HIPAA Compliance in Pennsylvania: Federal HIPAA + PA State Requirements
Pennsylvania healthcare providers must comply with federal HIPAA rules alongside the Pennsylvania Breach of Personal Information Notification Act (73 P.S. §2301 et seq.) and the Pennsylvania Medical Records Act. Pennsylvania lacks a comprehensive consumer privacy law but maintains healthcare-specific protections through its breach notification statute and medical records access rights. Major Pennsylvania health systems including UPMC and Penn Medicine have been involved in significant data breach incidents that underscore the importance of robust HIPAA compliance.
The PA AG enforces breach notification requirements and consumer protection laws; the PA DOH oversees healthcare facility licensing and can investigate HIPAA complaints.
State Penalties: PA Breach Notification Act violations: AG can seek injunctive relief and civil penalties. Pennsylvania courts can award actual damages to affected individuals.
Federal Penalties: $145–$2,190,294 per violation category per year under HIPAA (2026 adjusted)
How Federal + Pennsylvania Law Overlap
HIPAA governs PHI handling and breach notification. Pennsylvania's breach notification statute adds state-level notification requirements and covers personal information more broadly than HIPAA's PHI definition. Pennsylvania does not have a HIPAA-equivalent state law, so HIPAA's federal requirements are the primary compliance framework, supplemented by PA breach notification obligations.
Additional Pennsylvania Requirements Beyond Federal Law
- PA Breach of Personal Information Notification Act requires notification to PA residents 'in the most expedient time possible'
- PA AG must be notified of breaches affecting 1,000+ Pennsylvania residents
- Pennsylvania Medical Records Act (63 P.S. §1154) requires providers to maintain medical records for 7 years
- PA law requires patient medical records to be provided within 30 days of request — same as HIPAA
- Pennsylvania Mental Health Procedures Act imposes stricter confidentiality requirements for mental health records than HIPAA
- Employers operating self-insured health plans must comply with HIPAA independently; PA has no additional employer health data law
Key Compliance Requirements for Pennsylvania
- Maintain medical records for minimum 7 years per Pennsylvania Medical Records Act
- Notify PA residents promptly upon breach discovery; notify PA AG if 1,000+ residents affected
- Apply stricter mental health record confidentiality requirements per Pennsylvania Mental Health Procedures Act
- Conduct annual HIPAA Security Risk Analysis documented across all PA facilities
- Implement vendor management program — the UPMC and Heritage Valley incidents both involved third-party vulnerabilities
- Provide patient records within 30 days of written request
Common Violations in Pennsylvania
- Third-party vendor breaches where PA healthcare systems lacked adequate vendor security assessments
- Ransomware incidents disrupting clinical operations due to inadequate network segmentation
- Delayed notification to the PA AG for large-scale breaches affecting 1,000+ residents
- Insufficient mental health record confidentiality — Pennsylvania law is stricter than HIPAA
- Medical record retention shorter than Pennsylvania's 7-year requirement
Frequently Asked Questions
What does Pennsylvania's Breach of Personal Information Notification Act require?
The PA Breach Notification Act (73 P.S. §2301) requires businesses to notify Pennsylvania residents 'in the most expedient time possible' after discovering a breach of personal information, which includes medical information. If 1,000 or more Pennsylvania residents are affected, the Pennsylvania AG must also be notified. This obligation exists independently of HIPAA breach notification requirements.
How long must I keep medical records in Pennsylvania?
Pennsylvania's Medical Records Act requires healthcare providers to maintain medical records for a minimum of 7 years from the date of the last entry. For minors, records must be kept until the patient reaches age 26 or for 7 years, whichever is longer. This aligns with HIPAA's documentation retention requirements.
Are mental health records treated differently under Pennsylvania law?
Yes. The Pennsylvania Mental Health Procedures Act imposes stricter confidentiality requirements than HIPAA for mental health treatment records. Most disclosures require patient consent even in situations where HIPAA would permit disclosure. Providers treating mental health patients in Pennsylvania must apply both frameworks and use the stricter standard.
What was the UPMC data breach?
In 2014, hackers breached UPMC's HR database, stealing W-2 and personal data of approximately 27,000 employees. The stolen data was used in tax fraud schemes. This incident triggered OCR scrutiny of UPMC's HIPAA security program, class action lawsuits, and a PA AG inquiry into UPMC's data security practices — demonstrating that HIPAA violations can arise from HR system breaches, not just clinical systems.
Who enforces HIPAA in Pennsylvania?
OCR enforces federal HIPAA. The Pennsylvania AG enforces breach notification obligations under the PA Breach of Personal Information Notification Act. The PA Department of Health oversees healthcare facility licensing. Pennsylvania does not have a state-level HIPAA equivalent, so federal law is the primary framework, supplemented by state breach notification and mental health record laws.