State privacy laws

State privacy laws are often overlooked in discussions. More importantly, they can be overlooked in practice too. If your state has privacy laws (or breach notification laws), you are responsible for understanding how those requirements apply to your information just as much as the HIPAA privacy rules. In other episodes we have mentioned that some states have different rules. Now we finally have a chance to look more specifically at the state privacy laws out there and how much they may impact your business.

HIPAA For MSPs by David Sims: State privacy laws vs HIPAA, who wins?


In this episode:

  • HIPAA Boot Camp
  • Speaking Events
  • Hilton Head
  • Boot Camp

In March, New Mexico passed a new data breach notification law. Once it is signed, only two states, Alabama and South Dakota, will not have their own notification rules. What do all these state laws mean when you are also required to do HIPAA breach notifications?

Most of them say that if you are already subject to GLBA or HIPAA, the state notification law does not apply to you (or that complying with HIPAA counts as compliance with the state law). But it is always best to be sure you know exactly what your own state requires.

HIPAA preempts a contrary state law only when the state law is less stringent; a state law that is more stringent (more protective of the patient) than HIPAA stands, so in practice the stricter rule wins. Many states are now enacting exactly that kind of stronger legislation.

California and Texas have developed some pretty extensive requirements that apply to CEs and BAs in their states. Massachusetts has also added its own twist beyond HIPAA.

State Privacy Laws and Breach Notifications

  • include specific requirements for who is a covered entity under the law
    • e.g., must have more than 10 employees
  • include what data is covered
    • CA: first name or first initial and last name, in combination with one or more of: Social Security number; driver’s license or state identification card number; financial account, credit or debit card number, together with any required security or access code or password permitting access to a resident’s financial account; medical or health insurance information; or information collected by an automated license plate recognition system. A user name or email address, in combination with a password or security question answer that would permit access to an online account, is covered on its own.
  • include their own definition of what is considered a breach
  • may apply only to electronic records and not to paper
  • set different notification time frames
    • some just say “without unreasonable delay”
  • some require credit protection for all breach victims
  • some require notification to state agencies as well as HHS
    • CA: If more than 500 state residents are notified as the result of a single breach, you must also electronically submit a sample copy of the notification to the California Attorney General.
  • some set different harm thresholds
    • AK: Notification is not required if, after an appropriate investigation and after written notification to the Alaska Attorney General, the covered entity determines that there is not a reasonable likelihood that harm to the consumer has resulted or will result from the breach.
  • different safe harbor allowances for encrypted data and devices
  • some allow civil penalties to apply

  • some exempt HIPAA CEs and BAs from the state law entirely
    • GA: Doesn’t apply to HIPAA CEs and BAs
    • SC:

See: Comparison of US State and Federal Security Breach Notification Laws

Patient rights to access records

Some states also have stronger versions of the right to access your medical records.

  • CA: Physicians and hospitals must permit inspection of a medical record within 5 working days of the request, and must ensure that a copy of the record is transmitted to the patient within 15 days of the request.
  • CO: Hospitals must provide discharged patients copies of their medical records within 10 days of the request; current inpatients must be given the opportunity to inspect their records within 24 hours of the request under the hospital regulations. C.R.S.A. § 25-1-802: physicians must provide copies of patient medical records within a reasonable time, or 30 days as further defined by the CO Board of Medical Examiners.
  • HI: A provider must furnish a copy of a patient’s medical record upon request. A provider who fails to give a patient access must, upon the patient’s written authorization directing that the copy go to the patient’s attorney, turn over a copy of the record within 10 days of the authorization.
  • LA: A health care provider must furnish a copy of a medical record within 15 days of a patient’s request. La. R.S. 40:2144: hospitals must provide medical record access “as soon as practicable” and upon payment of reasonable copying fees; La. Admin. Code tit. 48, pt. I, § 9387 defines “as soon as practicable” as within 15 days of the patient’s request and payment of copying fees.
  • NV: Health care providers must permit a patient to examine his or her health care records within 5 working days of receiving a request, unless the records are located outside Nevada, in which case within 10 working days. Copies of such records must be made available upon request.
  • TX: A hospital must make a patient’s recorded health care information available to the patient no later than 15 business days after receiving a written authorization. A physician must provide a copy or a summary of a patient’s medical and/or billing records within 15 business days after receiving a written release for the information. A provider using an electronic health records system must provide a person’s record in electronic form, if the system is capable of doing so, within 15 business days after receiving a written request, unless the person agrees to accept the record in a different form.
  • VA: Health care entities must disclose a patient’s health care records to the patient in accordance with a written request for disclosure, and must furnish copies of or allow access to those records in an electronic format within 15 days of receiving the written request. Va. Code Ann. § 54.1-2403.3: health care practitioners must release copies of a patient’s medical records in compliance with the requirements applicable to health care entities (see also 18 Va. Admin. Code § 85-20-26). The laws do not specify a time period for access to records in hard copy (e.g., paper) format.
  • WA: Health care providers must permit a patient to examine or copy his or her recorded health care information no later than 15 days after receiving a written request.
  • WY: Wyo. Stat. Ann. § 35-2-611: a hospital must make a patient’s recorded health care information available for examination and/or provide a copy of it to the patient no later than 10 days after receiving a written request. Wyo. Admin. & Info. Code R. Board of Medicine, ch. 3 § 4: a physician must make information in a patient’s medical records readily available, or provide a copy or summary of such records, no later than 30 days after receiving a signed, written release (see also Wyo. Stat. Ann. § 33-26-402).

Other state law topics

Retention of records

  • Medical record retention periods range from shorter than HIPAA’s 6-year documentation retention requirement to far longer. (HIPAA itself sets no retention period for the medical records; its 6-year rule applies to compliance documentation such as policies, authorizations and notices.)
    • MS: Hospitals must retain medical records for 7 years for patients discharged at death, 10 years for adult patients discharged otherwise, 7 years after a minor patient reaches 18, or 7 years after the period that a patient is under a known disability, but not to exceed 28 years. X-ray films and any other graphic data must be retained for 4 years.
      • MISS. CODE ANN. § 41-9-73: Hospitals may retain, preserve, and store medical records for longer than the retention period established in Mississippi Code § 41-9-69 at their discretion or as may be required by any court.
      • MISS. CODE ANN. § 41-9-71: Hospitals may discard medical records earlier than the retention period established in Mississippi Code § 41-9-69 upon the written consent of the patient involved.
    • MO: Hospitals must retain medical records for 10 years, but physicians must retain patient records for only 7 years.

Release of mental health records with a court order

  • SC: Confidential information may be disclosed pursuant to a court order, provided that the court determines that the disclosure is necessary for a proceeding before it and that failure to disclose the information contravenes the public interest.
  • TX: Confidential information may be disclosed in a proceeding brought by a patient or the patient’s representative:
    • in an action against the mental health professional*, such as a malpractice action;
    • in a license revocation proceeding, if the patient consents in writing to the disclosure;
    • in a claim to recover payment for services delivered, as otherwise required by law;
    • in a proceeding regarding a parent-child relationship; or
    • in the context of an involuntary commitment.
    • A court may order disclosure but limit it to the extent necessary to protect the patient.

Amy from Atlanta has a pertinent question

We have a shredding company that comes on-site and picks up our bins of shredding and replaces the bins in our office with new, empty bins. The bins are locked. The full bins are loaded on their truck and taken to their facilities for shredding.

We have a BAA with them and they have completed our BA Due Diligence (and have for several years). Do we need to consider getting a shredding company that shreds on-site? I have listened to the podcast about the company that had shredding in their truck and got in an accident. The paper records were all over the highway.

Donna and David say:
That story about the paper all over the street is certainly a scary one. The best advice for this is just like any other potential security threat. You do a risk analysis of the situation.

Ask your vendor if they are aware of the issue and what they may have done to address it with training or anything else. I would hope they know about it, since it is directly connected to their industry and it has happened more than once in the news. How seriously did they take the threat?

Once you have that discussion, you should have a pretty good idea how comfortable you can be with their ability to address your risk.

The same things apply to all of your BAs.

All this variety is causing issues

In December 2016, the National Governors Association released a roadmap suggesting that states align their privacy laws more closely with HIPAA to improve health data sharing across state lines.

As state privacy law debates continue across the country we have to wait and see where each state ends up.

More info

State privacy laws are certainly becoming a bigger issue as they proliferate and become more complex. One thing is certain: HIPAA privacy rules aren’t going to be relaxed to match state privacy laws. That can’t happen unless several states REDUCE their laws to match HIPAA requirements, and there are too many states with privacy laws more stringent than HIPAA these days. It is much more likely that HIPAA will have to align with a compromise across the states. No matter what happens later, today you have to make sure you stay abreast of your own state laws. That applies to all businesses, not just HIPAA CEs and BAs.