State-Based Obligations for Organizations Subject to HIPAA
State
Law
Alabama
- Heightened non-disclosure obligations for PHI related to sexually transmitted diseases requiring written consent by the patient for disclosure – Ala. Code 1975 §22-11A-22
Alaska
- Heightened requirements for PHI disclosure related to:
  - Substance abuse. AK Stat § 47.37.210 (2023)
  - Cancer, birth defect, or infectious disease. AK Stat § 18.05.042 (2024)
  - Genetic testing. AK Stat § 18.13.010 (2024)
  - Mental health. AK Stat § 47.30.845 (2024)
Arizona
- Health professionals must prepare a written protocol for the secure storage, transfer, and access of their patients’ medical records. AZ Rev Stat § 32-3211 (2024)
California
- Heightened obligations and penalties for organizations that improperly disclose PHI CA Civ Code § 56.101 (2024)
- Heightened consent requirements for PHI disclosure CA Civ Code § 56.10 (2024)
Delaware
- Heightened non-disclosure obligations for certain conditions, including substance abuse, cancer, genetic testing, infectious disease, mental health, birth defects, and autism 16 DE Code § 1210 (2024)
Florida
- Health care practitioners must implement PHI safeguards and train employees on them FL Stat § 456.057 (2024)
- Heightened requirements for PHI request record keeping and PHI retention obligations. FL Stat § 501.171 (2024)
Georgia
- 10 year record retention requirement for PHI related to certain treatments GA Code § 31-33-2 (2024)
Iowa
- Prohibitions on disclosure for mental health related PHI IA Code § 228.2 (2018)
Maryland
- Patients must receive requests for PHI within 21 days MD Health – General Code § 4-309 (2024)
Massachusetts
- Greater patient control over PHI in insurance carriers’ hands, allowing patients to restrict providers’ access and prohibiting sensitive information in general insurance billing. MA Gen L ch 176o § 27 (2023)
Mississippi
- Heightened requirements for PHI disclosure related to:
  - Mental Illness, Intellectual Disability, and Birth Defect MS Code § 41-21-205 (2024)
  - Cancer MS Code § 41-91-11 (2024)
  - Contagious and Infectious Disease MS Code § 41-23-1 (2024)
  - Hepatitis B and HIV MS Code § 41-34-7 (2024)
Nebraska
- Patients must be able to view medical records containing PHI within 10 days of request and receive a copy within 21 days. NE Code § 71-8403 (2024)
- Certain required disclosures related to abused or neglected children may not contain PHI NE Code § 81-3126 (2024)
New York
- Heightened HIV/AIDS disclosure requirements NY Pub Health L § 2782 (2024)
- Heightened recording and non-disclosure obligations for mental health services NY Ment Hygiene L § 33.13 (2024)
- Heightened patient control over PHI related to Alcoholism, substance abuse, and chemical dependence NY Ment Hygiene L § 22.05 (2024)
North Carolina
- Immediate breach discovery reporting requirement NC Gen Stat § 75-65 (2023)
Texas
- Hospitals must adopt and implement reasonable safeguards for security of PHI TX Health & Safety Code § 241.155 (2023)
- Patients harmed by improper disclosure may seek injunctive relief or damages TX Health & Safety Code § 241.156 (2024)
- Expands the definition of Covered Entities, prohibits re-identifying data that has been deidentified, and creates additional patient consent requirements for certain types of data TX Health & Safety Code § 181.001 (2024)
Vermont
- Expands patient’s privacy protections 18 VT Stats § 7103
- Patient’s Bill of Rights creates additional privileged conversations involving PHI 18 VT Stats § 1852
Washington
- Expands security obligations in medication record systems WAC 246-875-070 Confidentiality and security of data
The information contained on this page is for informational purposes only.
It does not, and is not intended to, constitute legal advice.