HIPAA & Medical Privacy by State (2026)
About this article
Sourced from primary statutes (U.S. Code, CFR, state compiled statutes) and official government agency guidance. Written in plain language for general understanding — this is educational content, not legal advice. Our editorial standards
Compare by state
Statute citations are verified per state. Select a state to jump to its full section below.
| Primary statute | |
|---|---|
| Alabama | Ala. Code § 22-11A-22 — HIV/AIDS Record Confidentiality |
| Alaska | Alaska Health Care Information — Alaska Stat. § 18.23 |
| Arizona | A.R.S. § 36-509 — Arizona mental health records confidentiality (consent or court order required) |
| Arkansas | Arkansas Medical Records Retention, Ark. Code § 20-9-602 |
| California | California Civil Code § 56 — Confidentiality of Medical Information Act (CMIA) |
| Colorado | C.R.S. § 27-65-101 et seq. — mental health record confidentiality |
| Connecticut | CGS § 20-7c — Patient access to medical records |
| Delaware | Delaware Health Information Privacy Act, 16 Del. C. § 1201 et seq. |
| District of Columbia | D.C. Mental Health Information Act, D.C. Code § 7-1201.01 et seq. |
| Florida | Florida Medical Records Ownership and Confidentiality, Fla. Stat. § 456.057 |
| Hawaii | Hawaii Prepaid Health Care Act — HRS § 393 |
| Idaho | Idaho Code § 39-609 — HIV/AIDS test result confidentiality |
| Illinois | 740 ILCS 110 — Mental Health and Developmental Disabilities Confidentiality Act |
| Indiana | Indiana Code § 16-39 — Indiana Health Records Act (patient access and confidentiality) |
| Iowa | Iowa Code § 228 — Mental Health Records Confidentiality |
| Kansas | K.S.A. § 65-4971 — Medical Records |
| Kentucky | KRS § 214.625 — HIV/AIDS Confidentiality |
| Louisiana | Louisiana Medical Records Privacy Act, La. R.S. § 40:1165.1 et seq. |
| Maine | 34-B M.R.S.A. § 1207 — mental health record confidentiality |
| Maryland | Maryland Confidentiality of Medical Records Act, MD Code, Health-General § 4-301 et seq. |
| Massachusetts | MGL c. 111, § 70E — Massachusetts Patients' Bill of Rights (health privacy) |
| Michigan | Michigan Mental Health Code, MCL § 330.1748 — mental health record confidentiality |
| Minnesota | Minn. Stat. § 144.291 — Minnesota Health Records Act |
| Mississippi | Miss. Code Ann. § 41-9-1 et seq. — Mississippi medical records access |
| Missouri | Missouri Mental Health Records Confidentiality, RSMo § 630.140 |
| Montana | Montana Constitution Art. II, § 10 — explicit right to individual privacy |
| Nebraska | Neb. Rev. Stat. § 71-8401 — Health Information Technology Act |
| Nevada | NRS 629 — Medical Records |
| New Hampshire | RSA 329:26 — NH patient medical records access |
| New Jersey | NJ Genetic Privacy Act, N.J.S.A. 10:5-43 |
| New Mexico | NMSA § 14-6-1 — New Mexico Inspection of Public Records Act |
| New York | NY Public Health Law § 18 — patient access to medical records |
| North Carolina | N.C. Gen. Stat. § 122C-52 et seq. — Mental health records confidentiality |
| North Dakota | N.D. Cent. Code § 23-12 — Health Records |
| Oklahoma | Oklahoma HIV Confidentiality, 63 Okl. St. § 1-502.2 |
| Oregon | Oregon Genetic Privacy Act — ORS § 192.531 et seq. |
| Pennsylvania | Pennsylvania Mental Health Procedures Act — confidentiality, 50 P.S. § 7111 |
| Rhode Island | R.I. Gen. Laws § 5-37.3 — Confidentiality of Health Care Communications and Information Act |
| South Carolina | S.C. Code § 44-29-135 — HIV/AIDS Record Confidentiality |
| South Dakota | HIPAA, 42 U.S.C. § 1320d et seq. |
| Tennessee | TCA § 33-3-103 — Mental Health Record Confidentiality |
| Texas | Texas Medical Records Privacy Act, Tex. Health & Safety Code Ch. 181 |
| Utah | Utah Consumer Privacy Act — Utah Code § 13-61 |
| Vermont | 18 V.S.A. § 1881 — Vermont health record access and privacy |
| Virginia | Virginia Health Records Privacy, Va. Code § 32.1-127.1:03 |
| Washington | Washington Uniform Health Care Information Act, RCW 70.02 |
| West Virginia | W. Va. Code § 27-3-1 — Mental health records confidentiality |
| Wisconsin | Wis. Stat. § 51.30 — Mental Health Treatment Records Confidentiality |
| Wyoming | HIPAA Privacy Rule, 42 U.S.C. § 1320d et seq. |
What is this right?
HIPAA — passed in 1996 — was originally about insurance portability when changing jobs. The medical privacy rules everyone associates with the name came in the Privacy Rule, finalized in 2003 after years of HHS rulemaking. The basic deal: your doctor, hospital, insurer, and pharmacy cannot share your medical records, diagnoses, or test results with your employer, family, or anyone else without your written permission. You have the right to see your own records and to request corrections, with the provider required to respond within 30 days.
Narrow exceptions let providers share information for treatment, payment, and healthcare operations — your doctor can send records to a specialist who is treating you without a signed release. Outside those exceptions, unauthorized disclosures can be reported to the HHS Office for Civil Rights. Penalties scale up to $1.5 million per violation category per year for willful neglect, and the OCR has used them — Anthem paid $16 million in 2018 over a single breach.
When does it apply?
HIPAA applies when:
- A doctor, hospital, clinic, pharmacy, or health plan has your medical information.
- You want to see or get a copy of your records.
- You believe your information was shared without permission.
- You want to correct an error in your records.
- A provider or insurer asks you to sign a Notice of Privacy Practices.
Three myths:
- "HIPAA covers all my health info everywhere." No. HIPAA reaches covered entities and their business associates — and that is it. Your employer, your school, fitness apps, genetic testing companies (23andMe), and social media posts are all outside the law's reach.
- "My doctor can never share without my permission." Treatment, payment, and healthcare operations are explicit exceptions. Your doctor can talk to your specialist without a signed release. Public health reporting (certain diseases, gunshot wounds) is also generally required by state law.
- "My employer can read my medical records." Generally no — your employer is not a covered entity. The exception: if your employer runs a self-insured health plan, the plan itself has HIPAA obligations, but it should be walled off from HR decision-making.
What to Do If Your Medical Information Was Shared Without Permission
Step 1: Request your records in writing. Under 45 C.F.R. § 164.524, the provider has 30 days to respond, with one 30-day extension allowed if they give you a written reason. Most providers now offer patient portals that meet the requirement.
Step 2: Found an error? Request an amendment. 45 C.F.R. § 164.526 — the provider has 60 days. If they refuse, they must explain why, and you have the right to add a statement of disagreement to the file that travels with the record going forward.
Step 3: Read the Notice of Privacy Practices. It tells you exactly how the provider will use and share your information. You have the right to ask for additional restrictions, though the provider is not always required to agree.
Step 4: File complaints with HHS OCR within 180 days. Online at hhs.gov/hipaa/filing-a-complaint or by phone at 1-800-368-1019. The 180-day deadline runs from when you discovered the violation, with limited extensions for good cause.
Step 5: Self-pay rights. Under 45 C.F.R. § 164.522(a), if you pay for a service in full out of pocket, you can require the provider not to share information about that specific visit with your health insurer. Useful for sensitive care you want to keep off your insurance record.
What should you NOT do?
Don't assume HIPAA covers everything called "health." Health apps, wearables, genetic testing services, and most online symptom tools sit outside HIPAA. The data you share with them is governed by the company's privacy policy and your state's consumer privacy law (if any).
Don't toss the Notice of Privacy Practices. It is not legal noise — it tells you exactly what the provider will do with your data and what rights you can exercise.
Don't sign blanket authorizations without reading. A "share with anyone you deem appropriate, for any reason, indefinitely" form is not the same as a targeted release. You can limit scope, recipients, and duration, and you can revoke any authorization in writing at any time.
Don't miss the 180-day complaint window. HHS OCR can extend it for cause, but the default is hard. File as soon as you know about the violation.
Worked example
ScenarioYou ask your doctor's office for a complete copy of your medical records, but weeks pass with no response.
OutcomeUnder HIPAA, a provider must act on your access request within 30 calendar days (with one possible 30-day extension if they notify you in writing of the reason). If they don't, you can file a complaint with the HHS Office for Civil Rights — there's no fee.
Verified against the HIPAA Privacy Rule — the 30-day access requirement (45 C.F.R. §164.524). Some states set shorter timelines or extra protections; see your state's section. Educational information, not legal or medical advice.
You shouldn't have to hire a lawyer to assert your rights.
Answer a few questions. We generate a personalized letter citing your state's exact statutes, deadlines, and penalties — ready to print and send in minutes.
Lawyers charge $350+. Your letter: $19.
See all 6 letter types →Common Questions
Do I have a right to my own medical records?
Yes. HIPAA gives you the right to inspect and get a copy of your health information held by providers and health plans — including medical, billing, and claims records. They must respond within 30 days and can charge only a reasonable, cost-based fee for copies.
How long does a provider have to give me my records?
Generally 30 calendar days from your request. They can take one additional 30-day extension only if they notify you in writing of the reason and the new date. Many states require faster turnaround — check your state's section above.
Can my health information be shared without my permission?
HIPAA allows sharing for treatment, payment, and health-care operations, but most other disclosures — especially marketing or selling your data — require your written authorization. You can also ask for restrictions and an accounting of certain disclosures.
What can I do if my medical privacy was violated?
You can file a complaint with the HHS Office for Civil Rights, generally within 180 days of learning of the violation; it's free. HIPAA itself has no private lawsuit, but some state laws let you sue. See your state's section above.
Do state laws add to HIPAA?
Often, yes. Many states have stricter rules for sensitive records — mental-health, HIV, genetic, or substance-use information — and some give you a private right to sue. Where state law is more protective, it applies on top of HIPAA. Check your state's section above.
State-by-state details
Alabama
Primary statute: Ala. Code § 22-11A-22 — HIV/AIDS Record Confidentiality
Alabama relies primarily on federal HIPAA with limited additional state protections:
- HIPAA applies to covered entities in Alabama
- Alabama has confidentiality protections for HIV/AIDS records (Ala. Code § 22-11A-22)
- Mental health records have protections under Alabama law
- Patients have a right to access their records within 30 days under HIPAA
Alaska
Primary statute: Alaska Health Care Information — Alaska Stat. § 18.23
Alaska follows federal HIPAA regulations with additional state privacy protections:
- HIPAA applies to all covered entities in Alaska
- You have the right to access, inspect, and obtain copies of your medical records
- Providers must respond to records requests within 30 days (with a possible 30-day extension)
- Alaska Stat. § 18.23 provides additional confidentiality protections for health care information
- Alaska's strong constitutional right to privacy (Art. I, § 22) may provide additional protections for health information
Arizona
Primary statute: A.R.S. § 36-509 — Arizona mental health records confidentiality (consent or court order required)
Arizona supplements federal HIPAA with state-specific health privacy protections:
- HIPAA applies to covered entities operating in Arizona
- Arizona has specific protections for mental health records under A.R.S. § 36-509 — disclosure of mental health records generally requires patient consent or a court order
- Arizona law provides confidentiality protections for HIV/AIDS test results under A.R.S. § 36-664
- Arizona's medical records access law (A.R.S. § 12-2293) gives patients the right to obtain copies of their medical records
- Healthcare providers must provide records within a reasonable time and may charge a reasonable fee for copies
- Arizona protects the confidentiality of substance abuse treatment records consistent with federal 42 C.F.R. Part 2
Arkansas
Primary statute: Arkansas Medical Records Retention, Ark. Code § 20-9-602
Arkansas follows federal HIPAA regulations:
- HIPAA applies to all covered entities in Arkansas
- You have the right to access, inspect, and obtain copies of your medical records
- Providers must respond to records requests within 30 days (with a possible 30-day extension)
- Arkansas law provides additional protections for mental health records under the Mental Health Services Act
- Medical records must be retained for a minimum of 10 years under Arkansas regulations
California
Primary statute: California Civil Code § 56 — Confidentiality of Medical Information Act (CMIA)
Full California guide →Colorado
Primary statute: C.R.S. § 27-65-101 et seq. — mental health record confidentiality
Colorado supplements federal HIPAA with comprehensive state health privacy protections, including the Colorado Privacy Act:
- HIPAA applies to covered entities operating in Colorado
- Colorado has additional protections for mental health records under CRS § 27-65-101 et seq. (mental health confidentiality)
- CO law provides specific confidentiality protections for HIV/AIDS test results (CRS § 25-4-1404) and substance abuse treatment records
- The Colorado Privacy Act (CRS § 6-1-1301 et seq., effective July 2023) provides broad consumer data privacy rights including health data
- Patients have a right to access their medical records — providers must respond within 30 days
- Colorado's data breach notification law (CRS § 6-1-716) requires notification within 30 days when health data is compromised — one of the shortest notification deadlines in the country
- Colorado has specific genetic information privacy protections (CRS § 10-3-1104.7)
Connecticut
Primary statute: CGS § 20-7c — Patient access to medical records
Connecticut follows federal HIPAA with strong additional state privacy protections:
- HIPAA applies to all covered entities in Connecticut
- You have the right to access, inspect, and obtain copies of your medical records
- Providers must respond to records requests within 30 days
- Connecticut law provides additional protections for HIV/AIDS records, mental health records, and genetic information
- Connecticut enacted a comprehensive data privacy law (CTDPA) that provides additional health data protections effective 2023
Delaware
Primary statute: Delaware Health Information Privacy Act, 16 Del. C. § 1201 et seq.
Delaware follows federal HIPAA regulations with some additional state protections:
- HIPAA applies to all covered entities in Delaware
- You have the right to access, inspect, and obtain copies of your medical records
- Providers must respond to records requests within 30 days
- Delaware's Health Information Privacy Act (Del. Code tit. 16, § 1201 et seq.) provides additional protections for genetic information and HIV/AIDS records
- Delaware enacted a Personal Data Privacy Act effective 2025 with additional health data protections
District of Columbia
Primary statute: D.C. Mental Health Information Act, D.C. Code § 7-1201.01 et seq.
Full District of Columbia guide →Florida
Primary statute: Florida Medical Records Ownership and Confidentiality, Fla. Stat. § 456.057
Florida has state-level health privacy laws that supplement HIPAA:
- Florida Constitution Art. I, § 23: Florida is one of the few states with an explicit constitutional right to privacy. This has been applied to protect medical information.
- Fla. Stat. § 456.057: Governs the ownership, custody, and disclosure of patient medical records. Patients have the right to access their records, and providers must maintain confidentiality.
- Mental health records: The Baker Act (Fla. Stat. § 394.4615) provides additional confidentiality protections for mental health records created during involuntary examination or treatment.
- HIV/AIDS confidentiality (Fla. Stat. § 381.004(3)): Provides specific confidentiality protections for HIV test results, requiring written informed consent before disclosure.
Hawaii
Primary statute: Hawaii Prepaid Health Care Act — HRS § 393
Hawaii follows federal HIPAA regulations and has a unique employer healthcare mandate:
- HIPAA applies to all covered entities in Hawaii
- You have the right to access and obtain copies of your medical records
- Providers must respond to records requests within 30 days
- Hawaii's Prepaid Health Care Act (1974) requires employers to provide health insurance to employees working 20+ hours per week — the only state with such a mandate (predating the ACA)
- This means most Hawaii workers have employer-provided insurance, giving them greater access to healthcare and related privacy protections
- Hawaii has additional protections for HIV/AIDS-related health information (HRS § 325-101)
Idaho
Primary statute: Idaho Code § 39-609 — HIV/AIDS test result confidentiality
Idaho follows federal HIPAA regulations for health information privacy:
- HIPAA applies to all covered entities in Idaho
- You have the right to access and obtain copies of your medical records
- Providers must respond to records requests within 30 days
- Idaho does not have extensive additional state health privacy laws beyond HIPAA
- Mental health records and substance abuse treatment records receive additional federal protections (42 CFR Part 2)
- Idaho law protects the confidentiality of HIV/AIDS test results (Idaho Code § 39-609)
Illinois
Primary statute: 740 ILCS 110 — Mental Health and Developmental Disabilities Confidentiality Act
Illinois has additional health privacy protections beyond federal HIPAA:
- Mental Health and Developmental Disabilities Confidentiality Act (740 ILCS 110): Provides heightened confidentiality protections for mental health records. Requires specific written consent for disclosure, with very narrow exceptions.
- Genetic Information Privacy Act (410 ILCS 513): Prohibits genetic discrimination in employment and insurance and provides strong confidentiality protections for genetic test results.
- AIDS Confidentiality Act (410 ILCS 305): Provides extra confidentiality protections for HIV/AIDS-related information, requiring specific written consent for disclosure.
- BIPA implications: The Biometric Information Privacy Act (740 ILCS 14) can apply to healthcare settings that collect biometric data (fingerprints, facial scans), providing an additional layer of privacy protection.
Indiana
Primary statute: Indiana Code § 16-39 — Indiana Health Records Act (patient access and confidentiality)
Indiana supplements federal HIPAA with state health privacy protections:
- HIPAA applies to covered entities operating in Indiana
- Indiana has additional protections for mental health records under IC § 16-39-2 et seq. (confidentiality of health records)
- IN law provides specific confidentiality protections for HIV test results (IC § 16-41-6)
- Indiana's Health Records Act (IC § 16-39) governs patient access to and confidentiality of medical records
- Patients have a right to access their medical records — providers must respond within 30 days
- Indiana law limits charges for medical record copies
- Indiana's data breach notification law (IC § 24-4.9) requires notification when health data is compromised
Iowa
Primary statute: Iowa Code § 228 — Mental Health Records Confidentiality
Iowa follows federal HIPAA regulations with some additional state protections:
- HIPAA applies to all covered entities in Iowa
- You have the right to access, inspect, and obtain copies of your medical records
- Providers must respond to records requests within 30 days
- Iowa has specific protections for mental health records (Iowa Code § 228) and substance abuse records
- Iowa requires that patients be notified of their privacy rights upon receiving health care services
Kansas
Primary statute: K.S.A. § 65-4971 — Medical Records
Kansas follows federal HIPAA regulations:
- HIPAA applies to all covered entities in Kansas
- You have the right to access, inspect, and obtain copies of your medical records
- Providers must respond to records requests within 30 days
- Kansas law provides additional protections for mental health records and substance abuse treatment records
- Medical records must be retained for a minimum of 10 years under Kansas regulations
Kentucky
Primary statute: KRS § 214.625 — HIV/AIDS Confidentiality
Kentucky supplements HIPAA with state health privacy protections:
- HIPAA applies to covered entities in Kentucky
- Kentucky has confidentiality protections for HIV/AIDS records (KRS § 214.625)
- Mental health records have protections under KRS Chapter 210
- Patients have a right to access records within 30 days under HIPAA
Louisiana
Primary statute: Louisiana Medical Records Privacy Act, La. R.S. § 40:1165.1 et seq.
Louisiana supplements HIPAA with state health privacy protections:
- HIPAA applies to covered entities in Louisiana
- Louisiana has a Medical Records Privacy Act (La. R.S. § 40:1165.1 et seq.) with additional patient protections
- HIV/AIDS records have heightened confidentiality under La. R.S. § 40:1099
- Mental health records have additional protections under the Mental Health Law
Maine
Primary statute: 34-B M.R.S.A. § 1207 — mental health record confidentiality
Maine follows federal HIPAA regulations with additional state protections:
- HIPAA applies to all covered entities in Maine
- You have the right to access and obtain copies of your medical records
- Providers must respond to records requests within 30 days
- Maine provides additional protections through MaineCare (Maine Medicaid) for enrolled individuals
- Maine has strong mental health confidentiality protections (34-B M.R.S.A. § 1207)
- Maine law protects the confidentiality of HIV/AIDS test results and genetic information
Maryland
Primary statute: Maryland Confidentiality of Medical Records Act, MD Code, Health-General § 4-301 et seq.
Maryland supplements federal HIPAA with comprehensive state health privacy protections:
- HIPAA applies to covered entities operating in Maryland
- The Maryland Confidentiality of Medical Records Act (MD Code, Health-General § 4-301 et seq.) provides additional protections beyond HIPAA
- MD law provides specific confidentiality protections for mental health records, HIV/AIDS test results, and substance abuse treatment records
- Patients have a right to access their medical records — providers must respond within 21 working days (stricter than HIPAA's 30 days)
- MD law limits the fees that providers can charge for medical record copies
- Maryland's data breach notification law (MD Code, Commercial Law § 14-3501 et seq.) requires notification when health data is compromised
- MD has specific protections for genetic information under the MD Genetic Information Nondiscrimination Act
Massachusetts
Primary statute: MGL c. 111, § 70E — Massachusetts Patients' Bill of Rights (health privacy)
Massachusetts supplements federal HIPAA with strong state health privacy protections:
- HIPAA applies to covered entities operating in Massachusetts
- MA has additional protections under MGL c. 111, § 70E (Patients' Bill of Rights) granting patients the right to confidential treatment of medical records
- MA law provides specific confidentiality protections for mental health records (MGL c. 123, § 36), HIV/AIDS status, and substance abuse treatment records
- Patients have a right to access and copy their medical records — providers must respond within 30 days
- MA law limits the cost of medical record copies
- MA has a comprehensive data breach notification law (MGL c. 93H) requiring notification when health data is compromised
- Insurance companies must comply with both HIPAA and MA-specific privacy requirements
Michigan
Primary statute: Michigan Mental Health Code, MCL § 330.1748 — mental health record confidentiality
Michigan supplements federal HIPAA with state health privacy protections:
- HIPAA applies to covered entities operating in Michigan
- Michigan has specific protections for mental health records under the Mental Health Code (MCL § 330.1748 et seq.) — these records have heightened confidentiality requirements
- HIV/AIDS test results have special protections under Michigan law (MCL § 333.5131)
- Substance abuse treatment records are protected under both federal 42 C.F.R. Part 2 and state law
- Patients have a right to access their medical records; providers must respond within 30 days
- Michigan allows patients to designate a personal representative for healthcare decisions and records access
Minnesota
Primary statute: Minn. Stat. § 144.291 — Minnesota Health Records Act
Minnesota has some of the strongest health privacy protections in the nation under the Minnesota Health Records Act:
- The Minnesota Health Records Act (Minn. Stat. § 144.291 et seq.) provides protections beyond federal HIPAA
- Patients must provide specific written consent before health records can be released (stricter than HIPAA's general authorization)
- Mental health records have heightened protections under Minn. Stat. § 148B
- Patients have a right to access their records within 30 days
- Minnesota law provides a private right of action for health privacy violations (unlike HIPAA which has no private right of action)
Mississippi
Primary statute: Miss. Code Ann. § 41-9-1 et seq. — Mississippi medical records access
Mississippi follows federal HIPAA regulations:
- HIPAA applies to all covered entities in Mississippi
- You have the right to access, inspect, and obtain copies of your medical records
- Providers must respond to records requests within 30 days
- Mississippi does not have comprehensive additional state health privacy laws beyond HIPAA
- Medical records must be retained by providers under professional licensing requirements
Missouri
Primary statute: Missouri Mental Health Records Confidentiality, RSMo § 630.140
Missouri supplements federal HIPAA with state health privacy protections:
- HIPAA applies to covered entities operating in Missouri
- Missouri has additional protections for mental health records under RSMo § 630.140 (mental health records confidentiality)
- MO law provides specific confidentiality protections for HIV/AIDS test results (RSMo § 191.656)
- Substance abuse treatment records have additional protections under both state and federal law
- Patients have a right to access their medical records under both HIPAA and MO law
- Missouri law requires healthcare providers to release records within a reasonable time
- Missouri's data breach notification law (RSMo § 407.1500) requires notification when health data is compromised
Montana
Primary statute: Montana Constitution Art. II, § 10 — explicit right to individual privacy
Montana follows federal HIPAA regulations and has uniquely strong constitutional privacy protections:
- HIPAA applies to all covered entities in Montana
- You have the right to access and obtain copies of your medical records
- Providers must respond to records requests within 30 days
- Montana's constitutional right to individual privacy (Art. II, § 10) provides additional protections for health information beyond HIPAA
- Montana courts have interpreted this privacy right broadly to cover medical records and health data
- Montana law provides additional confidentiality protections for mental health records and substance abuse treatment
Nebraska
Primary statute: Neb. Rev. Stat. § 71-8401 — Health Information Technology Act
Nebraska follows federal HIPAA regulations with some additional state protections:
- HIPAA applies to all covered entities (healthcare providers, insurers, clearinghouses) in Nebraska
- You have the right to access, inspect, and obtain copies of your medical records
- Providers must respond to records requests within 30 days (with a possible 30-day extension)
- Nebraska law provides additional protections for mental health records and substance abuse treatment records
- The Nebraska Health Information Technology Act promotes secure electronic health information exchange
Nevada
Primary statute: NRS 629 — Medical Records
Nevada follows federal HIPAA with strong additional state privacy protections:
- HIPAA applies to all covered entities in Nevada
- You have the right to access, inspect, and obtain copies of your medical records
- Providers must respond to records requests within 30 days
- Nevada has enacted comprehensive health data privacy laws — SB 370 (2019) requires data brokers to comply with consumer opt-out requests
- Nevada provides additional protections for genetic information and HIV/AIDS records
New Hampshire
Primary statute: RSA 329:26 — NH patient medical records access
New Hampshire follows federal HIPAA regulations with additional state protections:
- HIPAA applies to all covered entities in New Hampshire
- You have the right to access and obtain copies of your medical records
- Providers must respond to records requests within 30 days
- New Hampshire has additional insurance protections — the NH Insurance Department regulates health insurance practices
- NH law provides additional confidentiality protections for mental health treatment records and HIV/AIDS information
- New Hampshire Medicaid (NH Healthy Families) provides additional privacy protections for enrolled individuals
New Jersey
Primary statute: NJ Genetic Privacy Act, N.J.S.A. 10:5-43
New Jersey provides additional health privacy protections beyond federal HIPAA:
- NJ Patient's Bill of Rights (N.J.A.C. 8:43G-4.1): Guarantees patients the right to privacy and confidentiality of all medical records and communications. Applies to all licensed healthcare facilities in New Jersey.
- NJ Genetic Privacy Act (N.J.S.A. 10:5-43 to -49): Prohibits genetic information from being used for employment or insurance discrimination. Genetic test results have extra confidentiality protections beyond what HIPAA provides.
- NJ Identity Theft Prevention Act (N.J.S.A. 56:11-44): Requires notification of data breaches involving personal health information within a specific timeframe. Broader coverage than HIPAA's breach notification rule.
- Mental health and substance abuse records: NJ has strong state-level protections for mental health records under N.J.S.A. 30:4-24.3 and aligns with federal 42 C.F.R. Part 2 protections for substance abuse treatment records.
New Mexico
Primary statute: NMSA § 14-6-1 — New Mexico Inspection of Public Records Act
New Mexico follows federal HIPAA regulations with some additional state protections:
- HIPAA applies to all covered entities in New Mexico
- You have the right to access, inspect, and obtain copies of your medical records
- Providers must respond to records requests within 30 days
- New Mexico has additional protections for behavioral health records and substance abuse treatment records
- The Indian Health Service (significant in NM) follows both HIPAA and additional federal tribal health privacy rules
New York
Primary statute: NY Public Health Law § 18 — patient access to medical records
New York provides additional health privacy protections through several state laws:
- NY Public Health Law § 18: Gives patients the right to access their medical records within 10 days of a written request (faster than HIPAA's 30-day window). Providers can charge no more than $0.75 per page.
- NY SHIELD Act (General Business Law § 899-aa): Expands data breach notification requirements to include health information. Healthcare entities must notify patients of breaches involving their health data, with stricter requirements than HIPAA's breach notification rule.
- NY Mental Hygiene Law § 33.13: Provides extra confidentiality protections for mental health records. Mental health information has stricter disclosure rules than general medical records, requiring specific authorization for release.
- HIV/AIDS confidentiality: NY Public Health Law Article 27-F provides exceptionally strong protections for HIV-related information, requiring specific written consent for disclosure separate from general medical record authorizations.
North Carolina
Primary statute: N.C. Gen. Stat. § 122C-52 et seq. — Mental health records confidentiality
North Carolina supplements federal HIPAA with state health privacy protections:
- HIPAA applies to covered entities (healthcare providers, insurers, clearinghouses) operating in NC
- NC has additional confidentiality protections for mental health records under N.C. Gen. Stat. § 122C-52 et seq.
- NC law provides specific protections for HIV/AIDS test results and substance abuse records
- Patients have a right to access their medical records under both HIPAA and NC law
- Healthcare providers must respond to records requests within 30 days under HIPAA
- NC law restricts disclosure of minors' health information related to certain treatments (mental health, substance abuse, STIs)
North Dakota
Primary statute: N.D. Cent. Code § 23-12 — Health Records
North Dakota follows federal HIPAA regulations with some additional state protections:
- HIPAA applies to all covered entities in North Dakota
- You have the right to access, inspect, and obtain copies of your medical records
- Providers must respond to records requests within 30 days
- North Dakota has specific confidentiality protections for mental health, substance abuse, and genetic information records
- N.D. Cent. Code § 23-12 provides rules for the handling and disclosure of health information
Oklahoma
Primary statute: Oklahoma HIV Confidentiality, 63 Okl. St. § 1-502.2
Oklahoma supplements HIPAA with limited state health privacy protections:
- HIPAA applies to covered entities in Oklahoma
- Oklahoma has confidentiality protections for HIV/AIDS records (63 Okl. St. § 1-502.2)
- Mental health records have protections under Oklahoma Mental Health Law
- Patients have a right to access records within 30 days under HIPAA
Oregon
Primary statute: Oregon Genetic Privacy Act — ORS § 192.531 et seq.
Oregon supplements HIPAA with state health privacy protections:
- Oregon has a comprehensive Genetic Privacy Act (ORS § 192.531 et seq.) — one of the strongest in the nation
- HIV/AIDS records have heightened confidentiality under ORS § 433.045
- Mental health records have additional protections under ORS Chapter 179
- Patients have a right to access records within 30 days
- Oregon provides a private right of action for health information privacy violations
Pennsylvania
Primary statute: Pennsylvania Mental Health Procedures Act — confidentiality, 50 P.S. § 7111
Pennsylvania supplements HIPAA with additional health privacy protections:
- PA Mental Health Procedures Act (50 P.S. § 7111): Provides heightened confidentiality for mental health records. Disclosure requires specific written consent, with limited exceptions for treatment emergencies.
- Drug and Alcohol Abuse Control Act (71 P.S. § 1690.108): Provides confidentiality protections for substance abuse treatment records, aligning with federal 42 C.F.R. Part 2.
- HIV/AIDS confidentiality (35 P.S. § 7601 et seq.): The Confidentiality of HIV-Related Information Act requires specific written consent for disclosure of HIV-related information, with criminal penalties for violations.
- Breach notification: PA's Breach of Personal Information Notification Act (73 P.S. § 2303) requires notification of breaches involving health information.
Rhode Island
Primary statute: R.I. Gen. Laws § 5-37.3 — Confidentiality of Health Care Communications and Information Act
Rhode Island follows federal HIPAA with additional state health privacy protections:
- HIPAA applies to all covered entities in Rhode Island
- You have the right to access, inspect, and obtain copies of your medical records
- Providers must respond to records requests within 30 days
- Rhode Island's Confidentiality of Health Care Communications and Information Act (R.I. Gen. Laws § 5-37.3) provides additional protections
- Rhode Island has specific protections for mental health, HIV/AIDS, and genetic information records
South Carolina
Primary statute: S.C. Code § 44-29-135 — HIV/AIDS Record Confidentiality
South Carolina supplements federal HIPAA with limited state health privacy protections:
- HIPAA applies to covered entities operating in SC
- SC has confidentiality protections for HIV/AIDS records (S.C. Code § 44-29-135)
- Mental health records have heightened confidentiality under the SC Mental Health Act
- Patients have a right to access their records within 30 days under HIPAA
South Dakota
Primary statute: HIPAA, 42 U.S.C. § 1320d et seq.
South Dakota follows federal HIPAA regulations:
- HIPAA applies to all covered entities in South Dakota
- You have the right to access, inspect, and obtain copies of your medical records
- Providers must respond to records requests within 30 days
- South Dakota does not have comprehensive additional state health privacy laws beyond HIPAA
- Medical records retention requirements follow professional licensing standards
Tennessee
Primary statute: TCA § 33-3-103 — Mental Health Record Confidentiality
Tennessee supplements federal HIPAA with state health privacy protections:
- HIPAA applies to covered entities operating in Tennessee
- TN has additional protections for mental health records under TCA § 33-3-103 et seq. (confidentiality of mental health records)
- TN law provides specific confidentiality protections for HIV/AIDS test results (TCA § 68-10-113)
- Substance abuse treatment records have additional protections under both state and federal law
- Patients have the right to access their medical records under both HIPAA and TN law
- TN law requires healthcare providers to respond to records requests within 30 days
- Tennessee's data breach notification law (TCA § 47-18-2107) requires notification when health data is compromised
Texas
Primary statute: Texas Medical Records Privacy Act, Tex. Health & Safety Code Ch. 181
Full Texas guide →Utah
Primary statute: Utah Consumer Privacy Act — Utah Code § 13-61
Utah follows federal HIPAA with additional state privacy protections:
- HIPAA applies to all covered entities in Utah
- You have the right to access, inspect, and obtain copies of your medical records
- Providers must respond to records requests within 30 days
- Utah enacted the Utah Consumer Privacy Act (UCPA) effective December 2023, which includes provisions for health data
- Utah has specific protections for mental health and substance abuse records
Vermont
Primary statute: 18 V.S.A. § 1881 — Vermont health record access and privacy
Vermont follows federal HIPAA with strong additional state privacy protections:
- HIPAA applies to all covered entities in Vermont
- You have the right to access, inspect, and obtain copies of your medical records
- Providers must respond to records requests within 30 days
- Vermont has enacted comprehensive health data privacy protections, including the Vermont Health Insurance Claims Database
- Vermont Act 53 (2019) provides additional consumer health data protections
Virginia
Primary statute: Virginia Health Records Privacy, Va. Code § 32.1-127.1:03
Full Virginia guide →Washington
Primary statute: Washington Uniform Health Care Information Act, RCW 70.02
Washington supplements federal HIPAA with some of the strongest state health privacy protections in the nation:
- HIPAA applies to covered entities operating in Washington
- The Washington My Health My Data Act (2023) provides comprehensive health data privacy protections for data not covered by HIPAA — including data collected by apps, websites, and non-HIPAA-covered businesses
- Washington has specific protections for mental health records (RCW 71.05.390) with heightened consent requirements for disclosure
- HIV test results and substance abuse records have strict confidentiality protections
- Washington requires patient consent before sharing health information in many situations where HIPAA alone would not require consent
- Washington's Uniform Health Care Information Act (RCW 70.02) provides additional patient access and privacy rights
West Virginia
Primary statute: W. Va. Code § 27-3-1 — Mental health records confidentiality
Full West Virginia guide →Wisconsin
Primary statute: Wis. Stat. § 51.30 — Mental Health Treatment Records Confidentiality
Wisconsin supplements federal HIPAA with state health privacy protections:
- HIPAA applies to covered entities operating in Wisconsin
- Wisconsin has additional protections for mental health records under Wis. Stat. § 51.30 (confidentiality of mental health treatment records)
- WI law provides specific confidentiality protections for HIV/AIDS test results (Wis. Stat. § 252.15) and substance abuse treatment records
- Wisconsin's Patient's Bill of Rights (Wis. Stat. § 51.61) provides comprehensive protections for individuals in mental health facilities
- Patients have a right to access their medical records — providers must respond within 30 days
- Wisconsin's data breach notification law (Wis. Stat. § 134.98) requires notification when personal information, including health data, is compromised
Wyoming
Primary statute: HIPAA Privacy Rule, 42 U.S.C. § 1320d et seq.
Wyoming follows federal HIPAA regulations:
- HIPAA applies to all covered entities in Wyoming
- You have the right to access, inspect, and obtain copies of your medical records
- Providers must respond to records requests within 30 days
- Wyoming does not have comprehensive additional state health privacy laws beyond HIPAA
- Wyoming's small population and rural healthcare system mean access and privacy concerns are closely intertwined