a Ceiling
HIPAA establishes minimum federal standards for privacy and access to health information. It does not override more protective state or local laws.
If a state law:
- Provides greater privacy protections, or
- Grants patients more control over their health data,
…then the state law takes precedence (DHHS, 2025).
Common Types of STLT Variations
- Narrower Definitions of PHA – Not all state laws define Tribal or local entities as "public health authorities" in the same way HIPAA does. In these cases, even if HIPAA permits sharing, the state law may not authorize that data flow.
  - Tribal facilities on Tribal lands are not subject to state law but follow Tribal laws and regulations which may have additional limitations or considerations.
- Limitations Based on Health Information Type – Some health data types (e.g., reproductive health, behavioral health, genetic testing, HIV status, testing, and care) may have additional privacy protections under state law that restrict public health access without special approval or circumstances.
  - One state provides an extra layer of privacy protection for behavioral health records beyond HIPAA, specifying that these data cannot be disclosed without an individual's written consent, except under very limited circumstances.
    - If a PHA is investigating an uptick in opioid overdoses, they could review emergency department records to understand how many visits involve patients with a diagnosed substance use disorder, as these data are aggregated and deidentified. However, they could not access identifiable individual-level behavioral health information from patient records without written patient authorization.
- Data Sharing Prohibitions Across Jurisdictions – Certain jurisdictions limit or require agreements before cross-jurisdictional sharing (e.g., between a hospital and a PHA outside the same jurisdiction).
  - A major metropolitan area, spanning several states in the eastern U.S., requires a data use agreement (DUA) before sharing specific types of healthcare data (e.g., behavioral health, communicable diseases, and syndromic surveillance) with neighboring PHAs.
Recommendations for Public Health Practitioners
Public health professionals should:
- Consult legal counsel or privacy experts on applicable STLT laws.
- Consider establishing formal agreements, such as memorandums of understanding or DUAs that clarify data use parameters, requirements, and limitations. The Network for Public Health Law provides templates for data sharing agreements and DUAs on their website.
- Engage in education and outreach with clinical partners to reduce misunderstanding and risk-aversion stemming from perceived legal barriers.
- Consider operating on the concept of the minimum necessary requirement detailed by HIPAA (DHHS, 2003).
- Stay informed on evolving state laws, especially those related to reproductive health (Lazzarotti and Silver, 2025; DHHS, 2025), substance use data (NASHP, 2021), behavioral health (Sullivan and Strobel, 2025), and immunization registry reporting (Kolman, 2025).
References
Department of Health and Human Services. (2025, March). Summary of the HIPAA Privacy Rule. Retrieved May 2025, from Health Information Privacy: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
Department of Health and Human Services. (2003, April). Minimum Necessary Requirement. Retrieved June 2025, from Health Information Privacy: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html
Department of Health and Human Services. (2025, July). HIPAA Privacy Rule Final Rule to Support Reproductive Health Care Privacy: Fact Sheet. Retrieved July 2025, from Health Information Privacy: https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html
Kolman S. Vaccine Policy Remains a Topic of Interest for State Legislatures. May 29, 2025. National Council of State Legislatures. https://www.ncsl.org/state-legislatures-news/details/vaccine-policy-remains-a-topic-of-interest-for-state-legislatures. Accessed June 30, 2025.
Lazzarotti JL, Silver DW. States Move Forward with Privacy Protections to Close HIPAA Gaps for Health, Reproductive Health Info. May 27, 2025. National Law Review. https://natlawreview.com/article/states-move-forward-privacy-protections-close-hipaa-gaps-health-reproductive-health. Accessed June 26, 2025.
National Academy for State Health Policy (NASHP). Report: How States Access and Deploy Data to Improve Substance Use Disorder Prevention, Treatment, and Recovery. January 29, 2021. https://nashp.org/how-states-access-and-deploy-data-to-improve-sud-prevention-treatment-and-recovery/. Accessed June 26, 2025.
Sullivan JA, Strobel T. Behavioral Health Law Ledger. March 2025. National Law Review. https://natlawreview.com/article/behavioral-health-law-ledger-march-2025. Accessed June 26, 2025.








