In a fragmented and fast-moving policy environment, state legislatures are taking the lead on issues once governed almost exclusively at the federal level. From new rules on health data access and pricing to evolving legislation on AI in healthcare, 2025 is shaping up to be a defining year for privacy, compliance, and innovation.
In a recent Datavant webinar, State Law Snapshot: Health Privacy, Health AI, Kyle Probst , Deputy General Counsel & Director of Government Relations, and Samuel Roods, Director of Government Affairs & Policy, walked through the key policy trends reshaping health data across the country. Drawing on their experience tracking industry and policy trends, as well as testifying on legislation in all 50 states, they shared where states are stepping in, what’s at stake for HIPAA-regulated entities, and how healthcare organizations can prepare.
Below, we break down the top takeaways from the session.
1. States are Filling Federal Gaps
Despite holding control of Congress and the White House, federal lawmakers continue to struggle with slow-moving legislation, inconsistent enforcement, and evolving regulatory priorities. In that vacuum, states are aggressively advancing their own policies—particularly in areas like reproductive health privacy, AI in healthcare, and consumer data protection.
So far in 2025, Datavant has tracked over 215 state bills across 44 states, with 21 already enacted. These include legislation on record pricing, reproductive health data protections, AI restrictions, and interoperability requirements for provider organizations..
2. Patchwork policies are causing compliance confusion
As more states pass laws, a complex web of varying definitions and carveouts is emerging. For example, what constitutes “de-identified data” or “health information” varies significantly across jurisdictions. This inconsistency is especially challenging for organizations managing data across multiple states.
Even with HIPAA carveouts, providers and business associates must monitor state activity closely. Poorly drafted laws or conflicting standards can increase the burden on HIM, compliance, and privacy teams.
3. AI is a rising priority in healthcare policy
With AI advancing rapidly, state legislators are weighing how to balance innovation and risk. Datavant tracked 20 health AI-related bills in 2025 so far, touching on chatbots for mental health counseling to clinical decision support and patient notification requirements.
One trend to watch: legislation that restricts AI from being used in diagnostic decision-making or allows patients to opt out of AI-supported care. Utah recently became the first state to regulate mental health chatbots, and more may follow.
4. Release of information topics remain hot-button issues
In 2025, several states passed legislation targeting the price of health record requests, including Tennessee, where Datavant worked with stakeholders to support a $90 flat fee for electronic hospital records requested by third parties.
But it is important to note that fulfilling these third party requests isn’t as simple as hitting “send.” Highly trained professionals must validate each request against federal and state privacy laws, review authorizations and legal documents, and ensure records are disclosed only to parties with proper authority.
As states consider laws to expand access for third party requesters—often with good intent—those efforts must also address the growing burden on release-of-information teams and the need for modernized, secure, and scalable infrastructure.
5. How to stay ahead: best practices for tracking and response
With over 200 bills introduced so far this year, proactive tracking and internal coordination are critical. To stay ahead, healthcare organizations should:
- Build cross-functional teams to monitor state legislation and utilize tools such as bill trackers, legal alerts and industry forums
- Join coalitions with state HIMAs, hospital and medical associations, and other specialty groups focused on coordinating advocacy efforts and educating legislators
- Coordinate internal teams (legal, government affairs, privacy, compliance, technology, health information management) and develop escalation workflows to respond quickly to legislative changes
From AI and data privacy to health information access and record fees, the policy landscape is shifting fast. But with the right tools, teams, and partnerships in place, healthcare organizations don’t have to be caught off guard. Whether you’re deep in compliance or just trying to keep your teams aligned, staying proactive is the name of the game.
To access resources, policy updates, or the webinar recording, you can visit datavant.com/resources.
.svg)
