Data Privacy Laws

Understanding privacy regulations across the United States and around the world

Privacy Regulatory Library

Enterprise compliance requires understanding the full regulatory landscape. I have compiled comprehensive information about privacy laws in the United States and internationally to support your compliance audits and due diligence. View Regulatory Hubs for implementation guides and criteria checklists.

Last updated: May 13, 2026

US State & International Privacy Laws By Region

United States Laws

Comprehensive coverage of state-level privacy laws including CCPA, MHMDA, and emerging legislation across all 50 states.

20+ States with enacted laws
20+ States with pending legislation

International & European Laws

Global privacy regulations including GDPR, PIPEDA, LGPD, and comprehensive frameworks from over 144 countries worldwide.

144+ Countries with data laws
6 Major global frameworks

Regulatory Hubs

Evidence-based implementation guides and criteria checklists for key mandates.

Regulatory & Privacy Standards

Federal compliance and technical implementation guidance for health-tech and payers.

ONC Final Rule | USCDI v3 | US Core 6.1.0

HTI-1 Algorithm Transparency

The Health Data, Technology, and Interoperability (HTI-1) rule mandates that all certified Health IT provide transparency for "Decision Support Interventions" (DSI) by March 1, 2026 (per ONC enforcement discretion).

Key Requirements:

  • (b)(11) Decision Support: Disclosure of source attributes for algorithms.
  • USCDI v3 Migration: Mandatory support for new data classes including SDOH and Provenance.
  • Predictive AI: Specialized transparency for AI-driven clinical tools.

Consultant Implementation

I perform technical audits to ensure your predictive models meet transparency mandates without compromising intellectual property.

  • Clinical Logic Validation: Auditing Sepsis/MEWS triggers for data parity.
  • Mapping USCDI v3: Ensuring "Social Determinants" are technically mapped to FHIR profiles.
  • Algorithm Traceability: Documenting training data provenance for federal review.

45 CFR Part 160 | Safe Harbor | Minimum Necessary

HIPAA Technical Safeguards

Beyond the paperwork, HIPAA compliance requires rigorous technical controls for Protected Health Information (PHI) in cloud environments.

Key Focus Areas:

  • Technical Access Control: Identity management for AWS/Azure environments.
  • Audit Controls: Recording every instance of PHI access in Databricks/SQL.
  • Transmission Security: Enforcing TLS 1.3 for all FHIR endpoints.

Consultant Implementation

I architect the Technical Safeguards that prevent data breaches in non-production environments.

  • Test Data De-ID: Automated scrubbing of 18 identifiers (Safe Harbor).
  • Lower-Environment Hydration: Safe daily refreshes of Microsoft CRM lower environments with non-PHI data.
  • BAA Technical Scoping: Defining the technical boundaries of "In-Scope" systems.

Privacy engineering principles TAP applies

Every TAP engagement applies Privacy by Design as a baseline, not as a bolt-on. We test these principles against your implementation and surface gaps as findings.

Data minimization

We test whether your endpoints expose only the clinical fields strictly necessary for the stated purpose, flagging over-collection as a finding.

Purpose limitation

We verify that data flows match the consent and disclosed-purpose record, and surface mismatches between what your app says it does and what it actually does.

Access controls and audit logging

We test SMART on FHIR scopes, role-based access, and audit-log completeness against your stated authorization model.

De-identification posture

For non-production environments and analytics pipelines, we test Safe Harbor and Expert Determination compliance and flag re-identification risk.

Common Privacy Rights Worldwide

While specific laws vary, most modern privacy regulations grant individuals these fundamental rights:

Right to Access

Request and receive a copy of your personal data that organizations hold about you.

Right to Correction

Request correction of inaccurate or incomplete personal information.

Right to Deletion

Request deletion of your personal data under certain circumstances ("right to be forgotten").

Right to Portability

Receive your data in a structured, commonly used, machine-readable format.

Right to Opt-Out

Opt out of data sales, targeted advertising, and certain automated processing.

Right to Security

Expect appropriate security measures to protect your personal information.

How Your Data Health Helps You Achieve Compliance

Your Data Health helps enterprises map their data pipelines to regulatory requirements and architect solutions that meet the strictest global privacy standards.

Multi-Jurisdiction Audits

I audit against GDPR, CCPA, HIPAA, MHMDA, HTI-1, and other major privacy regulations worldwide.

De-Identification Architecture

Zero-Trust pipelines, HIPAA Safe Harbor, and automated scrubbing for FHIR, HL7, and unstructured data.

Right-to-Deletion Workflows

MHMDA "Hard Deletion" compliance: architecting immutable audit logs and backup propagation.

Data Parity & Migration

Legacy vs. modern validation, ingestion QA, and vendor pipeline audits (CMS-9115).

USCDI & HTI-1 Readiness

US Core 6.1.0 migration audits, Algorithm Transparency (b)(11), and USCDI v3 data class mapping.

Cloud-Native Compliance

AWS, Azure, GCP: I help architect compliant pipelines within your existing infrastructure.

Ready to Audit Your Pipeline?

Enterprise compliance auditing for HTI-1, USCDI v3, MHMDA, and clinical data quality.
