
50-State Survey of Health Care Information Privacy Laws

2021 Edition

Dear Clients and Friends,

We are pleased to provide you with our 50-State Survey of Health Care Information Privacy Laws.

The world continues to struggle with the impacts of the COVID-19 pandemic, and pressures mount on
health care organizations to properly share personal health information. While resources abound on
how federal rules such as HIPAA may apply to sharing personal health information, there appear to be
few such resources on how state privacy laws apply. Meanwhile, the challenge to maintain compliance,
avoid data breaches, and make decisions on what can (or should) be shared with others remains
ever-present and more acute than ever. For that purpose, Seyfarth attorneys have created this resource
to better assist you and your business in identifying and mitigating potential issue areas.

The information contained in this document complements our attorneys’ experience and expertise
in representing clients across the entire spectrum of the health care industry. Seyfarth’s Health
Care group is a leader in providing legal services in this industry, as demonstrated by our ongoing
recognition as a Tier 1 national Health Law practice by U.S. News & World Report. Our research for this
Survey is condensed and simplified, and thus, while it provides a convenient point of reference, we ask
that you always consult with an attorney before making any decisions, as the law is constantly changing.

Please contact us with questions about this resource or to request additional state-specific
information that may affect your organization. We also encourage you to visit Seyfarth’s Beyond
COVID-19 Resource Center, as well as the firm’s Health Care page to learn more about our
cross-disciplinary industry group. Additionally, to keep you up-to-date on all of the latest health law
issues and trends, Seyfarth has launched its Health Care Beat podcast. Episodes provide listeners with
timely and insightful commentary on a variety of topics from a range of experts and thought leaders in
this space.

Jesse M. Coleman, Partner and Co-Chair, Health Care, Life Sciences & Pharmaceuticals Industry Group
Sheryl Tatar Dacso, Partner, Corporate
Kevin Mahoney, Partner, Litigation
Leon Rodriguez, Co-Managing Partner, Washington, DC Office

Project leads and members of Seyfarth’s Health Care, Life Sciences & Pharmaceuticals industry group.

The following individuals contributed to this survey: Jesse Coleman (US - HIPAA); Drew del Junco (Alaska, Arizona,
Idaho, Louisiana, Mississippi, Texas); Garreth DeVoe (Colorado, Kansas, New Mexico, Oklahoma, Utah, Wyoming);
Kay Hazelwood (Delaware, New Jersey, North Carolina, Pennsylvania); Adam Laughton (Arkansas, Iowa, Rhode Island);
Kevin Mahoney (Alabama, Florida, Georgia, Minnesota); Danielle Moore (California, Hawaii, Montana, Nevada, Oregon,
Washington); Kelly Pointer (Maine, Massachusetts, New Hampshire); Candace Quinn (Connecticut, Illinois, Indiana,
New York, Vermont, Wisconsin); Lauren Salas-Mationg (Missouri, Nebraska, North Dakota, South Dakota); and
Robert Terzoli (Kentucky, Michigan, Ohio, Tennessee).

WWW.SEYFARTH.COM | 1
United States (HIPAA)

How does the state define protected health information?
Subject to certain exceptions, protected health information (“PHI”) includes individually identifiable health information, transmitted or maintained in any form or medium, that relates to the provision of health care (or payment for health care) to an individual. 45 C.F.R. § 160.103

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
Includes health plans, health care clearinghouses, and health care providers who transmit health information in electronic form. 45 C.F.R. § 160.103

What additional security obligations exist (beyond HIPAA) for PHI?
HIPAA has a security rule to ensure the confidentiality of PHI, protect against threats and unanticipated prohibited uses or disclosures, and ensure compliance by a covered entity’s workforce. 45 C.F.R. § 164.306

What rules are there governing business associates?
Business associates must adhere to the same privacy and security rules applicable to covered entities, and must notify the covered entity in the event of a discovered breach. 45 C.F.R. §§ 164.410, .502(e), .504(e), .532(d)-(e)

What constitutes a breach or unlawful disclosure?
A breach of the HIPAA Privacy Rule is an impermissible use or disclosure that compromises the security of the protected health information; such uses and disclosures are presumed to be a breach unless the covered entity shows there is a low probability that PHI was compromised, based on a comprehensive risk assessment. 45 C.F.R. § 164.402

Alabama (AL)

How does the state define protected health information?
State administrative code adopts HIPAA in its entirety, including the definition of PHI. Ala. Dept. of Public Health Policy 2018-001

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
None beyond HIPAA. Ala. Dept. of Public Health Policy #2018-001

What additional security obligations exist (beyond HIPAA) for PHI?
For general medical records, none beyond HIPAA. Heightened non-disclosure obligations for medical records regarding sexually-transmitted diseases. Ala. Code 1975 § 22-11A-22

What rules are there governing business associates?
None beyond HIPAA.

What constitutes a breach or unlawful disclosure?
“The unauthorized acquisition of data in electronic form containing sensitive personally identifying information [including health records].” Ala. Code 1975 § 8-38-1

Alaska (AK)

How does the state define protected health information?
No comprehensive statute governing PHI beyond HIPAA; privacy is addressed in separate statutes governing specific types of entities and conditions.

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
Restrictions on disclosure specific to certain entities:
• EMTs. Alaska Stat. § 18.08.087
• Home health agencies. Alaska Admin. Code, tit. 7, § 12.534.
• Pharmacists. Alaska Stat. § 8.80.315
• Community health facilities. Alaska Admin. Code, tit. 7, § 13.130
• Nursing homes. Alaska Admin. Code, tit. 7, § 12.890
• State agencies. Alaska Stat. § 40.25.120.

What additional security obligations exist (beyond HIPAA) for PHI?
Restrictions on disclosure specific to certain conditions:
• Substance abuse. Alaska Stat. § 47.37.210
• Cancer. Alaska Stat. § 18.05.042
• Genetic testing. Alaska Stat. § 18.13.010
• Infectious diseases. Alaska Stat. § 18.05.042
• Mental health. Alaska Stat. § 47.30.845
Certain insurers must implement an information security program to safeguard confidential information. Alaska Admin. Code, tit. 3, § 26.705.

What rules are there governing business associates?
None beyond HIPAA.

What constitutes a breach or unlawful disclosure?
Breach of unencrypted personal information, if there is reasonable likelihood that harm to the affected individual will result. Alaska Stat. § 45.48.010

2 | 50-STATE SURVEY OF HEALTH CARE INFORMATION PRIVACY LAWS


United States (HIPAA), continued

What safe harbors or exceptions exist (e.g., close family, death, etc.)?
Per authorization, treatment, payment, health care operations, personal representatives (including parents/guardians for unemancipated minors), estate executors, whistleblowers, certain government functions, certain law enforcement purposes, and per valid court subpoena and qualified protective order. 45 C.F.R. §§ 164.502, .512

What form may an authorization for disclosure take (e.g., written, verbal, duration)?
Must include in written plain language: description of information, name of person, name of disclosee, purpose, expiration date, signature of authorizing party, and acknowledgment of ability to revoke. 45 C.F.R. § 164.508

What are the reporting and remediation requirements in the event of a breach/unlawful exposure?
HIPAA requires a covered entity to notify the affected party of a breach, as well as the media and Secretary of Health and Human Services, depending on the number of health records subject to unauthorized disclosure. 45 C.F.R. § 164.404-.410

What penalties exist for failure to report an unlawful exposure?
Failure to properly and timely report a HIPAA breach to the correct entities (individual, media, Secretary) may result in civil penalties beyond those associated with the breach. HHS may consider the failure to report when assessing other penalties. 45 C.F.R. § 160.402, 408

What rules are there for responding to subpoenas?
A covered entity may produce PHI, pursuant to a valid subpoena, only with proper authorization of the individual or upon seeking and/or obtaining a qualified protective order from a court of competent jurisdiction, and only as much as necessary for purposes of the litigation. 45 C.F.R. § 164.512(e)

Alabama (AL), continued

What safe harbors or exceptions exist (e.g., close family, death, etc.)?
None beyond HIPAA.

What form may an authorization for disclosure take (e.g., written, verbal, duration)?
None beyond HIPAA.

What are the reporting and remediation requirements in the event of a breach/unlawful exposure?
Report to affected individuals in the most expedient manner possible and without unreasonable delay. If more than 1,000 affected individuals, notify the Attorney General within 45 days. Ala. Code 1975 § 8-38-1

What penalties exist for failure to report an unlawful exposure?
Penalties of up to $5,000 per day for violation of notification provisions. Ala. Code 1975 § 8-38-9. The Alabama Supreme Court recognizes tort claims of invasion of privacy for unlawful disclosure of medical records.

What rules are there for responding to subpoenas?
Subpoena must be HIPAA-compliant before response is authorized. Particularized rules for responding to subpoenas seeking mental health records. Ala. Code 1975 § 34-26-2

Alaska (AK), continued

What safe harbors or exceptions exist (e.g., close family, death, etc.)?
Child and elder abuse:
• Licensed counselors. Alaska Stat. § 08.29.200
• Licensed family therapists. Alaska Stat. § 08.63.200
• Psychologists. Alaska Stat. § 08.86.200
Threat of imminent serious physical harm:
• Licensed counselors. Alaska Stat. § 08.29.200
• Licensed family therapists. Alaska Stat. § 08.63.200

What form may an authorization for disclosure take (e.g., written, verbal, duration)?
Written or electronic form. No duration limitation. Alaska Admin. Code, tit. 3, § 26.685

What are the reporting and remediation requirements in the event of a breach/unlawful exposure?
After discovering the breach, the covered person must notify each affected state resident in the most expeditious time possible. Alaska Stat. § 45.48.010

What penalties exist for failure to report an unlawful exposure?
None beyond HIPAA.

What rules are there for responding to subpoenas?
None beyond HIPAA.

Arizona (AZ)

How does the state define protected health information?
All medical and payment records may not be disclosed unless authorized by law or by written authorization. Ariz. Rev. Stat. Ann. § 12-2292(A)
“Medical records” means all communications related to a patient’s health that are maintained for diagnosis or treatment. Ariz. Rev. Stat. Ann. § 12-2291(6)
“Payment records” means all communications related to payment for health care that contain individually identifiable information. Ariz. Rev. Stat. Ann. § 12-2291(7)
The Arizona Insurance Information and Privacy Protection Act applies to insurance entities and includes a provision governing disclosure of “medical record information.” Ariz. Rev. Stat. Ann. § 20-2113
“Medical record information” is any personal information that relates to an individual’s medical condition and is obtained from a medical professional or medical care institution. Ariz. Rev. Stat. Ann. § 20-2102(18)

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
Restrictions on disclosure specific to certain entities:
• Health care provider
• Health care institution
• Ambulance service
• Health care services organization
Ariz. Rev. Stat. Ann. § 12-2291(5)

What additional security obligations exist (beyond HIPAA) for PHI?
Hospitals and health care professionals must have written protocols for safeguarding medical records to prevent unauthorized access. Ariz. Rev. Stat. Ann. § 32-3211; Ariz. Admin. Code § R9-10-213(B)(1). Failure to comply may result in a civil action for damages or disciplinary action. Ariz. Rev. Stat. Ann. § 12-2296; id. § 20-2118; id. § 32-3211

What rules are there governing business associates?
None beyond HIPAA.

What constitutes a breach or unlawful disclosure?
Unauthorized access that materially compromises the confidentiality of unencrypted computerized personal information maintained as part of a database of personal information. Ariz. Rev. Stat. Ann. § 18-551(1)

Arkansas (AR)

How does the state define protected health information?
All records “catalogued and maintained by the medical records department of a hospital, doctor’s office, medical clinic, or any other medical facility.” Ark. Code § 16-46-402

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
Hospitals, doctors’ offices, medical clinics, or any other medical facility. Ark. Code § 16-46-402

What additional security obligations exist (beyond HIPAA) for PHI?
None beyond HIPAA.

What rules are there governing business associates?
None beyond HIPAA.

What constitutes a breach or unlawful disclosure?
Any “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business.” Ark. Code § 4-110-113



Arizona (AZ), continued

What safe harbors or exceptions exist (e.g., close family, death, etc.)?
Medical and payment records may be disclosed by health care practitioners without patient authorization, as permitted by HIPAA or to: another current or former treating provider; ambulance attendant; health care provider accrediting agency; health profession regulatory board; utilization review agent; third party payor; or deceased patient’s health care decision maker or specified family members. Ariz. Rev. Stat. Ann. § 12-2294(C)-(D); id. § 20-2113

What form may an authorization for disclosure take (e.g., written, verbal, duration)?
Written and signed by patient or patient’s health care decision maker. Ariz. Rev. Stat. Ann. §§ 12-2292, 12-2294(B); id. § 20-2113; Ariz. Admin. Code § R9-10-212(B)(3)(f). No duration limitation unless authorization for insurance transaction. Ariz. Rev. Stat. Ann. § 20-2106(7)

What are the reporting and remediation requirements in the event of a breach/unlawful exposure?
Affected individuals must be notified within 45 days of breach determination and provided certain information. Ariz. Rev. Stat. Ann. § 18-552(B). This statute does not apply to HIPAA-covered entities. Ariz. Rev. Stat. Ann. § 18-552(N)(2)

What penalties exist for failure to report an unlawful exposure?
The Attorney General may impose a civil penalty of up to $10,000 for each affected individual, up to $500,000. Ariz. Rev. Stat. Ann. § 18-552(L). This statute does not apply to HIPAA-covered entities. Ariz. Rev. Stat. Ann. § 18-552(N)(2)

What rules are there for responding to subpoenas?
Subpoenas to health care practitioners seeking medical or payment records must be served with 10 days notice and be accompanied by signed written authorization or a court order that satisfies HIPAA qualified protective order requirements, or be a grand jury or health profession regulatory board subpoena. Ariz. Rev. Stat. Ann. § 12-2294.01; id. § 12-12802. Court must determine information is not available from the original source and is relevant. Ariz. Rev. Stat. Ann. § 36-3808(A)

Arkansas (AR), continued

What safe harbors or exceptions exist (e.g., close family, death, etc.)?
None beyond HIPAA.

What form may an authorization for disclosure take (e.g., written, verbal, duration)?
None beyond HIPAA.

What are the reporting and remediation requirements in the event of a breach/unlawful exposure?
Report to affected individuals in the most expedient manner possible and without unreasonable delay. If more than 1,000 affected individuals, notify the Attorney General within 45 days. Ark. Code § 4-110-105

What penalties exist for failure to report an unlawful exposure?
Subject to Attorney General action for deceptive trade practice. Potential penalty of $10,000 per violation. Ark. Code § 4-88-113

What rules are there for responding to subpoenas?
Must notify patient (or patient’s attorney) in writing or by fax once records are received. Ark. Code § 16-46-403

California (CA)

How does the state define protected health information?
“Personal Information” is information that has a person’s first name or first initial and last name in combination with any of the following:
• Social Security Number;
• driver’s license number or California identification card number; or
• account number, credit/debit card number, in combination with any required security code, access code, or password that would allow access to the person’s financial account.
Cal. Civil Code § 1798.82(a)
“Medical information” means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment.
“Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or Social Security Number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.
Cal. Civil Code § 56.05(j)

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
Rules for “Personal Information” cover all California businesses, organizations, and state and local government agencies.
Rules for “Medical Information” cover providers of health care, health care service plans, contractors, and all recipients of that information. Any business that offers software or hardware that are designed to maintain medical information is considered a provider.
Cal. Civil Code § 1798.80
Cal. Civil Code § 56.05(b&m)

What additional security obligations exist (beyond HIPAA) for PHI?
All health care providers, health service plans, pharmaceutical companies, contractors or other entities must preserve, store, maintain or destroy patient medical records in a way that preserves the confidentiality of the information. They shall protect and preserve the integrity of electronic medical information and automatically record and preserve any change or deletion of any electronically stored medical information. The record of any change or deletion shall include the identity of the person who accessed and changed the medical information, the date and time the medical information was accessed, and the change that was made to the medical information.
Cal. Civil Code § 56.101

What rules are there governing business associates?
Specific patient authorization is required in order to share patient information with business associates who are not third-party payers, entities who review in liability, arbitration, peer review, quality assurance, quality assessment, medical necessity cases or otherwise not included. Cal. Civil Code § 56.10

What constitutes a breach or unlawful disclosure?
A breach of the security of the system means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.



California (CA), continued

What safe harbors or exceptions exist (e.g., close family, death, etc.)?
Various state laws allow use and disclosure of health information in particular instances or under particular circumstances.
Cal. Civil Code § 5328, 5541, 1798.91, 4514, 120975-121020, 121025, 4135

What form may an authorization for disclosure take (e.g., written, verbal, duration)?
A provider of health care, health care service plan, or contractor shall not disclose medical information regarding a patient of the provider of health care or an enrollee or subscriber of a health care service plan without first obtaining an authorization, except as provided in subdivision (b) or (c). The information may be disclosed to providers of health care, health care service plans, contractors, or other health care professionals or facilities for purposes of diagnosis or treatment of the patient.
The information may be disclosed to an insurer, employer, health care service plan, hospital service plan, employee benefit plan, governmental authority, contractor, or other person or entity responsible for paying for health care services rendered to the patient, to the extent necessary to allow responsibility for payment to be determined and payment to be made.
Cal. Civil Code § 56.10

What are the reporting and remediation requirements in the event of a breach/unlawful exposure?
Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, must disclose any “breach of the security of the system,” following discovery, to any California patient whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The breach notification must meet all of the following requirements:
(A) The security breach notification shall be written in plain language.
(B) The security breach notification shall include, at a minimum, the following information: (1) The name and contact information of the reporting person or business subject to this section. (2) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach. (3) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice. (4) Whether notification was delayed as a result of a law enforcement investigation. (5) A general description of the breach incident. (6) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.
(C) At the discretion of the person or business, the security breach notification may also include any of the following: (1) Information about what the person or business has done to protect individuals whose information has been breached. (2) Advice on steps that the person whose information has been breached may take to protect himself or herself.
Cal. Civil Code § 1798.82(a&d)

What penalties exist for failure to report an unlawful exposure?
An entity or individual who negligently discloses medical information is also liable (in addition to damages paid to the patient) to pay a civil or administrative fine of $2,500 per violation.
Cal. Civil Code § 1798.84(b)
Cal. Civil Code § 56.36

What rules are there for responding to subpoenas?
Must list the statute under which the health information being sought is covered.
Cal. Civil Code § 56
Cal. Civil Code § 5328

Colorado (CO)

How does the state define protected health information?
Undefined. “Personal Information” means: Resident’s name plus:
• Social Security Number;
• driver’s license number;
• medical information;
• health insurance number; or
• other specified information.
Col. Rev. Stat. Ann. § 6-1-716(1)(g) (West 2021)

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
Individual or entity that maintains Personal Information in the course of his/her/its occupation or business. Excludes third-party service providers. Col. Rev. Stat. Ann. § 6-1-716(1)(b) (West 2021)

What additional security obligations exist (beyond HIPAA) for PHI?
None. This state does not define Protected Health Information. This state does not mandate security obligations beyond HIPAA. Col. Rev. Stat. Ann. § 6-1-716(2) (West 2021)

What rules are there governing business associates?
None beyond HIPAA. Third-party service providers are not covered entities per state statute, but can be a HIPAA business associate. Col. Rev. Stat. Ann. § 6-1-716(1)(b) (West 2021)

What constitutes a breach or unlawful disclosure?
A “security breach” is an unauthorized acquisition of unencrypted computerized data that compromises the confidentiality of Personal Information maintained by a covered entity. Col. Rev. Stat. Ann. § 6-1-716(1)(h) (West 2021)

Connecticut (CT)

How does the state define protected health information?
1) Defined in CT Statute Title 38a INSURANCE, Chapter 700C Health Insurance, C.G.S.A. § 38a-591a. Health information that identifies an individual who is the subject of the information or for which there is a reasonable basis to believe that such information could be used to identify such individual. PHI is protected under both federal and state law.
2) Defined in CT Statute Title 38a INSURANCE, Chapter Connecticut Insurance Information and Privacy Protection Act, C.G.S.A. § 38a-999b, citing 45 C.F.R. § 160.103. Individually identifiable health information that is maintained or transmitted by electronic media or any other form or medium. The individual’s first and last name in combination with protected health information as defined in 45 C.F.R. 160.103.

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
1) Defined in CT Statute Title 38a INSURANCE, Chapter 700C Health Insurance, C.G.S.A. § 38a-472f, citing 42 U.S.C.A. § 256b. Covered entity as defined in 42 U.S.C. 256b. One of the following: Federally-qualified health center; entity receiving a grant under section 256a of this title; family planning project receiving a grant under section 300 of this title; State operated AIDS drug purchasing assistance program receiving financial assistance; black lung clinic receiving funds under section 973(a) of title 30; Federally-qualified health center; family planning project; entity providing outpatient early intervention services for HIV disease; State operated AIDS drug purchasing assistance program; comprehensive hemophilia diagnostic treatment center; Native Hawaiian Health Center; urban Indian organization; certain entity receiving funds for treatment of sexually transmitted diseases or tuberculosis; certain hospital; certain children’s hospital and certain rural community hospital.

What additional security obligations exist (beyond HIPAA) for PHI?
CT common law. The CT Supreme Court case Byrne v. Avery Center for Obstetrics and Gynecology (2018) holds that while it is true that the privacy rules in federal HIPAA do not provide patients a private right of action, health care providers in Connecticut and a significant number of other states can be sued for unauthorized disclosures of confidential patient information.

What rules are there governing business associates?
CT statutes don’t have a definition for Business Associate. It is defined by 45 C.F.R. § 160.103. Defer to federal HIPAA rules.

What constitutes a breach or unlawful disclosure?
CT statutes don’t define what constitutes a breach or unlawful disclosure. Defer to 45 C.F.R. § 164.402 for what is a breach.
In addition to protection under HIPAA, CT statutes prohibit persons from selling or offering to sell personal health information and prohibit the Department of Public Health from publicly disclosing personally identifiable information about a patient in an institution. CT statutes also establish a bill of rights for individuals admitted to a nursing home, residential care home or chronic disease hospital to assure confidential treatment of patient personal medical records.
The CT government documents explain what is lawful disclosure.



Colorado (CO), continued

What safe harbors or exceptions exist (e.g., close family, death, etc.)?
None beyond HIPAA.

What form may an authorization for disclosure take (e.g., written, verbal, duration)?
None beyond HIPAA.

What are the reporting and remediation requirements in the event of a breach/unlawful exposure?
Notification of the affected residents and the state’s attorney general within 30 days. Covered Entity must conduct a prompt investigation. Col. Rev. Stat. Ann. § 6-1-716(2) (West 2021)

What penalties exist for failure to report an unlawful exposure?
State AG may file a lawsuit to ensure compliance and/or recover resulting direct economic damages. Col. Rev. Stat. Ann. § 6-1-716(4) (West 2021)

What rules are there for responding to subpoenas?
None beyond HIPAA.

Connecticut (CT), continued

What safe harbors or exceptions exist (e.g., close family, death, etc.)?
Availability of patient information to certain agencies, such as the Department of Emergency Services and Public Protection, the Department of Social Services, and the United States Department of Health and Human Services. C.G.S.A. § 17b-225
Consent not required for certain disclosures, including to persons engaged in the diagnosis or treatment of patients, or if records determine that the disclosure or transmission is needed to accomplish the objectives of diagnosis or treatment, or if a mental health provider determines there is substantial risk of imminent physical injury by the patient to himself or others, or in the course of examinations ordered by a court, or made in connection with the appointment of a conservator, and with regard to certain payment requests by a provider of behavioral health services that contracts with the Department of Mental Health and Addiction Services. C.G.S.A. § 52-146f

What form may an authorization for disclosure take (e.g., written, verbal, duration)?
Content of disclosure authorization forms. The statute provides that no authorization form may be utilized unless it is written in plain language, dated, specifies the types of persons to disclose the information, specifies the nature of the information to be disclosed, identifies the individual who authorizes the information to be disclosed, and specifies the length of time such authorization remains valid. C.G.S.A. § 38a-981
(What “release of confidential HIV-related information” means.) “Release of confidential HIV-related information” requires a written authorization for disclosure of confidential HIV-related information, which is signed by the protected individual, dated, and specifies to whom the disclosure is authorized, the purpose for the disclosure, and the time period during which the release is effective. C.G.S.A. § 19a-581

What are the reporting and remediation requirements in the event of a breach/unlawful exposure?
HIPAA requirements on Notification in the Case of Breach of Unsecured Protected Health Information. The Office of the Attorney General has authority to enforce HIPAA protections for Connecticut state residents. OCR and the Office of the Attorney General have authority to receive and investigate complaints against covered entities and business associates related to the HIPAA Privacy Rule, Security Standards, and the newly established Breach Notification Rule.

What penalties exist for failure to report an unlawful exposure?
No CT statutes. See HIPAA (45 C.F.R. § 160.404, Amount of a civil money penalty).

What rules are there for responding to subpoenas?
Inspection and subpoena of hospital records. If a private hospital, public hospital, society, or corporation receiving state aid is served with a subpoena issued by a competent authority directing production of records, except where the record pertains to a mentally ill patient, deliver the record to the clerk of such court in a sealed envelope for safekeeping. C.G.S.A. § 4-104
Records as evidence. Records of the Office of Chief Medical Examiner shall be subject to subpoena under the same conditions as medical records. C.G.S.A. § 19a-412

Delaware (DE)

How does the state define protected health information?
“Protected health information” follows HIPAA. Del. Code Ann. tit. 16, § 1210 (4).
The statute governing notice requirements for a computer security breach also includes a broad definition of “Personal information.” Del. Code Ann. tit. 6, § 12B-101(7)

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
Restrictions on disclosure specific to certain entities, for example:
• Long-term care facilities. Del. Code Ann. tit. 16, § 1121(9)
• Skilled and intermediate care nursing facilities. 16 Del. Admin. Code § 3201-9.0
• Free standing surgical centers. 16 Del. Admin. Code § 4405-4.0
Notice of data breach applicable to person that owns or licenses or maintains computerized data that includes personal information about a Delaware resident. Del. Code Ann. tit. 6, § 12B-100
Person comprehensively defined to include “an individual; corporation; business trust; estate trust; partnership; limited liability company; association; joint venture; government; governmental subdivision, agency, or instrumentality; public corporation; or any other legal or commercial entity.” Del. Code Ann. tit. 6, § 12B-101 (6)

What additional security obligations exist (beyond HIPAA) for PHI?
“Any person who conducts business in [Delaware] and owns, licenses, or maintains personal information shall implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.” Del. Code Ann. tit. 6, § 12B-100
In addition, restrictions on disclosure specific to certain conditions, Del. Code Ann. tit. 16, § 1210, including, for example:
• Substance abuse. 16 Del. Admin. Code § 2220
• Cancer. 16 Del. Admin. Code § 4201-3.0
• Genetic testing. 16 Del. Admin. Code § 1202
• Infectious diseases. 16 Del. Admin. Code § 1009A
• Mental health. 16 Del. Admin. Code § 5161(13)
• Birth Defects. 16 Del. Admin. Code § 4101-3.0
• Autism. 16 Del. Admin. Code § 4109-3.0

What rules are there governing business associates?
None beyond HIPAA. Notice of data breach applicable to vendors with access to personal information. Del. Code Ann. tit. 6, § 12B-100

What constitutes a breach or unlawful disclosure?
A “‘breach of the security of the system’ means the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity.” Del. Code Ann. tit. 6, § 12B-101(1)

FL
Florida

How does the state define protected health information?
Any medical record generated after making a physical or mental examination, or administration of treatment, or dispensation of legend drugs. Fla. Stat. § 456.057(1)

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
Any health care practitioner who generates medical records or to whom such records are transferred. Fla. Stat. § 456.057(2)

What additional security obligations exist (beyond HIPAA) for PHI?
All records owners required to develop and implement confidentiality policies and train employees. Fla. Stat. § 456.057(10)
Record owners also required to maintain record of any requests from third parties, and destroy information after retention requirements expire. Fla. Stat. § 456.057(11); Fla. Stat. § 501.171(8)

What rules are there governing business associates?
Business associates who suffer breach of health records must notify covered entity within 10 days. Fla. Stat. § 501.171(6)

What constitutes a breach or unlawful disclosure?
Protected health information is included in the state data breach law; breach includes any unauthorized access of data in electronic form. Fla. Stat. § 501.171(1)(g)(V)

GA
Georgia

How does the state define protected health information?
Any record “used in assessing the patient’s condition, or the pertinent portion of the record relating to a specific condition or a summary of the record.” Ga. Code § 31-33-1

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
Includes “all hospitals… other special care units…; intermediate care facilities; ambulatory surgical or obstetrical facilities; health maintenance organizations; and home health agencies.” Ga. Code § 31-33-1

What additional security obligations exist (beyond HIPAA) for PHI?
Providers are obligated to retain covered records for 10 years; particularized requirements for copying of records. Ga. Code § 31-33-2

What rules are there governing business associates?
None beyond HIPAA.

What constitutes a breach or unlawful disclosure?
State data breach law does not include health information. State recognizes tort claims for unlawful disclosure of health information.

HI
Hawaii

How does the state define protected health information?
Hawaii’s Health Care Privacy Harmonization Act of 2012 harmonizes state law with HIPAA. HRS § 323B-3

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
None beyond HIPAA.

What additional security obligations exist (beyond HIPAA) for PHI?
None beyond HIPAA.

What rules are there governing business associates?
None beyond HIPAA.

What constitutes a breach or unlawful disclosure?
None beyond HIPAA.

10 | 50-STATE SURVEY OF HEALTH CARE INFORMATION PRIVACY LAWS


What safe harbors or exceptions exist (e.g., close family, death, etc.)?
What form may an authorization for disclosure take (e.g., written, verbal, duration)?
What are the reporting and remediation requirements in the event of a breach/unlawful exposure?
What penalties exist for failure to report an unlawful exposure?
What rules are there for responding to subpoenas?

Delaware (continued)

What safe harbors or exceptions exist (e.g., close family, death, etc.)?
“Good faith acquisition of personal information by an employee or agent of an individual or commercial entity for the purposes of the individual or commercial entity is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.” Del. Code Ann. tit. 6, §12B-101(1)

What form may an authorization for disclosure take (e.g., written, verbal, duration)?
Pursuant to “informed consent.” Del Code Ann. tit. 16, §1212(b). “Informed consent” means a written authorization for the disclosure of PHI on a form substantially similar to one promulgated by DHS. Del Code Ann. tit. 16, §1210(2).

What are the reporting and remediation requirements in the event of a breach/unlawful exposure?
“Notice must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.” Del Code Ann. tit. 6 §12B-102(a)
Not later than 60 days after determination of the breach of security, except in certain circumstances. Del Code Ann. tit. 6 §12B-102(c)
Additional notice requirements if breach involves SSN. Del Code Ann. tit. 6 §12B-102(d)

What penalties exist for failure to report an unlawful exposure?
DHS shall enforce Del Code Ann. tit. 16, §1210. Attorney General may bring an action in law or equity to address the violations of statute relating to notice of data breach and may recover damages. Statute is not exclusive remedy and does not relieve a person subject to this chapter from compliance with all other applicable provisions of law. Del Code Ann. tit. 6 §12B-104(a)

What rules are there for responding to subpoenas?
Issued through or pursuant to a court or administrative tribunal order, PHI may be disclosed without informed consent. Note that a covered entity may disclose; it does not have to disclose. See Del Code Ann. tit. 16 §1212(b)

Florida (continued)

What safe harbors or exceptions exist (e.g., close family, death, etc.)?
In cases of compulsory physical examination, to poison control centers, and to Department of Children and Families in abuse or neglect investigations. Fla. Stat. § 456.057(7)(a)(1-6)

What form may an authorization for disclosure take (e.g., written, verbal, duration)?
Written authorization required. Fla. Stat. § 456.057(7)(a)

What are the reporting and remediation requirements in the event of a breach/unlawful exposure?
Notify affected individuals within 30 days and Florida Department of Legal Affairs for any breach affecting more than 500 individuals. Fla. Stat. § 501.171(3-4)

What penalties exist for failure to report an unlawful exposure?
Penalty of $1,000 each day for first 30 days of failure to notify; thereafter $50,000 for each 30-day period in which failure continues. Fla. Stat. § 501.171(9)

What rules are there for responding to subpoenas?
Patient authorization not required as long as subpoena is from court of competent jurisdiction and proper notice given to patient or patient’s representative by party seeking records. Fla. Stat. § 456.057(7)(a)(3)

Georgia (continued)

What safe harbors or exceptions exist (e.g., close family, death, etc.)?
No civil or criminal liability for provider releasing information “in good faith” pursuant to provisions of health records law. Ga. Code Ann. § 31-33-5
May be provided to family members or executors of estates in certain circumstances. Ga. Code § 31-33-2

What form may an authorization for disclosure take (e.g., written, verbal, duration)?
Request must be in writing by patient or authorized representative. Ga. Code Ann. § 31-33-2 (West)

What are the reporting and remediation requirements in the event of a breach/unlawful exposure?
None beyond HIPAA.

What penalties exist for failure to report an unlawful exposure?
None beyond HIPAA.

What rules are there for responding to subpoenas?
None beyond HIPAA.

Hawaii (continued)

Safe harbors or exceptions; form of authorization; reporting and remediation requirements; penalties for failure to report; rules for responding to subpoenas: None beyond HIPAA for each.

WWW.SEYFARTH.COM | 11

ID
Idaho

How does the state define protected health information?
No comprehensive statute governing PHI beyond HIPAA; privacy is addressed in separate statutes governing specific types of entities and conditions.

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
Restrictions on disclosure specific to certain entities:
• Health care practitioners. Idaho Code Ann. § 37-2743(c); Idaho Admin. Code § 16.05.01.107.02
• Prescription information. Idaho Code Ann. § 54-1727
• Nurses. Idaho Admin. Code § 22.01.11.100
• Optometrists. Idaho Admin. Code § 24.10.01.300.02
• Social workers. Idaho Admin. Code § 24.14.01.450.02

What additional security obligations exist (beyond HIPAA) for PHI?
Requires pharmacies to maintain sufficient security mechanisms to protect records from unauthorized access, including electronic recordkeeping systems in certain instances. Idaho Admin. Code § 27.01.01.300; see also Idaho Code Ann. § 39-1394

What rules are there governing business associates?
None beyond HIPAA.

What constitutes a breach or unlawful disclosure?
No state-specific statute governing breach or unlawful disclosure of PHI beyond federal protections and tort law.

IL
Illinois

How does the state define protected health information?
Definitions: As specified in 45 CFR § 164.103. 410 ILCS § 513/10
“Protected health information” has the meaning ascribed to it under HIPAA. 45 CFR § 164.103

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
As specified in 45 CFR § 160.103. 410 ILCS § 305/3(d)
“Covered entity” has the meaning ascribed to it under HIPAA.

What additional security obligations exist (beyond HIPAA) for PHI?
Confidentiality Protections in Illinois: See here.

What rules are there governing business associates?
Business associates - under “General Information Privacy Act”. 410 ILCS 513/31.3
Business associates - under “AIDS Confidentiality Act”. 410 ILCS 305/9.3

What constitutes a breach or unlawful disclosure?
Establishment and disclosure of limited data sets and de-identified information. 740 ILCS 110/9.11

IN
Indiana

How does the state define protected health information?
“As used in this chapter, PHI has the meaning set forth in 45 CFR § 160.103 as in effect on November 4, 2004.” IC § 16-39-10-3

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
“As used in this chapter, ‘covered entity’ has the meaning set forth in 45 CFR § 160.103 as in effect on November 4, 2004.” IC § 16-39-10-1

What additional security obligations exist (beyond HIPAA) for PHI?
Right of access. IC § 16-39-1-1
Provider’s use of records; data aggregation; confidentiality; violations. IC § 16-39-5-3

What rules are there governing business associates?
Indiana State Department of Health HIPAA Business Associates Policy ISDH-COMM-006-04

What constitutes a breach or unlawful disclosure?
Provider’s use of records; data aggregation; confidentiality; violations. IC § 16-39-5-3

IA
Iowa

How does the state define protected health information?
Defined with reference to HIPAA if created or received by an authorized participant in state health information network. IA. Code § 135D.2(17)

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
No specific definition for covered entities beyond HIPAA, but some disclosure and record-keeping rules apply to participants in state health information network.

What additional security obligations exist (beyond HIPAA) for PHI?
Heightened confidentiality requirements for AIDS-related records and information. IA. Code § 141A.9

What rules are there governing business associates?
None beyond HIPAA.

What constitutes a breach or unlawful disclosure?
No set definition under state law. State data breach reporting law does not include health information unless such information is “biometric data.”

KS
Kansas

How does the state define protected health information?
Equivalent to HIPAA, as this state explicitly incorporates HIPAA regarding PHI and its unauthorized disclosure. Kan. Stat. Ann. § 65-6822(d) and (q) (West 2021)

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
Equivalent to HIPAA. Kan. Stat. Ann. § 65-6822(d) (West 2021)

What additional security obligations exist (beyond HIPAA) for PHI?
None beyond HIPAA. Kan. Stat. Ann. § 65-6824(b) (West 2021)

What rules are there governing business associates?
A Covered Entity may disclose Protected Health Information to a health information organization without an authorization under certain conditions. Kan. Stat. Ann. § 65-6825(b) (West 2021)

What constitutes a breach or unlawful disclosure?
None beyond HIPAA. Kan. Stat. Ann. § 65-6825(a) (West 2021)


Idaho (continued)

What safe harbors or exceptions exist (e.g., close family, death, etc.)?
Child abuse and domestic violence. Idaho Code Ann. § 9-203
Disclosure necessary to warn potential victims or disclose threats. Idaho Code Ann. § 54-3410

What form may an authorization for disclosure take (e.g., written, verbal, duration)?
Written and signed by individual or legally authorized representative. Idaho Admin. Code § 16.05.01.051. No duration limitation.

What are the reporting and remediation requirements in the event of a breach/unlawful exposure?
None beyond HIPAA.

What penalties exist for failure to report an unlawful exposure?
None beyond HIPAA.

What rules are there for responding to subpoenas?
None beyond HIPAA.

Illinois (continued)

What safe harbors or exceptions exist (e.g., close family, death, etc.)?
Disclosure; consent “Except as provided in Sections 6 through 12.2 of this Act, records and communications may be disclosed …” 740 ILCS 110/5

What form may an authorization for disclosure take (e.g., written, verbal, duration)?
“Informed consent’ means: …” 410 ILCS 305/3(q)

What are the reporting and remediation requirements in the event of a breach/unlawful exposure?
See 815 ILCS 530 - IL Personal Information Protection Act

What penalties exist for failure to report an unlawful exposure?
Violation: “A violation of this Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act.” IL Personal Information Protection Act - 815 ILCS 530/20
Injunctive relief; restitution; and civil penalties. IL Consumer Fraud and Deceptive Business Practices Act - 815 ILCS 505/7

What rules are there for responding to subpoenas?
Subpoenas. 40 ILCS 175/6

Indiana (continued)

What safe harbors or exceptions exist (e.g., close family, death, etc.)?
Provider’s use of records; data aggregation; confidentiality; violations. IC § 16-39-5-3
Disclosure to locate or identify a missing person. IC § 16-39-10-4

What form may an authorization for disclosure take (e.g., written, verbal, duration)?
Patient’s written consent for release of records. IC § 16-39-1-4

What are the reporting and remediation requirements in the event of a breach/unlawful exposure?
None beyond HIPAA. See Breach Notification Rule, 45 CFR §§ 164.400-414

What penalties exist for failure to report an unlawful exposure?
See HIPAA (45 C.F.R. § 160.404 Amount of a civil money penalty)

What rules are there for responding to subpoenas?
Confidentiality; production on court order. IC § 16-39-6-3

Iowa (continued)

Safe harbors or exceptions; form of authorization; reporting and remediation requirements; penalties for failure to report; rules for responding to subpoenas: None beyond HIPAA for each.

Kansas (continued)

What safe harbors or exceptions exist (e.g., close family, death, etc.)?
None beyond HIPAA.

What form may an authorization for disclosure take (e.g., written, verbal, duration)?
None beyond HIPAA. Kan. Stat. Ann. § 65-6825(a) (West 2021)

What are the reporting and remediation requirements in the event of a breach/unlawful exposure?
This state does not identify any reporting and remediation requirements beyond HIPAA with respect to the unlawful disclosure of PHI.

What penalties exist for failure to report an unlawful exposure?
None beyond HIPAA.

What rules are there for responding to subpoenas?
None beyond HIPAA.


KY
Kentucky

How does the state define protected health information?
Generally same as HIPAA. Ky. Rev. Stat. Ann. § 61.931(6)(f) (West)
Right of privacy extends to patient’s mental health or chemical dependency, and limits disclosure to an insurer to what is necessary for the insurer to render its services. Ky. Rev. Stat. Ann. § 304.17A-555 (West)
All information, records, and reports relating to persons infected with or suspected of being infected with a sexually transmitted disease. Ky. Rev. Stat. Ann. § 214.420 (West)

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
An agency defined as the executive branch of the government, including, without limitation, public school districts and public universities; Nonaffiliated third parties that have a contract or agreement with an agency and receive personal information from the agency pursuant to the contract or agreement. Ky. Rev. Stat. Ann. § 61.931 (West)

What additional security obligations exist (beyond HIPAA) for PHI?
Entities are required to consult and follow policies and procedures established by the local governments or other agencies overseeing the entity, for example, Kentucky Board of Education and Council on Postsecondary Education. Ky. Rev. Stat. Ann. § 61.932 (West)

What rules are there governing business associates?
Nonaffiliated third parties are held to the same standards as the agencies. They are required to maintain policies at least as stringent as those of the entity or agency from which they are receiving the PHI. Ky. Rev. Stat. Ann. § 61.932 (West)

What constitutes a breach or unlawful disclosure?
General breach notification law not applicable to breaches subject to HIPAA. Ky. Rev. Stat. Ann. § 365.732 (West)
The unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release of (A) unencrypted or unredacted records or data or (B) encrypted data containing PHI along with the confidential process or key to unencrypt the records, that compromises or the entity reasonably believes may compromise the security, confidentiality, or integrity of personal information and result in the likelihood of harm to one (1) or more individuals. Ky. Rev. Stat. Ann. § 61.931(9) (West)


Kentucky (continued)

What safe harbors or exceptions exist (e.g., close family, death, etc.)?
None beyond HIPAA.

What form may an authorization for disclosure take (e.g., written, verbal, duration)?
None beyond HIPAA.

What are the reporting and remediation requirements in the event of a breach/unlawful exposure?
Nonaffiliated third parties shall notify the agency in the most expedient time possible without undue delay but no later than seventy-two (72) hours of determination of a security breach. The report shall include all information that the nonaffiliated third party has with regard to the breach. Ky. Rev. Stat. Ann. § 61.932(2)(b)(1) (West)
Reporting may be delayed based on a notice from a law enforcement agency. Ky. Rev. Stat. Ann. § 61.932(2)(b)(2) (West)
Agencies must report the breach to the state officers and departments listed in Ky. Rev. Stat. Ann. § 61.933(1)(a)(1) (West).
Individuals affected or likely affected must be notified within 35 days after providing a report, to the officers listed in section (1)(a)(1), of the completion of an investigation into the breach. Ky. Rev. Stat. Ann. § 61.933(1)(b)(1)(b) (West)
Additional requirements must be met where the individuals to be notified exceed one thousand. Ky. Rev. Stat. Ann. § 61.933(1)(b)(1)(c) (West)
Notice to individuals must include information laid out in Ky. Rev. Stat. Ann. § 61.933(2) (West)

What penalties exist for failure to report an unlawful exposure?
None beyond HIPAA.

What rules are there for responding to subpoenas?
Psychiatrist-patient privilege not waived. Ky. Rev. Stat. Ann. § 422.330 (West)


LA
Louisiana

How does the state define protected health information?
No comprehensive statute governing PHI beyond HIPAA; privacy is addressed in separate statutes governing specific types of entities and conditions.

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
Restrictions on disclosure specific to certain entities:
• HMOs. La. Rev. Stat. Ann. § 22:2020
• State facilities. La. Rev. Stat. Ann. § 44:7
• Utilization review. La. Rev. Stat. Ann. § 40:2731
Restrictions on disclosure specific to certain conditions:
• Birth defects. La. Rev. Stat. Ann. § 40:31.44
• Cancer. La. Rev. Stat. Ann. § 40:1299.87
• Communicable disease. La. Rev. Stat. Ann. § 40:3.1
• Genetic test results. La. Rev. Stat. Ann. § 22:213.7
• HIV/AIDS. La. Rev. Stat. Ann. § 40:1300.14
• Mental health. La. Rev. Stat. Ann. § 28:171
• Substance abuse. La. Rev. Stat. Ann. § 37:50.3384

What additional security obligations exist (beyond HIPAA) for PHI?
Requires hospitals to have medical records department responsible for maintaining medical records for each patient and to establish certain standards. La. Admin Code tit. 48, Pt I, § 9387

What rules are there governing business associates?
None beyond HIPAA.

What constitutes a breach or unlawful disclosure?
No state-specific statute governing breach or unlawful disclosure of PHI beyond federal protections and tort law.

ME
Maine

How does the state define protected health information?
Directly identifiable information relating to condition, medical history, or treatment provided to patient. 22 M.R.S. § 1711-C(1)(E)

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
A health care practitioner or facility licensed by the state to provide health care. 22 M.R.S. § 1711-C(1)(D) and (F)

What additional security obligations exist (beyond HIPAA) for PHI?
If release of information to the individual would be detrimental, make copy available to authorized representative. 22 M.R.S. § 1711-C(10)(C)
Disclosure of mental health records outside of practitioner or facility’s office in nonemergency situations requires authorization. 22 M.R.S. § 1711-C(10)(D)

What rules are there governing business associates?
None beyond HIPAA.

What constitutes a breach or unlawful disclosure?
None beyond HIPAA.


Louisiana (continued)

What safe harbors or exceptions exist (e.g., close family, death, etc.)?
Child and elder abuse. La. Code Evid. Ann. Art. 510
Child custody. La. Code Evid. Ann. Art. 510
Proceeding against physician. La. Code Evid. Ann. Art. 510
Personal injury or worker’s compensation proceeding. La. Code Evid. Ann. Art. 510

What form may an authorization for disclosure take (e.g., written, verbal, duration)?
Written and signed by patient or legal representative. La. Rev. Stat. Ann. §§ 13:3734; 40:1165.1(A)(2)(b)(i); La. Admin Code tit. 48, Pt I, § 507. No duration limitation.

What are the reporting and remediation requirements in the event of a breach/unlawful exposure?
None beyond HIPAA.

What penalties exist for failure to report an unlawful exposure?
None beyond HIPAA.

What rules are there for responding to subpoenas?
Subpoenaed provider must receive affidavit that subpoena is for records of party to litigation and notice has been mailed to affected patient seven days before issuance. La. Rev. Stat. Ann. § 13:3715.1(B)(1)
Subpoenaed provider entitled to reimbursement by person issuing subpoena. La. Rev. Stat. Ann. § 13:3715.1(G)

Maine (continued)

What safe harbors or exceptions exist (e.g., close family, death, etc.)?
Disclosure to another practitioner or facility in emergency situations permitted. Disclosure to family or household member permitted unless prohibited by the individual. Facility can respond to media or public with brief confirmation of general health status unless prohibited by individual. 22 M.R.S. § 1711-C(6)

What form may an authorization for disclosure take (e.g., written, verbal, duration)?
Written or oral authorization permitted, but cannot exceed 30 months. 22 M.R.S. § 1711-C(3)

What are the reporting and remediation requirements in the event of a breach/unlawful exposure?
Notification requirements only apply to breach of information from statewide health information exchange. 22 M.R.S. § 1711-C(18)(L)

What penalties exist for failure to report an unlawful exposure?
Intentional violation carries penalty up to $5,000 plus costs. Up to $10,000 for practitioners and $50,000 for facilities if repeated. 22 M.R.S. § 1711-C(13)(C)

What rules are there for responding to subpoenas?
Disclosure without authorization is permitted if responding to subpoena issued by governmental entity. 22 M.R.S. § 1711-C(6)(F-2)


MD
Maryland

How does the state define protected health information?
(j) (1) “Medical record” means any oral, written, or other transmission in any form or medium of information that: (i) Is entered in the record of a patient or recipient; (ii) Identifies or can readily be associated with the identity of a patient or recipient; and (iii) Relates to the health care of the patient or recipient. MD Code, Health-General § 4-301(j)(1)

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
(h) (1) “Health care provider” means: (i) A person who is licensed, certified, or otherwise authorized under the Health Occupations Article or § 13–516 of the Education Article to provide health care in the ordinary course of business or practice of a profession or in an approved education or training program; or (ii) A facility where health care is provided to patients or recipients, including a facility as defined in § 10–101(g) of this article, a hospital as defined in § 19–301 of this article, a related institution as defined in § 19–301 of this article, a health maintenance organization as defined in § 19–701(g) of this article, an outpatient clinic, a medical laboratory, a comprehensive crisis response center, a crisis stabilization center, and a crisis treatment center established under § 7.5–207 of this article. (2) “Health care provider” includes the agents, employees, officers, and directors of a facility and the agents and employees of a health care provider. MD Health-General § 4-301(j)(1)

What additional security obligations exist (beyond HIPAA) for PHI?
None beyond HIPAA. See MD Code, Commercial Law, 1 § 4-3507

What rules are there governing business associates?
None beyond HIPAA.

What constitutes a breach or unlawful disclosure?
None beyond HIPAA.

MA
Massachusetts

How does the state define protected health information?
None beyond HIPAA.

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
Hospitals and clinics must keep records of the treatment of the cases under their care for 20 years. M.G.L. c. 111, § 70

What additional security obligations exist (beyond HIPAA) for PHI?
Patients can require insurance carriers to send their medical information only to them and not policyholder. M.G.L. c. 167O, § 27

What rules are there governing business associates?
None beyond HIPAA.

What constitutes a breach or unlawful disclosure?
Under case law, providers generally must not disclose a patient’s health information without the patient’s written consent, subject to limited exceptions. Alberts v. Devine, 395 Mass. 59, 68 (1985)


Maryland (continued)

What safe harbors or exceptions exist (e.g., close family, death, etc.)?
Immediate family members involved with care of patient. See MD Health-General, § 4-305

What form may an authorization for disclosure take (e.g., written, verbal, duration)?
Written; See MD Health-General, § 4-303

What are the reporting and remediation requirements in the event of a breach/unlawful exposure?
None beyond HIPAA.

What penalties exist for failure to report an unlawful exposure?
None beyond HIPAA.

What rules are there for responding to subpoenas?
See, MD Code – Health General, § 4-306 (Mandatory disclosures of health information)

Massachusetts (continued)

What safe harbors or exceptions exist (e.g., close family, death, etc.)?
Disclosure of mental health records permitted without a patient’s written consent only at DMH’s request, pursuant to a court order, or if in patient’s best interest and consent not possible or practicable. M.G.L. c. 123, § 36; 104 CMR 27.17

What form may an authorization for disclosure take (e.g., written, verbal, duration)?
No specific form required.

What are the reporting and remediation requirements in the event of a breach/unlawful exposure?
None beyond HIPAA.

What penalties exist for failure to report an unlawful exposure?
No state-level penalties. State data breach law does not apply to health information.

What rules are there for responding to subpoenas?
A hospital or clinic served with a subpoena shall deliver certified copies of the subpoenaed records in its custody to the court or place of hearing designated on the subpoena. M.G.L. c. 111, § 70


MI
Michigan

How does the state define protected health information?
“Medical record” means information oral or recorded in any form or medium that pertains to a patient’s health care, medical history, diagnosis, prognosis, or medical condition and that is maintained by a health care provider or health facility in the process of caring for the patient’s health. Mich. Comp. Laws Ann. § 333.26263 (West)

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
Health care providers (licensed or registered to provide health care)
Health facility (organized entity where health care provider provides health care services)
Medical record company (person who stores, locates, or copies medical records for a health care provider or health facility under a contract or agreement). Mich. Comp. Laws Ann. § 333.26263 (West)

What additional security obligations exist (beyond HIPAA) for PHI?
Shall take reasonable steps to verify the identity of the person making the request for a patient’s medical data. Mich. Comp. Laws Ann. § 333.26265(g) (West)

What rules are there governing business associates?
None beyond HIPAA.

What constitutes a breach or unlawful disclosure?
None beyond HIPAA.

MN
Minnesota

How does the state define protected health information?
Any information relating to physical or mental health or condition of patient, or payment for same. Minn. Stat. § 144.291(2)(c)

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
Any person who provides health care services, including home care providers, health care facilities, and physician assistants. Minn. Stat. § 144.291(2)(i)

What additional security obligations exist (beyond HIPAA) for PHI?
Provider must maintain records of any release of information without patient consent as authorized by law, within patient’s health record. Minn. Stat. § 144.293(9).
Particular disclosure requirements for mental health records. Minn. Stat. § 144.294

What rules are there governing business associates?
None beyond HIPAA.

What constitutes a breach or unlawful disclosure?
“Negligent or intentional” request or release of health records without authorization. Minn. Stat. § 144.298


Michigan (continued)

What safe harbors or exceptions exist (e.g., close family, death, etc.)?
Upon death either personal representative, heirs at law, or beneficiary of life insurance policy. Mich. Comp. Laws Ann. § 333.26263 (West)

What form may an authorization for disclosure take (e.g., written, verbal, duration)?
Explicit written authorization; OR upon death either personal representative, heirs at law, or beneficiary of life insurance policy. Mich. Comp. Laws Ann. § 333.26263 (West)

What are the reporting and remediation requirements in the event of a breach/unlawful exposure?
N/A.
An entity to which the statute applies shall provide notice of the breach to each resident of MI if (a) the resident’s unencrypted and unredacted personal information was accessed and acquired by an unauthorized person or (b) the resident’s personal information was accessed and acquired in encrypted form by a person with unauthorized access to the encryption key. Notification is not required if the entity determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more residents. Notice shall be provided without unreasonable delay subject to measures necessary to determine the scope of the security breach and restore the reasonable integrity of the database. Mich. Comp. Laws § 445.72

What penalties exist for failure to report an unlawful exposure?
Disclosure of confidential medical information from the Department of Health is a misdemeanor, punishable by fine, imprisonment, or both. Mich. Comp. Laws Ann. § 333.2638 (West)
A person that knowingly fails to provide any notice of a security breach required under this section may be ordered to pay a civil fine of not more than $250 for each failure to provide notice. Mich. Comp. Laws § 445.72

What rules are there for responding to subpoenas?
Health information gathered as part of a professional review or institution of higher learning is not discoverable. Mich. Comp. Laws Ann. § 333.21515 (West); Mich. Comp. Laws Ann. § 333.20175(8) (West)

Minnesota (continued)

What safe harbors or exceptions exist (e.g., close family, death, etc.)?
Consent not required for medical emergency where patient consent cannot be obtained, to other providers within related health care entities when necessary for treatment. Minn. Stat. § 144.293(5)

What form may an authorization for disclosure take (e.g., written, verbal, duration)?
Consent must be in writing, signed and dated, and valid for one year unless consent states otherwise or as otherwise provided by law. Minn. Stat. § 144.293(2) and (4)

What are the reporting and remediation requirements in the event of a breach/unlawful exposure?
None specified.

What penalties exist for failure to report an unlawful exposure?
No specific penalties for failure to report in state law. Civil liability to patient for unauthorized disclosure, and subject to disciplinary action by licensing board. Minn. Stat. § 144.298

What rules are there for responding to subpoenas?
None beyond HIPAA.


MS
Mississippi

How does the state define protected health information?
No comprehensive statute governing PHI beyond HIPAA; privacy is addressed in separate statutes governing specific types of entities and conditions.
The Mississippi Insurance Department adopted a privacy regulation governing disclosure of “nonpublic personal health information” by “licensees” (i.e., insurers), which are required to comply with the regulation unless they satisfy HIPAA requirements. 19 Miss. Admin. Code Pt. 1, R. § 28.20
Under these regulations, “nonpublic personal health information” is any information that relates to the individual’s health condition, provision of health care, or payment for health care, and that can be used to identify the individual. 19 Miss. Admin. Code Pt. 1, R. § 28.04(U), 28.04(O)

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
Restrictions on disclosure specific to certain entities:
• Counselors. Miss. Code Ann. § 73-30-17
• Health care practitioners. Miss. Code Ann. § 13-1-21.
• HMOs and PPOs. Miss. Code Ann. § 83-41-355
• Hospice. Miss. Code Ann. § 41-85-23
• Hospitals. Miss. Code Ann. § 41-9-67
• Insurers. 19 Miss. Admin. Code Pt. 1, R. §§ 28.04(Q), 28.17(A)
• Nursing homes. Miss. Code Ann. § 43-11-16
• Mental health facilities. Miss. Code Ann. § 41-21-97
• Psychologists. Miss. Code Ann. § 73-31-29
• Social workers. Miss. Code Ann. § 73-53-29
• Substance abuse facilities. Miss. Code Ann. § 41-30-33
• Utilization review agents. Miss. Code Ann. § 41-83-17

What additional security obligations exist (beyond HIPAA) for PHI?
Restrictions on disclosure specific to certain conditions:
• Substance abuse. Miss. Code Ann. §§ 41-41-14, 71-7-15, 71-3-219, and 41-31-17
• Birth defects. Miss. Code Ann. § 41-21-205
• Cancer. Miss. Code Ann. § 41-91-11
• Communicable diseases. Miss. Code Ann. § 41-23-1.
• HIV/AIDS. Miss. Code Ann. § 41-34-7
• Mental illness. Miss. Code Ann. § 41-21-97

What rules are there governing business associates?
None beyond HIPAA.

What constitutes a breach or unlawful disclosure?
No state-specific statute governing breach or unlawful disclosure of PHI beyond federal protections and tort law.

MO
Missouri

How does the state define protected health information?
Individual’s first name or initial with last name, plus unencrypted medical or health information. Mo. Stat. § 407.1500(1)(5)-(1)(6). Among other records. Mo. Stat. § 407.1500(1)(9)

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
Individual or entity that: (1) conducts business in MO and possesses MO resident health information or (2) owns or licenses MO resident health information. Mo. Stat. § 407.1500(2)(1)

What additional security obligations exist (beyond HIPAA) for PHI?
None beyond HIPAA.

What rules are there governing business associates?
Included in definition of “covered entity.”

What constitutes a breach or unlawful disclosure?
Unauthorized access to or acquisition of personal information in a manner that compromises the information’s security, confidentiality, or integrity. Mo. Stat. § 407.1500(1)(1)

MT
Montana

How does the state define protected health information?
Enacted the Uniform Health Care Information Act in 1987 and then amended it in 2003 to only apply to those entities NOT covered by HIPAA. MCA 50-16-500

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
None beyond HIPAA.

What additional security obligations exist (beyond HIPAA) for PHI?
None beyond HIPAA.

What rules are there governing business associates?
None beyond HIPAA.

What constitutes a breach or unlawful disclosure?
None beyond HIPAA.

NE
Nebraska

How does the state define protected health information?
Resident’s first name or initial with last name, plus unencrypted identification numbers, physical representations, or usernames, among other items. Neb. Rev. St. § 87-802(5)

How does the state define a covered entity (i.e. who is subject to the disclosure laws)?
Individuals and any commercial entity, as listed in Neb. Rev. St. § 87-802(2)

What additional security obligations exist (beyond HIPAA) for PHI?
None beyond HIPAA.

What rules are there governing business associates?
Included in definition of “covered entity.”

What constitutes a breach or unlawful disclosure?
Unauthorized acquisition of unencrypted personal information. Neb. Rev. St. § 87-802(1)


Mississippi (continued)

What safe harbors or exceptions exist (e.g., close family, death, etc.)?
Insurance functions. 19 Miss. Admin. Code Pt. 1, R. § 28.17(B)
Disclosure necessary to prevent crime, violence, or suicide. Miss. Code Ann. §§ 73-30-17, 41-21-97
Litigation between person and HMO. Miss. Code Ann. § 83-41-355
Court order. Miss. Code Ann. § 41-21-97
Necessary for continued treatment of patient. Miss. Code Ann. § 41-21-97
Necessary for benefits determination. Miss. Code Ann. § 41-21-97

What form may an authorization for disclosure take (e.g., written, verbal, duration)?
Written and signed by subject of nonpublic personal health information or their representative. 19 Miss. Admin. Code Pt. 1, R. § 28.18(A); Miss. Code Ann. § 41-21-97. Valid for two years. 19 Miss. Admin. Code Pt. 1, R. § 28.18(C)

What are the reporting and remediation requirements in the event of a breach/unlawful exposure?
None beyond HIPAA.

What penalties exist for failure to report an unlawful exposure?
None beyond HIPAA.

What rules are there for responding to subpoenas?
None beyond HIPAA.

None beyond HIPAA. None beyond HIPAA. Disclose without unreasonable Up to $150,000 per breach. None beyond HIPAA.
delay to affected consumer, Mo. Stat. § 407.1500(4)
and if applicable, the Attorney
General and consumer
reporting agencies. Mo. Stat.
§ 407.1500(2)

None beyond HIPAA. None beyond HIPAA. None beyond HIPAA. None beyond HIPAA. None beyond HIPAA.

Good faith acquisition by None beyond HIPAA. Disclose without unreasonable Direct economic damages for No authorization required
employee or agent for delay in Written, Electronic, each affected NE resident. when responding to subpoena.
authorized disclosure or or Substitute Notice form Neb. Rev. St. § 87-806 Neb. Rev. St. § 87-802(1)
pursuant to a search warrant, to affected consumer and
subpoena, or other court Attorney General. Neb. Rev.
order. Neb. Rev. St. § 87-802(1) St. § 87-802(4)

NV
Nevada
Definition of protected health information:
  [A] natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted: (1) Social Security Number. (2) Driver’s license number or identification card number. (3) Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account. NRS § 603A.040
Covered entity (who is subject to the disclosure laws):
  Any data collector that owns or licenses computerized data which includes personal information. NRS § 603A.220(1)
  A “data collector” is “any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information.” NRS § 603A.030
Additional security obligations (beyond HIPAA) for PHI:
  None beyond HIPAA.
Rules governing business associates:
  None beyond HIPAA.
What constitutes a breach or unlawful disclosure:
  A “breach of the security of the system data” is the “unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the data collector.” NRS § 603A.020
Safe harbors or exceptions (e.g., close family, death):
  For establishing own notification method: “A data collector which maintains its own notification policies and procedures as part of an information security policy for the treatment of personal information that is otherwise consistent with the timing requirements of this section shall be deemed to be in compliance with the notification requirements of this section if the data collector notifies subject persons in accordance with its policies and procedures in the event of a breach of the security of the system data.” NRS § 603A.220(5)(a)
  For following interagency guidelines: A data collector which “[i]s subject to and complies with the privacy and security provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., shall be deemed to be in compliance with the notification requirements of this section.” NRS § 603A.220(5)(b)
Form of authorization for disclosure (e.g., written, verbal, duration):
  None beyond HIPAA.
Reporting and remediation requirements in the event of a breach/unlawful exposure:
  Method: “[T]he notification required by this section may be provided by one of the following methods: (a) Written notification. (b) Electronic notification, if the notification provided is consistent with the provisions of the Electronic Signatures in Global and National Commerce Act, 15 U.S.C. §§ 7001 et seq. (c) Substitute notification, if the data collector demonstrates that the cost of providing notification would exceed $250,000, the affected class of subject persons to be notified exceeds 500,000 or the data collector does not have sufficient contact information.” NRS § 603A.220(4)
  Timing: Following discovery or notification of the breach, “disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in [§ 603A.220(3)], or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system data.” NRS § 603A.220(1)
Penalties for failure to report an unlawful exposure:
  State enforcement: “If the Attorney General or a district attorney of any county has reason to believe that any person is violating, proposes to violate or has violated the provisions of this chapter, he may bring an action against that person to obtain a temporary or permanent injunction against the violation.” NRS § 603A.920
  Private right of action: “A data collector that provides the notification required pursuant to NRS § 603A.220 may commence an action for damages against a person that unlawfully obtained or benefited from personal information obtained from records maintained by the data collector. A data collector that prevails in such an action may be awarded damages which may include, without limitation, the reasonable costs of notification, reasonable attorney’s fees and costs and punitive damages when appropriate. The costs of notification include, without limitation, labor, materials, postage and any other costs reasonably related to providing the notification.” NRS § 603A.900
  Restitution also available: “In addition to any other penalty provided by law for the breach of the security of the system data maintained by a data collector, the court may order a person who is convicted of unlawfully obtaining or benefiting from personal information obtained as a result of such breach to pay restitution to the data collector for the reasonable costs incurred by the data collector in providing the [required] notification . . . including, without limitation, labor, materials, postage and any other costs reasonably related to providing such notification.” NRS § 603A.910
Rules for responding to subpoenas:
  N/A

NH
New Hampshire
Definition of protected health information:
  Same definition as HIPAA. RSA § 332-I:1(a)(4)
Covered entity (who is subject to the disclosure laws):
  Hospital, building, residence, or other place or part thereof, licensed by the state. RSA § 151:21(X)
Additional security obligations (beyond HIPAA) for PHI:
  Authorization is required to disclose for marketing and fundraising (only certain distribution methods allowed). Election not to receive fundraising communication is a revocation of authorization under HIPAA. RSA § 332-I:4
Rules governing business associates:
  None beyond HIPAA. RSA § 332-I:1, II(a)(1)
What constitutes a breach or unlawful disclosure:
  Physician/patient communications are placed on the same basis as those provided by law between attorney and client. Except as otherwise provided by law, no such physician or surgeon shall be required to disclose such privileged communications. RSA § 329:26
Safe harbors or exceptions (e.g., close family, death):
  None beyond HIPAA.
Form of authorization for disclosure (e.g., written, verbal, duration):
  No specific form required.
Reporting and remediation requirements in the event of a breach/unlawful exposure:
  If PHI is disclosed for marketing or fundraising in a manner that complies with HIPAA, but not RSA § 332-I:4, the health care provider shall promptly notify in writing the individual(s) whose PHI was disclosed. Business associate responsible for cost if it was the disclosing party. RSA § 332-I:5
Penalties for failure to report an unlawful exposure:
  If successful in civil suit, court shall award damages of not less than $1,000 for each violation, and costs and reasonable legal fees. RSA § 332-I:6
Rules for responding to subpoenas:
  Information about HIV testing obtained by subpoena shall not be released or made public outside of the proceedings. RSA § 141-F:8

NJ
New Jersey
Definition of protected health information:
  Follows HIPAA. N.J. Stat. Ann. § 56:8-196 (“Identifiable health information” means individually identifiable health information as defined in 45 C.F.R. § 160.103). “Personal information” for purposes of notice of breach separately defined at N.J. Stat. Ann. § 56:8-161
Covered entity (who is subject to the disclosure laws):
  New Jersey does NOT have a comprehensive statute which protects the privacy of confidential medical information. See generally, specific privacy protections applicable to various medical facilities: General, psychiatric and special hospitals in New Jersey. N.J. Admin. Code § 8:43G-1.1; Practitioners. N.J. Admin. Code § 13:35-6.5
  Notice of data breach applicable to any business that compiles or maintains computerized records that contain personal information if the personal information was, or is reasonably believed to have been, accessed by an unauthorized person. N.J. Stat. Ann. § 56:8-163
Additional security obligations (beyond HIPAA) for PHI:
  See generally, industry specific guidelines such as N.J. Stat. Ann. § 56:8-197(a) and Title 26, Health and Vital Statistics, which includes specific privacy protections applicable to various medical facilities such as hospitals.
  In addition, restrictions on disclosure specific to certain conditions, such as reporting of communicable diseases or gunshot wounds or suspected child abuse, etc., or when the patient’s treatment is the subject of peer review. N.J. Admin. Code § 13:35-6.5(d); see also N.J. Stat. Ann. § 30:4-24.3 (mental health)
  Also industry-specific guidelines regarding statutory data encryption or any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person of personal information. See e.g. N.J. Stat. Ann. § 56:8-197(a)
Rules governing business associates:
  Notice of data breach applicable to vendor with access to personal information if the personal information was, or is reasonably believed to have been, accessed by an unauthorized person. N.J. Stat. Ann. § 56:8-163(b)
  Health insurance carriers also subject to act, which includes an insurance company, health service corporation, hospital service corporation, medical service corporation, or health maintenance organization authorized to issue health benefits plans in New Jersey. N.J. Stat. Ann. § 56:8-196
What constitutes a breach or unlawful disclosure:
  A “breach of security” is the “unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.” N.J. Stat. Ann. § 56:8-161
Safe harbors or exceptions (e.g., close family, death):
  “Good faith acquisition of personal information by an employee or agent of the business for a legitimate business purpose is not a breach of security, provided that the personal information is not used for a purpose unrelated to the business or subject to further unauthorized disclosure.” N.J. Stat. Ann. § 56:8-161
  Maintenance of and compliance with an entity’s own notification process as part of a privacy or security policy and otherwise consistent with the NJ Act, shall be deemed in compliance with notice requirements. N.J. Stat. Ann. § 56:8-163(e)
Form of authorization for disclosure (e.g., written, verbal, duration):
  “in accordance with the statute” See e.g. N.J. Stat. Ann. § 30:4-24.3 or with patient approval. N.J. Admin. Code § 8:43G-4.1(21) written authorization. N.J. Admin. Code § 13:35-6.5(d)
Reporting and remediation requirements in the event of a breach/unlawful exposure:
  Notice of breach “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system” except no disclosure necessary if misuse of the information is not reasonably possible. N.J. Stat. Ann. § 56:8-163(a)
Penalties for failure to report an unlawful exposure:
  “It shall be an unlawful practice and a violation of [the New Jersey Consumer Fraud Act] to willfully, knowingly or recklessly violate [the breach notification law].” N.J. Stat. Ann. § 56:8-166
  “It shall be an unlawful practice and a violation of [the New Jersey Consumer Fraud Act] to violate the provisions of [the specific health insurance provisions].” N.J. Stat. Ann. § 56:8-198
  Also industry specific enforcement. For example, N.J. Stat. Ann. § 26:2H-13 provides for the imposition of administrative penalties if a hospital violates a patient’s rights. Those penalties include fines and suspension or revocation of all licenses.
Rules for responding to subpoenas:
  Requires HIPAA compliant release, or court order, see e.g. N.J. Stat. Ann. § 30:4-24.3, or subpoena issued by Board of Medical Examiners or Attorney General, or demand in writing, N.J. Admin. Code § 13:35-6.5(d)

NM
New Mexico
Definition of protected health information:
  Undefined. This state excludes individuals/entities covered by HIPAA from its Data Breach Notification Act. Apply federal HIPAA for this category. N.M. Stat. Ann. § 57-12C-8 (West 2021)
Covered entity (who is subject to the disclosure laws):
  Undefined. This state excludes individuals/entities covered by HIPAA from its Data Breach Notification Act. Apply HIPAA for this category. N.M. Stat. Ann. § 57-12C-8 (West 2021)
Additional security obligations (beyond HIPAA) for PHI:
  None beyond HIPAA. N.M. Stat. Ann. § 57-12C-8 (West 2021)
Rules governing business associates:
  None beyond HIPAA. N.M. Stat. Ann. § 57-12C-8 (West 2021)
What constitutes a breach or unlawful disclosure:
  Undefined. This state excludes individuals/entities covered by HIPAA from its Data Breach Notification Act. Thus, HIPAA applies for this category. N.M. Stat. Ann. § 57-12C-8 (West 2021)
Safe harbors or exceptions (e.g., close family, death):
  None beyond HIPAA. N.M. Stat. Ann. § 57-12C-8 (West 2021)
Form of authorization for disclosure (e.g., written, verbal, duration):
  None beyond HIPAA. N.M. Stat. Ann. § 57-12C-8 (West 2021)
Reporting and remediation requirements in the event of a breach/unlawful exposure:
  None beyond HIPAA. N.M. Stat. Ann. § 57-12C-8 (West 2021)
Penalties for failure to report an unlawful exposure:
  None beyond HIPAA. N.M. Stat. Ann. § 57-12C-8 (West 2021)
Rules for responding to subpoenas:
  None beyond HIPAA. N.M. Stat. Ann. § 57-12C-8 (West 2021)

NY
New York
Definition of protected health information:
  “Patient Information”: “information concerning or relating to examination, health assessment, including but not limited to health assessment for insurance or employment purposes or treatment maintained or possessed by a health care facility or health care practitioner.” McKinney’s Public Health Law § 18
  See NY HIPAA Preemption Charts for the scope of PHI in NY - NY Public Health Law § 17 and § 18
Covered entity (who is subject to the disclosure laws):
  “References covered entities, as defined in section 340B of the public health service act, to facilitate their participation in such drug discount program”. McKinney’s Public Health Law § 206
  See NY HIPAA Preemption Charts for the scope of “covered entity” in NY - NY Public Health Law § 206
Additional security obligations (beyond HIPAA) for PHI:
  None beyond HIPAA.
Rules governing business associates:
  NY Statute doesn’t have a definition for Business Associate. It is defined by 45 C.F.R. § 160.103. The rules governing business associates are explained in HHS.gov.
What constitutes a breach or unlawful disclosure:
  See NY HIPAA Preemption Charts for the NY Public Health Law § 2782, § 2805-m, § 4410(2)
Safe harbors or exceptions (e.g., close family, death):
  Court authorization for disclosure of confidential HIV related information. McKinney’s Public Health Law § 2785
Form of authorization for disclosure (e.g., written, verbal, duration):
  Definitions. McKinney’s Public Health Law § 2780
  Confidentiality and disclosure. McKinney’s Public Health Law § 2782
Reporting and remediation requirements in the event of a breach/unlawful exposure:
  NY SHIELD Act S.Sec. § 5575B Chapter 117
Penalties for failure to report an unlawful exposure:
  Penalties; immunities. McKinney’s Public Health Law § 2783
Rules for responding to subpoenas:
  Objection to disclosure, inspection or examination; compliance. McKinney’s CPLR Rule 3122

NC
North Carolina
Definition of protected health information:
  N/A; HIPAA Privacy Rule governs.
Covered entity (who is subject to the disclosure laws):
  N/A; HIPAA privacy rule governs, however some breaches may be subject to N.C. Gen. Stat. Ann. § 75-65, which provides: Any business that owns or licenses personal information of residents of North Carolina or any business that conducts business in North Carolina that owns or licenses personal information in any form. N.C. Gen. Stat. Ann. § 75-65
Additional security obligations (beyond HIPAA) for PHI:
  None beyond HIPAA.
Rules governing business associates:
  (General breach notification requirements.) N.C. Gen. Stat. §§ 75-61, 75-65
What constitutes a breach or unlawful disclosure:
  An incident of unauthorized access to and acquisition of unencrypted and unredacted records (or encrypted data along with the confidential process or key) or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer. See, N.C. Gen. Stat. §§ 75-61, 75-65
Safe harbors or exceptions (e.g., close family, death):
  None beyond HIPAA.
Form of authorization for disclosure (e.g., written, verbal, duration):
  None beyond HIPAA.
Reporting and remediation requirements in the event of a breach/unlawful exposure:
  Entity shall provide notice to the affected entity without unreasonable delay if the business owns or licenses the personal information, or immediately following discovery of the breach if the entity does not own or license the personal information. See, N.C. Gen. Stat. §§ 75-61, 75-65
  Notice must be conspicuous and provide, for example, information relating to the personal information accessed and contact information for assistance. N.C. Gen. Stat. Ann. § 75-65(d)
  Notice can be provided in several forms, for example, written notice, email, telephonic, etc. N.C. Gen. Stat. Ann. § 75-65(e)
Penalties for failure to report an unlawful exposure:
  No private right of action may be brought by an individual for a violation of this section unless such individual is injured as a result of the violation. N.C. Gen. Stat. Ann. § 75-65(i).
  Civil penalty of up to five thousand dollars ($5,000) for each violation. N.C. Gen. Stat. Ann. § 75-15.2
Rules for responding to subpoenas:
  None beyond HIPAA.

ND
North Dakota
Definition of protected health information:
  Individual’s first name or initial with last name, plus unencrypted medical or health insurance information (as defined in N.D.C.C., § 51-30-01), among other items.
Covered entity (who is subject to the disclosure laws):
  Person who owns or licenses computerized personal information. N.D.C.C., as defined in § 51-30-01.
Additional security obligations (beyond HIPAA) for PHI:
  None beyond HIPAA.
Rules governing business associates:
  Included in definition of “covered entity.”
What constitutes a breach or unlawful disclosure:
  Unauthorized acquisition of unencrypted personal information. N.D.C.C., § 51-30-01(1)
Safe harbors or exceptions (e.g., close family, death):
  Good faith acquisition by employee or agent for authorized disclosure. N.D.C.C., § 51-30-01(1)
Form of authorization for disclosure (e.g., written, verbal, duration):
  None beyond HIPAA.
Reporting and remediation requirements in the event of a breach/unlawful exposure:
  Disclose in most expedient time possible to affected consumer and if applicable, the Attorney General. N.D.C.C., §§ 51-30-02 to 51-30-05
Penalties for failure to report an unlawful exposure:
  Up to $5,000 per violation. N.D.C.C. §§ 51-30-07 & 51-15-11
Rules for responding to subpoenas:
  None beyond HIPAA.

OH
Ohio
Definition of protected health information:
  Same as HIPAA. Same definition as provided in 45 C.F.R. § 160.103. Oh. Rev. Code § 3798.01
Covered entity (who is subject to the disclosure laws):
  Same as HIPAA. Same definition as provided in 45 C.F.R. § 160.103. Oh. Rev. Code § 3798.01
Additional security obligations (beyond HIPAA) for PHI:
  None specific to PHI. However, Ohio has consumer protection laws that similarly protect consumer data. Oh. Rev. Code § 3798.03
Rules governing business associates:
  Ohio Office of Information and Security has prepared a HIPAA Business Associate Agreement Template.
What constitutes a breach or unlawful disclosure:
  None beyond HIPAA. Same as defined in 45 C.F.R. part 2. Oh. Rev. Code § 3798.04
Safe harbors or exceptions (e.g., close family, death):
  No specific safe harbors defined. Potential safe harbor from tort liability under the Ohio Data Protection Act.
Form of authorization for disclosure (e.g., written, verbal, duration):
  Properly executed form by an individual or the individual’s personal representative that meets the requirements specified in 45 C.F.R. 164.508 and if applicable 42 C.F.R. part 2. Oh. Rev. Code § 3798.10
Reporting and remediation requirements in the event of a breach/unlawful exposure:
  General privacy laws that do not identify PHI. Oh. Rev. Code § 1349.191
Penalties for failure to report an unlawful exposure:
  Civil action by attorney general pursuant to the Security Breach Notification Act. Oh. Rev. Code § 1349.192
Rules for responding to subpoenas:
  None specific to HIPAA, however there remains privilege between a patient and their physician, advanced practice registered nurse, and dentist that may bar response. Oh. Rev. Code § 2317.02(B)

OK
Oklahoma
Definition of protected health information:
  Undefined. “Personal Information” means: Resident’s name plus:
  • Social Security Number;
  • Driver’s license number;
  • Financial account number; or
  • Other specified information.
  Okla. Stat. Ann. tit. 24, § 162 (West 2021)
Covered entity (who is subject to the disclosure laws):
  Undefined. This state’s disclosure laws apply to all individuals or entities that own or license computerized data that includes personal information. Okla. Stat. Ann. tit. 24, § 163 (West 2021)
Additional security obligations (beyond HIPAA) for PHI:
  None beyond HIPAA. This state does not define PHI. Okla. Stat. Ann. tit. 24, § 162, et seq. (West 2021)
Rules governing business associates:
  None beyond HIPAA. Okla. Stat. Ann. tit. 24, § 162, et seq. (West 2021)
What constitutes a breach or unlawful disclosure:
  Unauthorized data acquisition that compromises PI confidentiality and causes its maintainer to reasonably believe that fraud will occur to resident. Okla. Stat. Ann. tit. 24, § 162 (West 2021)
Safe harbors or exceptions (e.g., close family, death):
  None beyond HIPAA. Okla. Stat. Ann. tit. 24, § 163 (West 2021)
Form of authorization for disclosure (e.g., written, verbal, duration):
  None beyond HIPAA.
Reporting and remediation requirements in the event of a breach/unlawful exposure:
  Prompt notification of resident who is subject of the PI if the maintainer reasonably believes the disclosure will cause fraud. Okla. Stat. Ann. tit. 24, § 163 (West 2021)
Penalties for failure to report an unlawful exposure:
  State AG or DA may file lawsuit for actual damages or civil penalty up to $150,000 per breach. Okla. Stat. Ann. tit. 24, § 165 (West 2021)
Rules for responding to subpoenas:
  None beyond HIPAA.

OR
Oregon
Definition of protected health information:
  Individually identifiable health information that is maintained or transmitted in any form of electronic or other medium by a covered entity.
  “Protected health information” does not mean individually identifiable health information in: (A) Education records covered by the federal Family Educational Rights and Privacy Act (20 U.S.C. § 1232g); (B) Records described at 20 U.S.C. § 1232g(a)(4)(B)(iv); or (C) Employment records held by a covered entity in its role as employer. ORS § 192.556
Covered entity (who is subject to the disclosure laws):
  (A) A state health plan; (B) A health insurer; (C) A health care provider that transmits any health information in electronic form to carry out financial or administrative activities in connection with a transaction covered by ORS § 192.553 (Policy for protected health information) to § 192.581 (Allowed retention or disclosure of genetic information); or (D) A health care clearinghouse. ORS § 192.556
Additional security obligations (beyond HIPAA) for PHI:
  None beyond HIPAA.
Rules governing business associates:
  “Business Associate” means an individual or entity performing any function or activity on behalf of the Authority involving the use or disclosure of protected health information (PHI) and is not a member of the Authority’s workforce.
  (A) “Function or activity” includes but is not limited to program administration, claims processing or administration, data analysis, utilization review, quality assurance, billing, legal, actuarial, accounting, consulting, data processing, management, administrative, accreditation, financial services, and similar services for which the Authority may contract or obtain by interagency agreement, if access to PHI is involved.
  (B) Business associates do not include licensees or providers unless the licensee or provider also performs some function or activity on behalf of the Authority.
  OAR § 943-014-0000
What constitutes a breach or unlawful disclosure:
  “Breach” has the meaning given that term in 45 CFR § 164.402. OAR § 943-014-0410
Safe harbors or exceptions (e.g., close family, death):
  A health care provider may use or disclose protected health information of an individual without obtaining an authorization from the individual or a personal representative of the individual if the conditions in paragraph (b) of this subsection are met and:
  (A) The disclosure is to a family member, other relative, a close personal friend or other person identified by the individual, and the protected health information is directly relevant to the person’s involvement with the individual’s health care; or
  (B) The disclosure is for the purpose of notifying a family member, a personal representative of the individual or another person responsible for the care of the individual of the individual’s location, general condition or death.
  A health care provider may make the disclosures described in paragraph (a) of this subsection if:
  (A) (i) The individual is not present or obtaining the individual’s authorization is not practicable due to the individual’s incapacity or an emergency circumstance; and (ii) In the exercise of professional judgment and based on reasonable inferences, the health care provider determines that the disclosure is in the best interests of the individual; or
  (B) The individual is present and the health care provider gives the individual an opportunity to object to the disclosure and the individual does not express an objection or the health care provider reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object to the disclosure.
  ORS § 192.567
Form of authorization for disclosure (e.g., written, verbal, duration):
  Authorization form template provided. ORS § 192.566
Reporting and remediation requirements in the event of a breach/unlawful exposure:
  For the purposes of this rule, a breach is considered “discovered” in accordance with 45 CFR § 164.404(a)(2) and 45 CFR § 164.410(2). OAR § 943-014-0440
Penalties for failure to report an unlawful exposure:
  None beyond HIPAA.
Rules for responding to subpoenas:
  N/A

W W W. SEYFARTH .COM  |  31
How does the state
How does the state define a covered entity What additional security What rules are there What constitutes a
define protected health (i.e. who is subject to the obligations exist (beyond governing business breach or unlawful
State information? disclosure laws)? HIPAA) for PHI? associates? disclosure?

PA Pennsylvania does NOT


have a comprehensive
statute which protects
Restrictions on disclosure
specific to certain entities.
See generally, specific
Restrictions on disclosure
specific to certain
conditions, such as child
None beyond HIPAA.
Notice of data breach
Breach of the security
of the system is defined
as: “The unauthorized
Pennsylvania applicable to vendor
the privacy of confidential privacy protections abuse. See generally Title with access to personal access and acquisition of
medical information; applicable to various 28 and 49. information. 73 Pa. Cons. computerized data that
privacy is addressed medical facilities such as Stat. Ann. § 2303(b) and (c) materially compromises
in separate statutes Title 28, Health and Safety, the security or
governing specific types of which includes various confidentiality of personal
entities and conditions. But medical facilities such as information maintained
see 73 Pa. Cons. Stat. Ann. hospitals. 28 Pa. Code by the entity as part of
§ 2302 (2006) (Breach of § 115.27 (hospitals); 28 Pa. a database of personal
Personal Information Act), Code § 563.9 (ambulatory information regarding
which includes definition surgical centers); 28 multiple individuals and
of “Personal information” Pa. Code § 5.53 (Clinical that causes or the entity
and applies to “the laboratories); See also reasonably believes has
discovery or notification Title 49, Professional and caused or will cause loss
of a breach in the security Vocational Standards, or injury to any resident
of personal information which includes specific of [Pennsylvania].” 73 Pa.
data that occurs on or privacy protections Cons. Stat. Ann. § 2302.
after the effective date” applicable to various
rather than the manner in medical professions.
which personal protected Notice of data breach
information is stored or applicable to “An entity
maintained. See 73 Pa. that maintains, stores, or
Cons. Stat. Ann. § 2329. manages computerized
data that includes personal
information . . .” 73 Pa.
Cons. Stat. Ann. § 2303(a)

RI
Rhode Island
All information relating
to a patient’s health
care history, diagnosis,
Any person licensed
to provide or lawfully
providing health care
None beyond HIPAA. None. Statute technically
applies to “any person,”
but is limited to
Any release or transfer
not described in 5 R.I. Gen.
Laws § 5-37.3-4(b). For
condition, treatment, or services. 5 R.I. Gen. Laws information obtained from all data, any disclosure of
evaluation obtained from § 5-37.3-3 a health care provider. personal information that
a health care provider who poses a significant risk of
has treated the patient. 5 identity theft. 11 R.I. Gen.
R.I. Gen. Laws § 5-37.3-3 Laws § 11-49.3-4

SC
South Carolina
N/A; HIPAA Privacy Rule
governs
N/A; HIPAA Privacy Rule
governs
N/A None beyond HIPAA. “breach in the security of
the data to a resident of
this State whose personal
identifying information
that was not rendered
unusable through
encryption, redaction, or
other methods was, or
is reasonably believed to
have been, acquired by
an unauthorized person
when the illegal use of the
information has occurred
or is reasonably likely
to occur or use of the
information creates a
material risk of harm to
the resident.” S.C. Code
Ann. § 39-1-90

SD Person’s first name or


initial with last name, plus
HIPAA-defined health
Person or business that:
(A) conducts business in
SD and (B) owns or retains
None beyond HIPAA. Included in definition of
“covered entity.”
Unauthorized acquisition
of unencrypted personal
information. SDL § 22-40-
South Dakota
information, among other computerized personal 19(1)
items. § SDL 22-40-19(4) information of an SD
resident. SDL § 22-40-19(3)

3 2  |  50 -STATE SURVEY OF HEALTH CARE INFORMATION PRIVACY L AWS


What form may an What are the reporting and
What safe harbors or authorization for disclosure remediation requirements What penalties exist for
exceptions exist (e.g., close take (e.g., written, verbal, in the event of a breach/ failure to report an unlawful What rules are there for
family, death, etc.) duration)? unlawful exposure? exposure? responding to subpoenas?

“Good faith acquisition of None beyond HIPAA. For A covered entity shall The Attorney General shall The release of a PHI may not
personal information by an example, there is no specific provide notice of any breach have exclusive authority to require authorization in the
employee or agent of the provision allowing the following discovery of the bring an action for violation of case of a subpoena.
entity for the purposes of release of information from breach of the security of the the data breach statute. 73 Pa. See e.g. 49 Pa. Code § 25.213.
the entity is not a breach of medical records for research system to any resident of Cons. Stat. Ann. § 2308
the security of the system if purposes. this Commonwealth whose
the personal information is unencrypted and unredacted
not used for a purpose other personal information was or
than the lawful purpose of is reasonably believed to have
the entity and is not subject been accessed and acquired
to further unauthorized by an unauthorized person and
disclosure.” 73 Pa. Cons. Stat. take any measures necessary
Ann. § 2302 to determine the scope of the
Maintenance of an entity’s own breach and to restore the
notification process, as part of reasonable integrity of the
a privacy or security policy or data system, the notice shall
compliance with federal rules be made without unreasonable
of guidelines, shall be deemed delay. 73 Pa. Cons. Stat. Ann.
in compliance with notice § 2303
requirements. 73 Pa. Cons.
Stat. Ann. § 2307(b)

Rhode Island (RI)
Safe harbors or exceptions (e.g., close family, death, etc.): Disclosure without consent permitted for medical or dental emergency, for professional disciplinary or peer-review boards, to law enforcement in certain circumstances, or for claims adjudication. 5 R.I. Gen. Laws § 5-37.3-4
Form an authorization for disclosure may take (e.g., written, verbal, duration): Must be in writing and contain statutory disclosure language. 5 R.I. Gen. Laws § 5-37.3-4(d)
Reporting and remediation requirements in the event of a breach/unlawful exposure: Notification to affected residents of the state (if more than 500 individuals affected), the Attorney General, and major credit reporting agencies. No later than 45 calendar days after discovery. 11 R.I. Gen. Laws § 11-49.3-4
Penalties for failure to report an unlawful exposure: Reckless violation - $100 per record. Knowing and willful violation - $200 per record. AG may bring action. (11 R.I. Gen. Laws § 11-49.3-5)
Rules for responding to subpoenas: May disclose if subpoena and certification of service on affected individual, and passage of 20 days or court order after challenge. 5 R.I. Gen. Laws § 5-37.3-6.1

South Carolina (SC)
Safe harbors or exceptions (e.g., close family, death, etc.): N/A
Form an authorization for disclosure may take (e.g., written, verbal, duration): A patient or his legal representative has a right to receive a copy of his medical record, or have the record transferred to another physician, upon request, when accompanied by a written authorization from the patient or his legal representative to release the record. S.C. Code Ann. § 44-115-30
Reporting and remediation requirements in the event of a breach/unlawful exposure: The disclosure must be made to a resident whose data was breached in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or with measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. S.C. Code Ann. § 39-1-90
Penalties for failure to report an unlawful exposure: Knowing and willful violations may be subject to an administrative fine of $1,000 for each resident whose information has been breached. S.C. Code Ann. § 39-1-90(H)
Rules for responding to subpoenas: Other provisions pertaining to medical records or actions involving medical negligence are not invalidated by this chapter. S.C. Code Ann. § 44-115-150

South Dakota (SD)
Safe harbors or exceptions (e.g., close family, death, etc.): Good faith acquisition by employee or agent for authorized disclosure. SDL § 22-40-19(1)
Form an authorization for disclosure may take (e.g., written, verbal, duration): None beyond HIPAA.
Reporting and remediation requirements in the event of a breach/unlawful exposure: Disclose within 60 days to affected consumer, and if applicable, the Attorney General. SDL § 22-40-22
Penalties for failure to report an unlawful exposure: Prosecution for deceptive practice or act. Up to $10,000 per day for violation. SDL § 22-40-25
Rules for responding to subpoenas: None beyond HIPAA.

WWW.SEYFARTH.COM | 33
Tennessee (TN)
Definition of protected health information: Same as HIPAA. Defined the same as the meaning given in 45 C.F.R. § 160.103. (Note this relates to solicitation, but provides a definition of PHI.) Tenn. Code Ann. § 47-18-3001
Definition of a covered entity (i.e. who is subject to the disclosure laws): Health care providers, further defined as “any person required to be licensed under [Tennessee Code Annotated Title 63]”. Tenn. Code Ann. § 63-2-101
Additional security obligations (beyond HIPAA) for PHI: N/A
Rules governing business associates: None beyond HIPAA.
What constitutes a breach or unlawful disclosure: None beyond HIPAA.

Texas (TX)
Definition of protected health information: Has the same meaning assigned by HIPAA. Tex. Health & Safety Code Ann. § 181.001(a); Tex. Ins. Code Ann. § 602.001(3); 28 Tex. Admin. Code § 22.52. The Texas Administrative Code defines it as any information that relates to the individual’s health condition, provision of health care, or payment for health care, and can be used to identify that individual. See, e.g., 10 Tex. Admin. Code § 1.24(b)(12); 25 Tex. Admin. Code § 1.501(b)(5); Tex. Bus. & Com. Code Ann. § 521.002(a)(2)(B)
Definition of a covered entity (i.e. who is subject to the disclosure laws): Any person who collects, uses, stores, transmits, or possesses PHI. Tex. Health & Safety Code Ann. § 181.001(b)(2); Tex. Ins. Code Ann. § 602.001(1). Covered entities must comply with HIPAA privacy requirements. Tex. Health & Safety Code Ann. § 181.004
Additional security obligations (beyond HIPAA) for PHI: Hospitals must safeguard all health care information they maintain. Tex. Health & Safety Code Ann. § 241.155. Patients harmed by the release of confidential health information may sue for injunctive relief or damages. Tex. Health & Safety Code Ann. § 241.156
Rules governing business associates: None beyond HIPAA.
What constitutes a breach or unlawful disclosure: The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information. Tex. Bus. & Com. Code Ann. § 521.053(a)

Utah (UT)
Definition of protected health information: Undefined. “Personal Information” means: Resident’s name plus:
• Social Security Number;
• driver’s license number;
• financial account number; or
• other specified information.
Utah Code Ann. § 13-44-102 (West 2020)
Definition of a covered entity (i.e. who is subject to the disclosure laws): Undefined. This state’s disclosure laws apply to any individual/entity who/that conducts business in the state and maintains Personal Information. Utah Code Ann. § 13-44-201 (West 2020)
Additional security obligations (beyond HIPAA) for PHI: None beyond HIPAA. This state does not define PHI. Utah Code Ann. § 13-44-201 (West 2020)
Rules governing business associates: None beyond HIPAA. Utah Code Ann. § 13-44-102, et seq. (West 2020)
What constitutes a breach or unlawful disclosure: Unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information. Utah Code Ann. § 13-44-102 (West 2020)

34 | 50-STATE SURVEY OF HEALTH CARE INFORMATION PRIVACY LAWS


Tennessee (TN)
Safe harbors or exceptions (e.g., close family, death, etc.): Disclosure of student records to a member of the state threat assessment team is allowed if the information holder believes disclosure is necessary to prevent a serious or imminent threat. Tenn. Code Ann. § 49-6-2702. Upon death, next of kin is considered authorized representative. Tenn. Code Ann. § 63-2-101
Form an authorization for disclosure may take (e.g., written, verbal, duration): Written authorization including core elements of 45 C.F.R. Parts 160 and 164. Allows health care provider to determine form of authorization based on circumstance and maintain a policy. Tenn. Code Ann. § 63-2-101
Reporting and remediation requirements in the event of a breach/unlawful exposure: None beyond HIPAA.
Penalties for failure to report an unlawful exposure: None beyond HIPAA.
Rules for responding to subpoenas: None beyond HIPAA.

Texas (TX)
Safe harbors or exceptions (e.g., close family, death, etc.): Disclosure is permitted: for treatment, payment, health care operations, or performing insurance functions; directory information; to another treating physician, EMS provider, or prospective provider; to certain clergy; to an organ procurement organization; for peer review; to a government agency; to a hospital’s successor in interest; to the American Red Cross; to a poison control center; to a utilization review agent; for research; for reimbursement for medical services; to an HMO; for medical records of a deceased or incompetent; pursuant to court order or subpoena. Tex. Health & Safety Code Ann. §§ 181.153, 241.153; see also Tex. Occ. Code Ann. § 159.003(a); Tex. R. Evid. 509(e), 510(d)
Form an authorization for disclosure may take (e.g., written, verbal, duration): Written or electronic form, or in oral form if it is documented in writing by the covered entity. No duration limitation. Tex. Health & Safety Code Ann. § 181.153(b)
Reporting and remediation requirements in the event of a breach/unlawful exposure: Within 60 days after breach, covered entities must provide written notice to the last known address of any affected state resident. Tex. Bus. & Com. Code Ann. § 521.053(b), (e)
Penalties for failure to report an unlawful exposure: Failure to report unlawful exposure is liable to the State for a civil penalty between $2,000 and $50,000 for each violation. Tex. Bus. & Com. Code Ann. § 521.151(a)
Rules for responding to subpoenas: Patient is party to judicial proceeding and disclosure is pursuant to subpoena issued under: (1) the Texas Rules of Civil or Criminal Procedure; or (2) Chapter 121 of the Texas Civil Practice and Remedies Code. Tex. Health & Safety Code Ann. § 241.153(20); Tex. Occ. Code Ann. § 159.002(f)

Utah (UT)
Safe harbors or exceptions (e.g., close family, death, etc.): None beyond HIPAA. Utah Code Ann. § 13-44-202 (West 2020)
Form an authorization for disclosure may take (e.g., written, verbal, duration): None beyond HIPAA.
Reporting and remediation requirements in the event of a breach/unlawful exposure: Notification of the subject of the PI if the maintainer determines that the PI may or will be fraudulently used. Utah Code Ann. § 13-44-202 (West 2020)
Penalties for failure to report an unlawful exposure: State AG may file a lawsuit for up to $2,500 per resident, up to certain aggregate limits determined by specified circumstances. Utah Code Ann. § 13-44-301 (West 2020)
Rules for responding to subpoenas: None beyond HIPAA.

Vermont (VT)
Definition of protected health information: “Protected health information” shall have the same meaning as in 45 C.F.R. § 160.103. 18 V.S.A. § 1881(a)(2)
Definition of a covered entity (i.e. who is subject to the disclosure laws): “Covered entity” has the same meaning as in 45 C.F.R. § 160.103. 18 V.S.A. § 1881(a)(1)
Additional security obligations (beyond HIPAA) for PHI: The state of Vermont provides patients with more privacy protections than HIPAA. See p. 9-10 of VT Legal Aid “Protected Health Information - What Vermonters Should Know”, which cites the following VT laws as additional protection beyond HIPAA: 18 V.S.A. § 7103, 12 V.S.A. § 1612, 18 V.S.A. § 1852(a)(7), 18 V.S.A. § 4211, 18 V.S.A. § 4223, 23 V.S.A. § 1203(b), 33 V.S.A. § 4913, 33 V.S.A. § 6903, 18 V.S.A. § 1001
Rules governing business associates: VT statutes don’t have a definition for Business Associate. It is defined by 45 C.F.R. § 160.103
What constitutes a breach or unlawful disclosure: “A covered entity shall not disclose protected health information unless the disclosure is permitted under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).” 18 V.S.A. § 1881(b). See also the HIPAA definition of breach, 45 CFR § 164.402.

Virginia (VA)
Definition of protected health information: Any written, printed, or electronically recorded material maintained by a health care entity in the course of providing health services to an individual concerning the individual and the services provided. “Health record” also includes the substance of any communication made by an individual to a health care entity in confidence during or in connection with the provision of health services, or information otherwise acquired by the health care entity about an individual in confidence and in connection with the provision of health services to the individual. Va. Code Ann. § 32.1-127.1:03(B) (West)
Definition of a covered entity (i.e. who is subject to the disclosure laws): Any health care provider, health plan, or health care clearinghouse. See Code of Virginia § 32.1-127.1:03(B)
Additional security obligations (beyond HIPAA) for PHI: None beyond HIPAA.
Rules governing business associates: None beyond HIPAA.
What constitutes a breach or unlawful disclosure: Unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of medical information maintained by an entity. Va. Code Ann. § 32.1-127.1:05(A)



Vermont (VT)
Safe harbors or exceptions (e.g., close family, death, etc.): Disclosures of protected health information to avert a serious risk of danger. 18 V.S.A. § 1882. “Nothing in this section shall preclude disclosure, upon proper inquiry, of information concerning medical condition to the individual’s family, clergy, physician, attorney, the individual’s health care agent under section 5264 of this title, a person to whom disclosure is authorized by a validly executed durable power of attorney for health care, or to an interested party.” 18 V.S.A. § 7103(b). See also 12 V.S.A. § 1612(b) & (c); 18 V.S.A. § 1852(a)(7)
Form an authorization for disclosure may take (e.g., written, verbal, duration): The law states that patient identification and records shall be kept confidential absent the patient’s written consent or a court order. 18 V.S.A. § 7103
Reporting and remediation requirements in the event of a breach/unlawful exposure: None beyond HIPAA. See Breach Notification Rule, 45 CFR §§ 164.400-414
Penalties for failure to report an unlawful exposure: None beyond HIPAA.
Rules for responding to subpoenas: Vermont Rules of Civil Procedure, Rule 45 (Subpoena).

Virginia (VA)
Safe harbors or exceptions (e.g., close family, death, etc.): See § 32.1-127.1:03(D) (health records of minors, worker’s comp cases, release to a correctional facility or secure juvenile shelter, and to comply with subpoena).
Form an authorization for disclosure may take (e.g., written, verbal, duration): Written authorization including the information provided in the sample form at Va. Code Ann. § 32.1-127.1:03
Reporting and remediation requirements in the event of a breach/unlawful exposure: HIPAA controls if an entity is covered as a “covered entity” or “business associate”, or is a non-HIPAA-covered entity subject to the Health Breach Notification Rule. Va. Code Ann. § 32.1-127.1:05(F). Notice shall be written, telephonic, or electronic; substitute notice (available under certain circumstances) may include email notice, conspicuous posting on a website of the entity, and notice to major statewide media. Notice shall include (1) the incident in general terms, (2) the type of medical information subject to unauthorized access or acquisition, (3) the general acts of the entity to protect the personal information from further unauthorized access, and (4) a telephone number that the person may call for further information and assistance, if one exists. Notice must be provided to the Office of the Attorney General and the Commissioner of Health if more than 1,000 individuals are provided notice at any time. Va. Code Ann. § 32.1-127.1:05
Penalties for failure to report an unlawful exposure: The Office of the Attorney General may impose a civil penalty not to exceed $150,000 per breach of the security of the system or a series of breaches of a similar nature that are discovered in a single investigation. Va. Code Ann. § 18.2-186.6(I)
Rules for responding to subpoenas: In compliance with a subpoena issued in accord with subsection H, pursuant to a search warrant or a grand jury subpoena, pursuant to court order upon good cause shown, or in compliance with a subpoena issued pursuant to subsection C of § 8.01-413. Regardless of the manner by which health records relating to an individual are compelled to be disclosed pursuant to this subdivision, nothing in this subdivision shall be construed to prohibit any staff or employee of a health care entity from providing information about such individual to a law-enforcement officer in connection with such subpoena, search warrant, or court order. See Va. Code Ann. § 32.1-127.1:03(D)(2)

Washington (WA)
Definition of protected health information: “Health care information” means any information, whether oral or recorded in any form or medium, that identifies or can readily be associated with the identity of a patient and directly relates to the patient’s health care, including a patient’s deoxyribonucleic acid and identified sequence of chemical base pairs. The term includes any required accounting of disclosures of health care information. RCW § 70.02.010
Definition of a covered entity (i.e. who is subject to the disclosure laws): Health care provider, health care facility, or third-party payor, to the extent that activities are related to functions that make an entity a health care provider, health care facility or third-party payor. RCW § 70.02.020. Additionally, state law requires many agencies that are exempt from HIPAA to meet similar administrative requirements. Executive Order 16-01
Additional security obligations (beyond HIPAA) for PHI: Special security rules exist for information contained in a patient medication record system or in regards to hospital patient discharge data. RCW § 246-875-070; RCW § 246-455-080
Rules governing business associates: None beyond HIPAA.
What constitutes a breach or unlawful disclosure: Washington’s public records act prohibits disclosure of the following health care information:
• Information obtained by the board of pharmacy from a manufacturer or their representative.
• Information obtained by the board of pharmacy from an individual or entity (e.g. pharmaceutical manufacturer, practitioner) that purchases or distributes drugs.
• Information and documents created and maintained by quality improvement committees, peer review committees, quality assurance committees, and hospitals in relation to the reporting and notification of adverse events and hospital acquired infections.
• Records related to the impaired physician program.
• Complaints regarding health professional discipline.
• Information related to the prescription monitoring program.
• Information obtained by the department of health pursuant to the death with dignity act.
• Cardiac and stroke performance data submitted to national, state, or local data collection systems.
• Information obtained from the employee wellness program. However, statistical reports that do not contain identifying information may be disclosed.
RCW § 42.56.360



Washington (WA)
Safe harbors or exceptions (e.g., close family, death, etc.): Individuals, or their legal representatives, may authorize, in writing, a state agency to disclose records containing their individually identifiable information for research purposes. RCW § 42.48.020. A health care provider or facility has the option of disclosing health care information about a patient without the patient’s authorization if the disclosure fits in one of the following categories:
• To a person who the provider or facility reasonably believes is providing health care to the patient
• To other persons in the facility or office to provide planning, quality assurance, peer review, or administrative, legal, financial or other health care operations on behalf of the provider or facility
• To another provider reasonably believed to have previously provided health care to the patient, unless the patient has specifically instructed otherwise
• To a person the provider or facility reasonably believes will help avoid or minimize an imminent danger to the health or safety of the patient or any other individual
• To immediate family members, domestic partners, and close personal relationships of the patient, unless the patient has stated otherwise
• For use in certain research projects that contain reasonable safeguards to protect the information from direct identification and redisclosure
• To a person who obtains information for purposes of an audit
• To officials of a correctional facility
• To provide directory information, unless the patient has instructed the health care provider or health care facility not to make the disclosure
• To fire, police, sheriff, or other public authorities that brought the patient to the provider or facility
• To law enforcement authorities if evidence of criminal conduct is present
• For payment
RCW § 70.02.0500
Form an authorization for disclosure may take (e.g., written, verbal, duration): A patient may authorize a health care provider or facility to disclose the patient’s health care information. The provider or facility must honor an authorization, and if requested, provide a copy of the recorded information. A reasonable fee may be charged for providing the information, and the record is not required to be sent until the fee is paid. The provider must keep either the original or a copy of the information being disclosed. To be valid, a disclosure authorization must:
• Be in writing, dated, and signed by the patient
• Identify the information to be disclosed
• Identify the name of the person to whom the information is to be disclosed
• Identify who is to make the disclosure
• Contain an expiration date or event for that disclosure
A patient may revoke in writing a disclosure authorization at any time. Patients may not maintain an action against the provider for disclosures made in good-faith reliance on an authorization if the provider had no actual notice of the revocation. RCW § 70.02.030
Reporting and remediation requirements in the event of a breach/unlawful exposure: None beyond HIPAA.
Penalties for failure to report an unlawful exposure: A person who has complied with the relevant requirements governing health care information access and disclosure may bring an action for relief against a health care provider or facility who has not complied with relevant requirements within two years after the cause of action is discovered. The court may order the provider or other person to comply with requirements, and may award actual damages. The court must award reasonable attorneys’ fees and all other expenses reasonably incurred to the prevailing party. RCW § 70.02.170
Rules for responding to subpoenas: None beyond HIPAA.

West Virginia (WV)
Definition of protected health information: None beyond HIPAA except for specific areas (e.g. mental health records)
Definition of a covered entity (i.e. who is subject to the disclosure laws): N/A; HIPAA Privacy Rule governs
Additional security obligations (beyond HIPAA) for PHI: N/A; HIPAA Privacy Rule governs
Rules governing business associates: None beyond HIPAA.
What constitutes a breach or unlawful disclosure: None beyond HIPAA.

Wisconsin (WI)
Definition of protected health information: “Protected Health Information” has the meaning given in 45 CFR § 160.103. W.S.A. § 146.816(1)(f)
Definition of a covered entity (i.e. who is subject to the disclosure laws): “Covered entity” has the meaning given in 45 CFR § 160.103. W.S.A. § 146.816(1)(b)
Additional security obligations (beyond HIPAA) for PHI: Confidentiality of patient health care records. W.S.A. § 146.82
Rules governing business associates: ‘Business associate’ has the meaning given in 45 CFR § 160.103. W.S.A. § 146.816(1)(a)
What constitutes a breach or unlawful disclosure: None beyond HIPAA.

Wyoming (WY)
Definition of protected health information: Undefined. “Personal Identifying Information” means: Resident’s name plus:
• Social Security Number;
• driver’s license number;
• medical/health insurance information; or
• other specified information.
Wyo. Stat. Ann. § 40-12-501 (West 2020); Wyo. Stat. Ann. § 6-3-901 (West 2020)
Definition of a covered entity (i.e. who is subject to the disclosure laws): Undefined. This state’s disclosure laws apply to any individual/entity who/that conducts business in-state and maintains Personal Identifying Information. Wyo. Stat. Ann. § 40-12-502 (West 2020)
Additional security obligations (beyond HIPAA) for PHI: None beyond HIPAA.
Rules governing business associates: None beyond HIPAA.
What constitutes a breach or unlawful disclosure: Unauthorized acquisition of data that compromises the confidentiality of Personal Identifying Information or is reasonably believed to cause resident loss. Wyo. Stat. Ann. § 40-12-501 (West 2020)



West Virginia (WV)
Safe harbors or exceptions (e.g., close family, death, etc.): N/A; HIPAA Privacy Rule governs.
Form an authorization for disclosure may take (e.g., written, verbal, duration): Upon written request of a patient or his or her personal representative, as defined by HIPAA. W. Va. Code Ann. § 16-29-1(a)
Reporting and remediation requirements in the event of a breach/unlawful exposure: None beyond HIPAA.
Penalties for failure to report an unlawful exposure: None beyond HIPAA.
Rules for responding to subpoenas: None beyond HIPAA.

Wisconsin (WI)
Safe harbors or exceptions (e.g., close family, death, etc.): Confidentiality of patient health care records. W.S.A. § 146.82
Form an authorization for disclosure may take (e.g., written, verbal, duration): Confidentiality of patient health care records. W.S.A. § 146.82. WI DHS - consent must be informed.
Reporting and remediation requirements in the event of a breach/unlawful exposure: Not specified. See HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414.
Penalties for failure to report an unlawful exposure: HIPAA (45 C.F.R. § 160.404, Amount of a civil money penalty)
Rules for responding to subpoenas: W.S.A. § 805.07 (Subpoena)

Wyoming (WY)
Safe harbors or exceptions (e.g., close family, death, etc.): None beyond HIPAA.
Form an authorization for disclosure may take (e.g., written, verbal, duration): None beyond HIPAA.
Reporting and remediation requirements in the event of a breach/unlawful exposure: Notification of affected person if the information is likely to be misused. Wyo. Stat. Ann. § 40-12-502(a) and (h) (West 2020)
Penalties for failure to report an unlawful exposure: State AG may file a lawsuit to recover damages and/or ensure compliance. Wyo. Stat. Ann. § 40-12-502(f) (West 2020)
Rules for responding to subpoenas: None beyond HIPAA.

“Seyfarth” and “Seyfarth Shaw” refer to Seyfarth Shaw LLP, an Illinois limited liability partnership. Our London office operates as Seyfarth Shaw (UK)
LLP, an affiliate of Seyfarth Shaw LLP. Seyfarth Shaw (UK) LLP is a limited liability partnership established under the laws of the State of Delaware,
USA, and is authorised and regulated by the Solicitors Regulation Authority with registered number 556927. Legal services provided by our Australian
practice are provided by the Australian legal practitioner partners and employees of Seyfarth Shaw Australia, an Australian partnership. Seyfarth Shaw
(賽法思律師事務所) is a separate partnership operating from Hong Kong as a firm of solicitors.

©2021 Seyfarth Shaw LLP. Attorney Advertising.  Prior results do not guarantee a similar outcome. #21-7844 R4 www.seyfarth.com
