Legal & Compliance

State mental health privacy laws stricter than HIPAA: what cloud AI scribes miss in California, New York, and Illinois

HIPAA is the federal floor, not the ceiling. California's Confidentiality of Medical Information Act (CMIA), Illinois's Mental Health and Developmental Disabilities Confidentiality Act (MHDDCA), and New York's Mental Hygiene Law § 33.13 each impose mental health record protections that exceed HIPAA's baseline requirements in specific, legally significant ways. A therapist in any of these states who uses a cloud AI scribe — whose vendor holds session audio, transcripts, and derived notes — may be creating state-law compliance exposure that a federal HIPAA business associate agreement does not address.

2026-06-20 · ~2,400 words · 11 min read

HIPAA as the floor: what federal preemption actually preserves

Most therapists learn HIPAA as the primary framework governing the confidentiality of patient records. It is a comprehensive federal statute — the covered entity, business associate, and minimum necessary standards are widely understood at least in outline, and the BAA framework for delegating protected health information processing to vendors has become a routine part of clinical practice administration. What is less widely understood is that HIPAA's preemption structure was specifically designed to allow states to be more protective, not to displace state mental health privacy laws that were already in force.

HIPAA's preemption provision at 45 CFR § 160.203 establishes that a "contrary" state law is preempted — but immediately carves out an exception for state laws that are "more stringent" than HIPAA's requirements. A state law is more stringent under 45 CFR § 160.202 if it provides greater privacy rights for individuals, imposes stricter conditions on disclosure, or provides greater restrictions on uses of protected health information. The practical consequence is that HIPAA requires compliance with both the federal standard and any applicable state standard that is more protective — and wherever the state standard is stricter, the state standard controls.

Mental health records have been treated by states as a special category warranting heightened protection since long before HIPAA was enacted in 1996. California, Illinois, and New York each have statutes that address mental health record confidentiality specifically — statutes that reflect legislative judgments about the sensitivity of mental health information that predate and coexist with HIPAA's general health privacy framework. These state laws were not preempted by HIPAA because they are more stringent. They continue to impose obligations on therapists in these states independently of whatever HIPAA compliance looks like.

The relevance to cloud AI scribes is direct. A cloud AI scribe vendor operating under a federal HIPAA business associate agreement has committed to meeting HIPAA's standards. It has not necessarily committed to meeting California CMIA, Illinois MHDDCA, or New York Mental Hygiene Law standards — and a BAA that references only HIPAA compliance does not, by itself, ensure state-law compliance. For background on what a HIPAA business associate agreement does and does not cover, see our foundational analysis of what a BAA covers and what it doesn't.

California: the CMIA and Welfare & Institutions Code § 5328

California imposes two overlapping mental health privacy frameworks that exceed HIPAA in significant respects: the Confidentiality of Medical Information Act and the mental health confidentiality provisions of the Welfare and Institutions Code.

The California Confidentiality of Medical Information Act

The CMIA, codified at California Health and Safety Code § 56.10 et seq., applies to any "provider of health care" and to any "business associate" as defined by HIPAA. On its face, this suggests alignment with the federal framework — but CMIA imposes requirements that differ from HIPAA's in several key areas.

Most significantly, CMIA requires specific written authorization before a provider may disclose "medical information" to most categories of recipients — including business associates performing certain functions. CMIA's authorization requirements are more prescriptive than HIPAA's authorization standards. CMIA prohibits disclosure of medical information to an employer without explicit patient authorization and without specification of the categories of information to be disclosed — a restriction that goes beyond what HIPAA requires in the treatment-payment-operations context. California patients have a private right of action under CMIA at Health and Safety Code § 56.36, which provides for actual damages, statutory damages of $1,000 per violation, and reasonable attorney fees against unauthorized disclosers.

The CMIA's application to cloud AI scribe vendors is not definitively resolved as of 2026. The critical question is whether a vendor that receives, processes, and retains session audio and transcripts from California patients — under a contractual relationship with a California-licensed therapist — is "maintaining medical information" in a way that subjects the vendor to CMIA's independent obligations, or whether the vendor's obligations flow entirely through the HIPAA BAA framework. California courts have applied CMIA broadly in some contexts, and the statute's language is broad enough to reach third-party service providers in certain circumstances. Vendors whose terms of service and BAAs are written solely with reference to federal HIPAA compliance may not have analyzed their California obligations.

Welfare and Institutions Code § 5328: Lanterman-Petris-Short protections

California Welfare and Institutions Code § 5328 is part of the Lanterman-Petris-Short Act, which governs involuntary psychiatric treatment in California. Section 5328 prohibits disclosure of "information and records obtained in the course of providing services" under the LPS Act to anyone without the patient's written authorization, except in a narrow set of enumerated circumstances. The statute applies to "any person" providing mental health treatment in LPS-covered contexts and to the records of those services.

The § 5328 framework is more restrictive than HIPAA in its enumerated exceptions for permissible disclosure. HIPAA's 12 categories of permissible disclosure without authorization are broader than § 5328's enumerated exceptions. For LPS-covered mental health services in California, § 5328 provides the stricter standard — and because it is more stringent under the HIPAA preemption analysis, it controls. A cloud AI scribe vendor that retains verbatim content from LPS-covered California mental health encounters holds content that is subject to § 5328's disclosure restrictions independent of any HIPAA analysis. The vendor's BAA — which obligates the vendor to meet HIPAA standards — does not establish that the vendor has analyzed or committed to meeting § 5328 standards.

California has also enacted the California Privacy Rights Act (CPRA, effective 2023), which amended the CCPA and added sensitive personal information categories that include health information. The CCPA/CPRA healthcare exemption largely tracks HIPAA coverage, but the intersection of CCPA/CPRA and CMIA for entities that are not HIPAA-covered entities and that provide services to therapists is a legally complex area, one that vendors operating purely under a federal BAA framework may not have fully navigated.

Illinois: the Mental Health and Developmental Disabilities Confidentiality Act

Illinois's Mental Health and Developmental Disabilities Confidentiality Act (740 ILCS 110/1 et seq.) is frequently cited as one of the most protective state mental health privacy statutes in the country. It applies to records created by any "therapist" — defined broadly to include psychiatrists, psychologists, social workers, counselors, and a range of other mental health professionals — and to "any person" employed by or consulting with a therapist in connection with the therapist's provision of services.

Narrower permissible disclosure than HIPAA

HIPAA permits disclosures without patient authorization in twelve categories, including treatment, payment, and healthcare operations — a framework that gives providers and their business associates significant latitude to share PHI for routine operational purposes. The MHDDCA's permissible disclosures are enumerated at 740 ILCS 110/9-12, and they are substantially narrower. The MHDDCA requires written patient consent for disclosures to most categories of third parties and does not have a general "healthcare operations" permission that would allow a therapist's vendor to use session content for purposes beyond the specific services the vendor provides to the therapist.

The MHDDCA specifically limits what a therapist's agent or vendor can do with information received in the course of providing services on the therapist's behalf. A cloud AI scribe vendor that uses session transcripts for model training, quality improvement, or internal analytics may be receiving information from an MHDDCA therapist for purposes beyond the specific service being provided — creating potential MHDDCA exposure if those uses are not independently authorized by patients. Under HIPAA, such uses might be permissible as healthcare operations under a properly executed BAA; under MHDDCA, the narrower framework may reach the same activity differently.

Civil and criminal penalties

MHDDCA violations carry civil damages for actual harm and punitive damages in cases of intentional violations (740 ILCS 110/15). The statute also provides for attorney fees and creates criminal liability under 740 ILCS 110/16 for intentional violations — making it a more consequential compliance requirement than HIPAA's civil money penalty framework for most categories of violation. A therapist who uses a cloud AI scribe whose vendor violates MHDDCA through unauthorized disclosure of Illinois patient records faces the prospect of being named in civil claims under both HIPAA and MHDDCA — claims that arise from the same underlying unauthorized disclosure but that involve different legal standards and different damages frameworks.

The vendor's potential independent liability

MHDDCA at 740 ILCS 110/3 applies to "any person" who receives information about a recipient of mental health services "in the course of providing services on behalf of" a therapist. This language is broad enough to reach a cloud AI scribe vendor as an entity receiving patient information in the course of providing transcription and note-drafting services on behalf of an Illinois-licensed therapist. Whether the vendor has independently analyzed its MHDDCA obligations — separate from its HIPAA BAA obligations — is a question that most vendors operating under federal HIPAA compliance frameworks have not publicly addressed.

The MHDDCA does not have a preemption clause that would displace a HIPAA BAA's obligations; the two frameworks operate in parallel. A vendor operating under a HIPAA BAA has not thereby satisfied its MHDDCA obligations if MHDDCA imposes additional or different requirements in the specific context of Illinois mental health service records.

New York: Mental Hygiene Law § 33.13 and legal process protections

New York Mental Hygiene Law § 33.13 governs the confidentiality of clinical records at mental health, developmental disability, and chemical dependency facilities licensed under Article 31 of the Mental Hygiene Law. It imposes a set of protections that differ from HIPAA's primarily in the context of legal process — the procedures by which subpoenas and court orders can compel production of mental health records.

Court-supervised disclosure under § 33.13

Under HIPAA's legal process exception at 45 CFR § 164.512(e), PHI may be disclosed in response to a subpoena or other legal process if satisfactory assurances are provided that the patient has been notified or that reasonable efforts to provide notice have been made. The standard is procedural: was notice given, and did the patient have an opportunity to object?

New York Mental Hygiene Law § 33.13(c) creates a more substantive standard. Clinical records covered by the statute may be disclosed pursuant to legal process only if the court in the proceeding independently finds that the disclosure is relevant and material to the proceeding, that the need for disclosure outweighs the privacy interests at stake, and that the patient's rights will be adequately protected. Courts applying § 33.13 have the authority to conduct in camera review of records before ordering disclosure and to limit disclosure to the specific portions of the record that meet the relevance and necessity standard. This judicial balancing requirement goes beyond HIPAA's procedural approach — it requires a substantive court determination that the specific disclosure is justified, not merely that the notice procedures were followed.

New York courts have applied § 33.13 to resist and limit civil discovery demands that would have been permissible under HIPAA's framework. In cases governed by New York law, this protection can operate even in federal court proceedings, where Erie doctrine requires application of state substantive law. For an analysis of how subpoenas reach therapy records and how these protections operate in practice, see our post on whether AI therapy notes and scribe archives can be subpoenaed.

The scope question: "facilities" versus private practice

Mental Hygiene Law § 33.13's protections apply to clinical records at "facilities" licensed under Article 31 — a category that includes licensed outpatient mental health clinics, hospitals with psychiatric units, and Article 31-licensed treatment programs. Private practice therapists who are not operating through a licensed facility may not fall within § 33.13's coverage in the same way. They are instead subject to HIPAA, to professional licensing obligations under New York Education Law, and to HIPAA's preemption framework, which preserves any more stringent state requirements that apply to their practice.

The scope question matters for cloud AI scribe vendors because it affects which framework applies to records held by the vendor. If § 33.13 applies to a therapist's records — because the therapist practices at an Article 31 facility — then the court-supervised disclosure procedure that § 33.13 requires applies to the therapist's records. It does not necessarily apply independently to a cloud vendor's retained session content, which the vendor holds as its own business record under its own contractual framework. This is precisely the gap that makes cloud AI scribe data custody concerning in the New York legal context: § 33.13's protections secure the therapist's records at the facility, but the vendor's verbatim archive — maintained separately under the vendor's own terms of service — may not be subject to the same court-supervised disclosure procedures.

This creates a situation where a mental health patient's strongest legal protections apply to the formal clinical record at the covered facility, while the more complete verbatim account of what was said in the session — held by the cloud AI scribe vendor as a separate business record — may be reachable through ordinary civil subpoena without § 33.13's judicial oversight requirement. For an analysis of how vendor-held records differ from facility-held clinical records in legal proceedings, see our post on psychotherapy notes versus progress notes under HIPAA.

The multi-state telehealth compliance layer

Telehealth practice creates a layered compliance problem for state mental health privacy laws that does not arise in the same way in in-person practice. A therapist licensed in California who treats a patient located in Illinois via telehealth may be simultaneously subject to California CMIA and Illinois MHDDCA — and a cloud AI scribe vendor processing that session may hold records that implicate both states' frameworks.

PsyPACT, which has enabled cross-state telehealth practice across participating states, has expanded the geographic scope of practice for licensed psychologists and — through state compact legislation — for other mental health professionals. A PsyPACT therapist with a California license treating patients in Illinois or New York is practicing under their home state's licensure authority and is subject to the professional obligations of their home state, but the therapeutic relationship involves a patient in another state whose state law may impose independent protections on records about that patient's mental health treatment.

The conflict-of-laws questions that arise when state mental health privacy laws with differing standards apply to the same records are not fully resolved in case law as of 2026. What is clear is that the more protective standard is likely to control under any analysis — which means that a multi-state telehealth therapist using a cloud AI scribe may face the most restrictive requirements of every state in which their patients are located, all of which the vendor's BAA may address only at the federal HIPAA level.

For our analysis of the cross-state data custody questions that arise in PsyPACT practice more generally, see our post on PsyPACT telehealth and cloud data custody.

What cloud AI scribe vendors typically address (and what they don't)

Most cloud AI scribe vendors operating in the therapy market offer a HIPAA business associate agreement as the primary compliance documentation for therapists. The BAA commits the vendor to safeguarding PHI in accordance with HIPAA's privacy and security rules, to reporting breaches, to using PHI only for the purposes specified in the agreement, and to satisfying the other requirements of 45 CFR § 164.504(e). This is the standard framework for HIPAA-compliant healthcare SaaS, and most established vendors in the therapy documentation market have implemented it.

What is significantly less common is a cloud AI scribe vendor that has specifically analyzed and contractually committed to California CMIA compliance, Illinois MHDDCA compliance, or New York Mental Hygiene Law compliance. These state laws impose different obligations — narrower permissible disclosure categories, specific authorization requirements, civil liability frameworks — that are not fully addressed by a HIPAA BAA commitment. Therapists reviewing their vendors' compliance documentation rarely ask specifically about state mental health privacy law compliance, and vendors rarely volunteer the analysis.

The practical consequence for a California LMFT, an Illinois LPC, or a New York LCSW using a cloud AI scribe is that the vendor's BAA — while addressing the federal compliance baseline — may not constitute a complete compliance answer for their state. The more protective state standard controls under HIPAA's preemption framework, but whether the vendor has independently addressed that more protective standard in its product design, its data retention policies, and its contractual commitments is a different question.

For context on the general compliance framework and what a BAA does and does not commit a vendor to, see our analysis of what cloud AI scribes actually transmit and retain.

On-device processing: resolving the state-law compliance question at the architecture level

When AI inference runs on a therapist's local device — session audio captured locally, transcription performed by a local model, note drafting generated by a local model — the vendor receives no session content. The threshold question for California CMIA, Illinois MHDDCA, and New York Mental Hygiene Law is whether the vendor is "maintaining" or "receiving" protected information about mental health patients. On-device processing removes the vendor from that analysis entirely: there is no California medical information at the vendor, no MHDDCA-covered records at the vendor, no Mental Hygiene Law § 33.13 records at the vendor.

This architectural resolution is not a legal technicality — it is the substantive answer to the compliance question. The state mental health privacy laws described in this post create obligations for entities that hold patient information. When the vendor holds nothing, those obligations do not arise at the vendor level. The therapist's own obligations under these state laws continue to apply to the therapist's own records — but the therapist controls those records, has reviewed their contents, and can make compliance decisions about them. The therapist is not dependent on a third party's state-law compliance analysis for records the third party holds.

For an analysis of the full architecture of on-device processing and why it eliminates the vendor archive that creates HIPAA and state-law exposure, see our post on HIPAA for private practice therapists: 2026 edition.

Practical steps for therapists in California, Illinois, and New York

Identify your state's specific mental health privacy law obligations. California CMIA, Illinois MHDDCA, and New York Mental Hygiene Law are among the most protective state frameworks, but other states have equivalent statutes — Montana's Mental Health Records Act, Texas Health and Safety Code § 611, and Florida's Baker Act records provisions are examples of state-specific mental health privacy regimes that exceed HIPAA in specific respects. HIPAA's framework is the floor; your state's framework is the ceiling you must meet. The two requirements coexist, and you must satisfy the more demanding of the two in every specific compliance decision.

Review your vendor's state-law compliance documentation — not just the BAA. A HIPAA BAA is necessary but not sufficient for compliance with state mental health privacy laws that impose more stringent requirements. Ask your vendor specifically whether it has analyzed and committed to California CMIA compliance, Illinois MHDDCA compliance, or the state law applicable to your practice. If the vendor cannot point to a specific state-law compliance analysis, the BAA alone does not close the compliance gap.

Audit what your vendor retains and where. Most state mental health privacy laws impose obligations tied to who "maintains" or "receives" patient information. Understanding precisely what your vendor receives — session audio, real-time transcripts, AI-generated notes, session metadata — and how long it retains each category is the factual foundation for a state-law compliance analysis. Many vendors retain session content significantly longer and in more complete form than their marketing materials suggest.

Consult qualified legal counsel in your jurisdiction. State mental health privacy law is a specialized area where the analysis is jurisdiction-specific and where the interaction between state law and the federal HIPAA framework creates complexity that general HIPAA compliance guidance does not address. A California attorney with experience in CMIA, an Illinois attorney with MHDDCA experience, or a New York attorney with Mental Hygiene Law experience can provide analysis tailored to your specific practice context and vendor relationship. This analysis is more valuable before a compliance issue arises than after.

Frequently asked questions

Does HIPAA preempt California's CMIA or Illinois's MHDDCA?

No. HIPAA's preemption provision at 45 CFR § 160.203 explicitly preserves state laws that are "more stringent" than HIPAA's requirements. Both California CMIA and Illinois MHDDCA qualify as more stringent in specific respects — narrower permissible disclosures, stricter authorization requirements, and in California's case a private right of action that HIPAA does not provide. HIPAA preempts only state laws that are less protective. Where state law is more restrictive, HIPAA requires compliance with both frameworks, and the more restrictive requirement controls.

Can a cloud AI scribe vendor be held liable under California CMIA or Illinois MHDDCA separately from HIPAA?

Potentially, yes. CMIA at Health and Safety Code § 56.10(a) applies to any provider of health care and potentially to entities that "maintain medical information" about California patients. Illinois MHDDCA at 740 ILCS 110/3 applies to "any person" receiving information about a mental health service recipient in the course of providing services on behalf of a therapist. Whether specific vendors qualify as subject to these statutes depends on the facts of their operations and how California and Illinois courts apply these frameworks to AI documentation services — an area where definitive precedent does not yet exist. Both statutes provide civil remedies against unauthorized disclosers, including statutory damages under CMIA and both civil and criminal penalties under MHDDCA.

What does "more stringent" mean when comparing state mental health privacy laws to HIPAA?

Under 45 CFR § 160.202, a state law is more stringent if it provides individuals with greater rights to access PHI, imposes stricter requirements on authorizations for disclosure, or provides greater restrictions on uses and disclosures. California CMIA is more stringent in its authorization requirements and its private right of action. Illinois MHDDCA is more stringent in that its permissible disclosure categories are narrower than HIPAA's twelve. New York Mental Hygiene Law § 33.13 is more stringent in legal proceedings, where it requires judicial balancing of the need for disclosure against privacy interests before records can be produced pursuant to subpoena.

How does New York Mental Hygiene Law § 33.13 differ from HIPAA's approach to legal process?

HIPAA's legal process exception at 45 CFR § 164.512(e) permits disclosure in response to subpoenas if procedural requirements — primarily notice to the patient — are satisfied. New York Mental Hygiene Law § 33.13(c) requires that the court in the proceeding independently find that disclosure is relevant, that the need outweighs the patient's privacy interests, and that the patient's rights will be protected — a substantive judicial determination that goes beyond HIPAA's procedural requirements. New York courts have used § 33.13 to limit or refuse civil discovery of mental health records in cases where HIPAA's procedural framework alone would have permitted production. The § 33.13 protections apply to records at Article 31 licensed facilities and may not apply in the same way to a cloud vendor's independently held session archives.

Does on-device processing satisfy both HIPAA and state mental health privacy laws?

On-device processing eliminates the vendor's possession of patient information, which resolves the core compliance question for state mental health privacy laws. If the vendor does not receive, maintain, or transmit session content, the threshold question of whether the vendor is subject to California CMIA, Illinois MHDDCA, or New York Mental Hygiene Law obligations does not arise — there is no vendor-held information to regulate. The therapist's own obligations under these state laws continue to apply to the therapist's formal records, which remain in the therapist's control. The compliance gap that arises from a third party holding a more complete verbatim account of patient sessions under a framework that may not address state mental health privacy law obligations is eliminated when the third party holds nothing.