While there are a number of federal laws governing privacy and access to individual health information, most states have enacted their own laws and regulations pertaining to the use, collection and disclosure of health information. Many states regulate the maintenance of patient medical records through provider-specific licensure laws. These laws not only require providers to maintain patient medical records, but also specify what the medical record must include. States also set standards for the privacy and confidentiality of health information, which may be stricter than federal standards. State law regulates when a provider may disclose personal health information, to whom the information may be disclosed, and for what purpose. States also set standards for private health insurers conducting business within the state.
Since the federal Medicaid program is a joint partnership between states and the federal government, states may also impose their own requirements on participating providers. State Medicaid program regulations can vary in terms of covered benefits, provider reporting requirements, and eligibility criteria. State Medicaid programs may also have their own fraud and abuse laws, in addition to what federal law requires. States also have their own reporting requirements for diseases and conditions that must be reported to the state health department, and for reporting to disease-specific registries. Similarly, states require reporting by specific providers and health plans on performance and utilization measures. State laws regarding quality reporting and medical peer review can vary from federal patient safety law. States are also free to set up their own health information technology infrastructure, in conformance with existing federal law. Notably, health insurance exchanges, which are required under the federal Patient Protection and Affordable Care Act, must be established on a state-by-state basis, through some form of authorizing state legislation.
 Social Security Act §1902(a); 42 U.S.C. 1396a(a).
 Patient Protection and Affordable Care Act §1321(b); 42 U.S.C. 18041(b).