State Privacy Law Compliance Matrix
Effective Date: February 2026
Document Version: 1.0
This State Privacy Law Compliance Matrix (“Matrix”) documents how Rymeda, Inc. (“Rymeda,” “we,” “us”) complies with applicable state privacy, data protection, and healthcare laws across the jurisdictions in which we operate. As a healthcare technology platform processing Protected Health Information (PHI), Rymeda is subject to overlapping federal and state requirements. Where state law provides greater protections than HIPAA, we comply with the more protective standard.
This Matrix is organized by jurisdiction, with California receiving detailed treatment as Rymeda’s principal place of business and the jurisdiction with the most extensive healthcare privacy requirements.
1. California
California imposes the most comprehensive and stringent set of privacy, healthcare, and AI regulations in the United States. Rymeda complies with all of the following California laws.
1.1 California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)
Cal. Civ. Code §1798.100 et seq.
| Requirement | Rymeda Compliance |
|---|---|
| Right to Know (§1798.100) | Consumers may request disclosure of categories and specific pieces of personal information collected. Requests fulfilled within 45 days via legal@rymeda.com |
| Right to Delete (§1798.105) | GDPR-compliant deletion endpoint anonymizes user data. Medical information and PHI fall outside the CCPA under the HIPAA/CMIA exemption (§1798.145(c)), and clinical records subject to a legal retention obligation are not deleted (§1798.105(d) exceptions). A deletion record containing a hash of the email address is preserved for audit |
| Right to Correct (§1798.106) | Users may request correction of inaccurate personal information through account settings or privacy request |
| Right to Opt-Out of Sale (§1798.120) | Rymeda does not sell personal information. No “Do Not Sell” link is required, but we disclose this in our Privacy Policy |
| Sensitive Personal Information (§1798.121) | Health data, biometric data, and precise geolocation are classified as sensitive PI. Processing limited to purposes disclosed at collection. No secondary use without explicit opt-in consent |
| Non-Discrimination (§1798.125) | Consumers exercising CCPA rights receive equal service and pricing. No denial, different pricing, or degraded service for privacy requests |
| Service Provider Obligations (§1798.140(ag)) | Rymeda acts as a Service Provider under CCPA. Customer data processed only per written instructions. No combining, selling, or retaining beyond service purpose |
| Automated Decision-Making (AB 1008 / §1798.185(a)(16)) | AI-generated clinical content is flagged as AI draft requiring human review. No fully automated decision-making for clinical care. Right to opt out of profiling for decisions with legal or similarly significant effects |
HIPAA Exemption
Medical information governed by CMIA and PHI governed by HIPAA are exempt from CCPA per §1798.145(c). However, Rymeda applies CCPA rights to all personal information not otherwise subject to HIPAA/CMIA, and extends equivalent rights voluntarily where feasible.
1.2 Confidentiality of Medical Information Act (CMIA)
Cal. Civ. Code §56 et seq.
Stricter Than HIPAA
CMIA is more restrictive than HIPAA in several key areas. Where CMIA and HIPAA conflict, Rymeda applies the more protective CMIA standard.
| CMIA Provision | Rymeda Compliance |
|---|---|
| Written Authorization (§56.11) | Disclosure of medical information requires patient’s written authorization specifying: information to be disclosed, purpose, recipients, expiration date, and right to revoke. Platform enforces explicit consent capture before any inter-organization sharing |
| Automatic Recording (§56.101) | The audit system automatically records every access to, and change of, medical information including: who accessed it, when, what was accessed, and from where. Immutable append-only audit trail retained for 6 years |
| Employee Training (§56.101(b)) | Annual CMIA-specific training for all workforce members with access to medical information |
| Penalties (§56.36) | Unauthorized disclosure: $1,000 nominal damages (no proof of actual harm required) plus actual damages and attorneys’ fees. Separate administrative fines and civil penalties apply under §56.36(c), scaled from negligent disclosure to knowing and willful disclosure and to disclosure for financial gain. CMIA provides a private right of action, which HIPAA does not |
| Employer Restrictions (§56.20) | Medical information of employees is handled separately from patient clinical data with additional access restrictions |
1.3 Two-Party Recording Consent
Cal. Penal Code §632, §632.01
Criminal Statute
Violation of §632 is a criminal offense punishable by a fine of up to $2,500 and/or imprisonment for up to one year. §632.01 extends criminal liability to the knowing distribution of healthcare communications recorded without consent.
- §632 — All-Party Consent: Recording of confidential communications (including clinical encounters) requires consent of all parties. Rymeda’s voice recording feature presents a mandatory consent prompt before the recording interface activates. Consent is documented in the patient record and linked to the voice note
- §632.01 — Distribution Prohibition: Knowing distribution of healthcare communications recorded in violation of §632 is a separate criminal offense. Rymeda does not permit bulk export or sharing of voice recordings outside the platform without authorization and audit logging
- Telehealth Sessions: 100ms video sessions incorporate recording consent into the session initiation workflow. No recording occurs without prior consent acknowledgment
1.4 AI Healthcare Regulations
| Law | Requirement | Rymeda Compliance |
|---|---|---|
| AB 3030 | Disclosure when AI is used in patient communications or clinical content generation | All AI-generated clinical content is flagged with ai_generated: true and prominently labeled “AI DRAFT — REQUIRES PROVIDER REVIEW.” AI Transparency & Ethics Policy published at /ai-transparency |
| AB 489 | Prohibited use of certain terminology implying AI replaces licensed healthcare providers | ORIS AI is described as a “clinical assistant” and “documentation aid” — never as a “doctor,” “provider,” or “clinician.” Marketing and UI copy reviewed for prohibited terminology |
| SB 1120 | Physicians Make Decisions Act: an AI tool or algorithm may not be the sole basis for a medical necessity determination in utilization review; a licensed physician must make the decision | No AI-generated content enters the medical record without mandatory provider review and signature. AI suggestions include confidence scores and are labeled as suggestions, not directives. The system does not support automatic transition from AI draft to signed status |
1.5 Breach Notification Requirements
| Law | Timeline | Rymeda Compliance |
|---|---|---|
| SB 446 (amending Civ. Code §1798.82) | 30 calendar days | Notification to affected California residents within 30 calendar days of discovery of the breach; stricter than HIPAA’s “without unreasonable delay and in no case later than 60 calendar days” (45 CFR §164.404) |
| HSC §1280.15 | 15 business days | Report unlawful or unauthorized access to, or use or disclosure of, patient medical information to the California Department of Public Health (CDPH) no later than 15 business days after detection; affected patients must be notified within the same 15 business days. Applies to licensed clinics and health facilities |
1.6 Telehealth Regulations
| Law | Requirement | Rymeda Compliance |
|---|---|---|
| BPC §2290.5 | Written informed consent before telehealth consultation | Telehealth appointment type triggers consent workflow. Patient receives and acknowledges telehealth-specific informed consent before session begins |
| HSC §1374.13 | Telehealth reimbursement parity | Billing system supports telehealth-specific CPT codes with parity coding. Invoice and claim models track appointment type for accurate reimbursement |
1.7 Medical Records Retention
- Adults: 7 years following discharge or the last clinical activity (CA Health & Safety Code §123145, which applies to licensed clinics and health facilities)
- Minors: at least one year after the patient reaches age 18, and in no case less than 7 years (HSC §123145), i.e. 7 years or until age 19, whichever is later
- Implementation: Retention periods enforced by the data retention system, using a date_of_birth calculation for minor patients. See Data Retention & Destruction Policy
1.8 California Three-Consent Model
Rymeda implements California’s three-tier consent framework for healthcare data processing:
| Consent Tier | Scope | Legal Basis | Platform Implementation |
|---|---|---|---|
| 1. Treatment Consent | Consent to receive healthcare services via the platform | CMIA §56.11; BPC §2290.5 (telehealth) | Captured at patient registration and telehealth session initiation. Covers standard clinical use, treatment, and care coordination |
| 2. Recording Consent | Consent to record clinical encounters (voice, video) | Penal Code §632 (all-party consent, criminal) | Separate, explicit consent obtained before every voice recording or telehealth recording. Documented per-encounter and linked to the specific recording |
| 3. AI Processing Consent | Consent to AI-assisted analysis of clinical data | AB 3030 (disclosure); SB 1120 (no sole AI decisions); CMIA §56.11 | Informed consent disclosing AI use in transcription (Whisper), report generation (GPT/Gemini), and clinical suggestions (ORIS). Patients informed of right to request human-only documentation |
2. Illinois
2.1 Biometric Information Privacy Act (BIPA)
740 ILCS 14/1 et seq.
Private Right of Action — $1,000–$5,000 Per Violation
BIPA is the most heavily litigated biometric privacy statute in the U.S. It provides a private right of action with liquidated damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation (or actual damages, if greater). Under the August 2024 amendment (SB 2979), collecting the same biometric identifier from the same person by the same method counts as a single violation rather than one per scan, reversing the per-scan accrual of Cothron v. White Castle (2023). BIPA has generated billions of dollars in class action settlements.
| BIPA Requirement | Rymeda Compliance |
|---|---|
| Voice as Biometric (§10) | BIPA defines “biometric identifier” to include voiceprints, so speaker-identifying features derived from audio fall within it; a raw recording that is only transcribed by OpenAI Whisper does not necessarily constitute a voiceprint. §10 also excludes information captured from a patient in a health care setting or used for HIPAA treatment, payment or operations. Rymeda nonetheless applies BIPA’s notice, consent, retention and security controls to voice recordings of Illinois residents rather than relying on that exclusion |
| Written Informed Consent (§15(b)) | Before collecting biometric data from Illinois residents, Rymeda provides written notice of: (a) the fact of collection, (b) the specific purpose, and (c) the retention period. Written consent is obtained before any voice recording |
| Retention & Destruction (§15(a)) | Published retention schedule distinguishes two artifacts. Any biometric identifier derived from a recording is destroyed when the purpose for its collection is satisfied or within 3 years of the individual’s last interaction with Rymeda, whichever comes first, as §15(a) requires. The underlying clinical recording and transcript, which form part of the medical record, follow the 7-year clinical record retention schedule |
| No Sale or Profit (§15(c)) | Rymeda does not sell, lease, trade, or profit from biometric data. Voice recordings are used solely for clinical documentation purposes |
| Security (§15(e)) | Biometric data stored with AES-256 encryption (S3 SSE-KMS), per-tenant encryption keys, TLS 1.3 in transit. Security standard meets or exceeds the standard for other confidential and sensitive information |
3. New York
3.1 Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)
N.Y. Gen. Bus. Law §899-aa, §899-bb
| SHIELD Requirement | Rymeda Compliance |
|---|---|
| Reasonable Security (§899-bb) | Rymeda implements reasonable administrative (workforce training, risk assessments), technical (encryption, access controls, intrusion detection), and physical (AWS data center controls) safeguards |
| Expanded Breach Definition | SHIELD expands “private information” to include biometric data, email + password combinations, and health information. Rymeda’s breach detection covers all expanded categories |
| Breach Notification (§899-aa) | Notification to affected New York residents within 30 days of discovery (amendment effective December 2024), and to the NY Attorney General, Department of State, Division of State Police and, under the same amendment, the Department of Financial Services. Consumer reporting agencies must also be notified if more than 5,000 residents are affected |
| Safe Harbor | Data encrypted with AES-256 and per-tenant KMS keys qualifies for the SHIELD Act safe harbor (encrypted data not “acquired” if key not compromised) |
4. Texas
4.1 Texas Medical Records Privacy Act (HB 300)
Tex. Health & Safety Code §181.001 et seq.
- Authorization: Disclosure of PHI requires written authorization with specific form requirements. Workforce training on state and federal PHI law is required within 90 days of hire and at least once every 2 years thereafter (§181.101)
- No Sale: Prohibited from selling, transferring, or exchanging PHI for direct or indirect remuneration. Rymeda does not sell PHI
- Enforcement: Texas AG enforcement with tiered civil penalties (§181.201): up to $5,000 per negligent violation, $25,000 per knowing or intentional violation, and $250,000 per violation committed for financial gain, subject to annual caps. HB 300 creates no private right of action; state licensing agencies may also take disciplinary action against licensed covered entities
4.2 Capture or Use of Biometric Identifier Act (CUBI)
Tex. Bus. & Com. Code §503.001
- Informed consent required before capturing biometric identifiers (including voiceprints)
- Destruction required within a reasonable time (no later than 1 year after purpose achieved)
- No sale, lease, or disclosure without consent. AG enforcement with $25,000 per violation
5. Washington
5.1 My Health My Data Act
RCW Ch. 19.373
Broader Than HIPAA
Washington’s My Health My Data Act applies to “consumer health data,” which is broader than HIPAA’s PHI definition. PHI regulated under HIPAA is exempt, so the Act reaches health-adjacent data that HIPAA does not cover, such as health data collected outside a covered-entity relationship. Violations are enforceable through a private right of action under Washington’s Consumer Protection Act.
- Consent: Affirmative, opt-in consent required before collecting consumer health data beyond what is necessary to provide a product or service the consumer requested, and separate, distinct consent before sharing it. Consent given for one purpose does not carry over to another
- Access & Deletion: Right to access and delete consumer health data. Rymeda supports both via existing GDPR-compliant mechanisms
- No Sale Without Consent: Valid authorization required before any sale of consumer health data. Rymeda does not sell health data
- Geofencing Prohibition: Prohibited from geofencing healthcare facilities to collect or infer health data. Not applicable to Rymeda’s platform model
6. Comprehensive State Privacy Laws
The following states have enacted comprehensive consumer privacy laws. While most exempt HIPAA-covered entities or PHI, Rymeda applies their principles to non-HIPAA personal information where applicable.
| State | Law | Key Requirements | HIPAA Exemption | Rymeda Compliance |
|---|---|---|---|---|
| Colorado | Colorado Privacy Act (CPA), C.R.S. §6-1-1301 | Consumer rights (access, correct, delete, portability, opt-out). Data protection assessments for processing that presents heightened risk | Yes — PHI under HIPAA exempt | Rights supported via existing infrastructure. DPAs conducted for high-risk processing |
| Virginia | Virginia Consumer Data Protection Act (VCDPA), Va. Code §59.1-575 | Consumer rights (access, correct, delete, portability, opt-out). Consent for sensitive data processing. Data protection assessments | Yes — HIPAA-covered entities and PHI exempt | Rights supported. Sensitive data consent implemented. AG enforcement only (no private right of action) |
| Connecticut | Connecticut Data Privacy Act (CTDPA), Conn. Gen. Stat. §42-515 | Consumer rights similar to CPA/VCDPA. Opt-out of targeted advertising and profiling. Universal opt-out mechanism recognition | Yes — HIPAA-covered entities exempt | Rights supported. No targeted advertising. Universal opt-out signals honored |
| Massachusetts | Standards for Protection of Personal Information, 201 CMR 17.00 | Written information security program (WISP) required. Encryption of PI on portable devices and transmitted over public networks. Access controls, monitoring, and incident response | No HIPAA exemption — applies alongside HIPAA | Comprehensive WISP maintained. AES-256 encryption, TLS 1.3, access controls, monitoring, and incident response exceed 201 CMR 17.00 requirements |
7. 50-State Breach Notification Summary
All 50 states, the District of Columbia, and U.S. territories have enacted breach notification laws. The following table summarizes key variations. Rymeda complies with the most restrictive applicable timeline for each affected individual.
| Jurisdiction | Notification Timeline | AG / Regulator Notice | Notable Provisions |
|---|---|---|---|
| California | 30 days (SB 446); 15 bus. days CDPH (HSC §1280.15) | AG if >500 CA residents | Most restrictive timeline. CDPH reporting for healthcare. Specific content requirements |
| Florida | 30 days | Department of Legal Affairs (AG) within 30 days if 500 or more residents affected | Penalties up to $500,000. 30-day hard deadline, extendable by 15 days only on good cause shown in writing to the department |
| New York | 30 days (since the December 2024 amendment to §899-aa) | AG, Department of State, State Police, DFS; consumer reporting agencies if >5,000 | SHIELD Act expanded definitions. Encryption safe harbor |
| Texas | 60 days | AG within 30 days if at least 250 residents affected | HB 300 healthcare-specific provisions. Up to $250K per violation for disclosures made for financial gain |
| Illinois | “Most expedient time possible, without unreasonable delay” | AG if >500 residents | BIPA violations reported separately. PI includes medical and health insurance information |
| Washington | 30 days | AG within 30 days if >500 | My Health My Data Act adds health data requirements |
| Colorado | 30 days | AG within 30 days if >500 residents | Includes health insurance information in PI definition |
| Virginia | “Without unreasonable delay” | AG and consumer reporting agencies if >1,000 residents | Includes medical and health insurance information |
| Connecticut | 60 days | AG | Includes health insurance and medical information |
| Massachusetts | “As soon as practicable and without unreasonable delay” | AG and OCABR | 201 CMR 17.00 reasonable security required. Breach definition (M.G.L. c. 93H §1) covers unencrypted data, or encrypted data acquired together with its key, so encryption with uncompromised keys keeps an incident outside the notice trigger |
| Pennsylvania | “Without unreasonable delay” | AG if >1,000 | Encryption safe harbor |
| New Jersey | “Most expedient time possible” | State police and AG | Includes health insurance, medical information. Strong AG enforcement |
| All Other States | 30–90 days (varies) | AG and/or state agency (varies) | Rymeda tracks per-state timelines and applies the most restrictive applicable deadline for each affected individual |
Federal Floor, State Ceiling
HIPAA’s breach notification rule (45 CFR §§164.400–414) establishes the federal baseline: notice without unreasonable delay and in no case later than 60 calendar days after discovery. Multiple states impose shorter deadlines. Rymeda’s breach response process is designed to meet the most restrictive applicable deadline: 15 business days (California CDPH, HSC §1280.15) for healthcare data held by licensed facilities and 30 calendar days (California SB 446, New York, Florida, Washington, Colorado) for general personal information.
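The deadline-selection rule described above (the most restrictive deadline per affected individual, with the CDPH 15-business-day clock kept distinct from the 30- and 60-calendar-day clocks) is mechanical enough to encode. The following Python is an added worked example, not Rymeda’s code: the rule table is a constructed subset of the Section 7 table, the statute labels, regulator thresholds and data-category names (`medical`, `email`, `password`) are illustrative assumptions, and public holidays are ignored, so business-day deadlines come out as a floor rather than a final date. An individual for whom no encoded rule applies raises an error instead of silently inheriting a default deadline.

```python
"""Added example (not Rymeda's code): earliest breach-notice deadline per individual.

Encodes a constructed subset of the Section 7 table as data, picks for each
affected individual the earliest deadline among the rules that apply to them,
distinguishes business days from calendar days, and tallies which regulator
notices the per-state headcount triggers. Holidays are ignored (floor only).
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Iterator


class DayType(Enum):
    CALENDAR = "calendar"
    BUSINESS = "business"


@dataclass(frozen=True)
class NoticeRule:
    source: str                      # statute the deadline comes from (illustrative label)
    days: int                        # max days from discovery to individual notice
    day_type: DayType
    categories: frozenset[str] | None = None  # gate on data category; None = any PI


# Constructed from the page's table (subset). "US" applies to every individual.
RULES: dict[str, tuple[NoticeRule, ...]] = {
    "CA": (
        NoticeRule("Cal. Civ. Code 1798.82 (SB 446)", 30, DayType.CALENDAR),
        NoticeRule("Cal. HSC 1280.15", 15, DayType.BUSINESS, frozenset({"medical"})),
    ),
    "FL": (NoticeRule("Fla. Stat. 501.171", 30, DayType.CALENDAR),),
    "TX": (NoticeRule("Tex. Bus. & Com. Code 521.053", 60, DayType.CALENDAR),),
    "WA": (NoticeRule("RCW 19.255.010", 30, DayType.CALENDAR),),
    "US": (NoticeRule("HIPAA 45 CFR 164.404", 60, DayType.CALENDAR, frozenset({"medical"})),),
}
# Regulator notice thresholds: (regulator, minimum affected residents), constructed.
REGULATORS: dict[str, tuple[str, int]] = {
    "CA": ("California Attorney General", 501),      # more than 500
    "FL": ("Florida Dept. of Legal Affairs", 500),   # 500 or more
    "TX": ("Texas Attorney General", 250),           # at least 250
    "WA": ("Washington Attorney General", 501),      # more than 500
}


def add_business_days(start: date, n: int) -> date:
    """Advance n weekdays (Mon-Fri); the discovery day itself does not count."""
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            n -= 1
    return current


def rule_deadline(rule: NoticeRule, discovered: date) -> date:
    if rule.day_type is DayType.BUSINESS:
        return add_business_days(discovered, rule.days)
    return discovered + timedelta(days=rule.days)


def applicable_rules(state: str, categories: frozenset[str]) -> Iterator[NoticeRule]:
    """State rules first, then the federal floor; category-gated rules only if matched."""
    for rule in RULES.get(state, ()) + RULES["US"]:
        if rule.categories is None or rule.categories & categories:
            yield rule


def earliest_deadline(state: str, categories: frozenset[str], discovered: date) -> tuple[date, str]:
    """(deadline, controlling rule) for one individual. Strict '<' keeps the state rule
    as the cited source when it ties the federal 60-day floor. Raises when no encoded
    rule covers the individual rather than assuming a deadline."""
    best: tuple[date, str] | None = None
    for rule in applicable_rules(state, categories):
        deadline = rule_deadline(rule, discovered)
        if best is None or deadline < best[0]:
            best = (deadline, rule.source)
    if best is None:
        raise ValueError(f"no notice rule encoded for {state} / {sorted(categories)}")
    return best


def notification_plan(affected: list[tuple[str, frozenset[str]]], discovered: date) -> dict[str, tuple[date, str]]:
    """Per state, the earliest deadline owed to any individual in that state."""
    plan: dict[str, tuple[date, str]] = {}
    for state, categories in affected:
        candidate = earliest_deadline(state, categories, discovered)
        if state not in plan or candidate[0] < plan[state][0]:
            plan[state] = candidate
    return plan


def regulator_notices(affected: list[tuple[str, frozenset[str]]]) -> list[str]:
    """Regulators whose headcount threshold this incident crosses."""
    counts = Counter(state for state, _ in affected)
    return sorted(REGULATORS[s][0] for s, n in counts.items()
                  if s in REGULATORS and n >= REGULATORS[s][1])


# Constructed sample incident: discovered Monday 2026-02-02.
SAMPLE_DISCOVERED = date(2026, 2, 2)
SAMPLE_AFFECTED = ([("CA", frozenset({"medical"}))] * 600
                   + [("TX", frozenset({"email", "password"}))] * 300
                   + [("FL", frozenset({"email"}))] * 400)

if __name__ == "__main__":
    for state, (deadline, source) in notification_plan(SAMPLE_AFFECTED, SAMPLE_DISCOVERED).items():
        print(f"{state}: notify individuals by {deadline} ({source})")
    print("regulator notices:", regulator_notices(SAMPLE_AFFECTED))
```

For the constructed sample the California medical records are driven by the 15-business-day CDPH clock (23 February), not the 30-day SB 446 clock (4 March), while the Texas credentials fall under the 60-day state rule because the federal 60-day floor is gated on medical data. Florida’s 400 affected residents stay below its 500-resident regulator threshold, so only the California and Texas regulator notices are triggered.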
8. Rymeda’s Multi-State Compliance Approach
Rather than implementing minimum per-state compliance, Rymeda applies the highest-common-denominator approach:
- Most Protective Standard: Where multiple state laws apply, we comply with the most protective requirement across all applicable jurisdictions
- California as Baseline: California’s laws (CCPA/CPRA, CMIA, §632, AB 3030, SB 1120, SB 446) establish the most comprehensive requirements. We apply California standards to all users as a practical minimum
- HIPAA + State Overlay: HIPAA compliance is the federal foundation. State laws that provide additional protections beyond HIPAA are layered on top
- Consent Maximization: We implement the most rigorous consent requirements (California three-consent model) for all users, regardless of their state of residence
- Breach Response: Our incident response is designed to meet the shortest applicable breach notification timeline across all states
- Ongoing Monitoring: State privacy law landscape is reviewed quarterly. New laws are assessed within 30 days of enactment for applicability and compliance gaps
9. Matrix Updates
- Quarterly Review: This Matrix is reviewed quarterly to incorporate new state laws, amendments, and regulatory guidance
- Legislative Tracking: New state privacy and healthcare legislation is tracked and assessed for applicability within 30 days of enactment
- Version History: Material changes are documented with effective dates and communicated to affected customers
Contact
For questions about state-specific compliance or to inquire about a jurisdiction not listed:
Legal Team