
Copyright SJKP LLP Law Firm all rights reserved

When Does Healthcare Privacy Law Mandate a 60-Day Notice?

Practice Area: Others

Healthcare privacy law in the United States establishes a legal framework that governs how protected health information is collected, used, disclosed, and safeguarded by covered entities and their business associates.



The primary federal statute regulating healthcare privacy is the Health Insurance Portability and Accountability Act, commonly known as HIPAA, which sets minimum standards for the protection of individually identifiable health information. Violations of HIPAA and related state privacy statutes can result in civil penalties, regulatory sanctions, and potential liability for unauthorized disclosures or breaches of patient confidentiality. This article addresses the statutory framework governing healthcare privacy, the rights and obligations of healthcare providers, enforcement mechanisms, state law variations, and practical compliance considerations that healthcare professionals should understand.


1. The Federal and State Healthcare Privacy Landscape


Healthcare privacy is regulated through a combination of federal law, state law, and industry-specific rules. HIPAA applies to covered entities such as hospitals, physician practices, health plans, and healthcare clearinghouses, as well as business associates that handle protected health information on their behalf. Many states have enacted their own privacy statutes that may impose stricter requirements or broader protections than the federal baseline.



How Does HIPAA Define Protected Health Information?


Protected health information, or PHI, refers to any individually identifiable health data maintained or transmitted by a covered entity or business associate in any form or medium. PHI includes medical records, billing information, demographic data linked to health status, genetic information, and any other health data that can reasonably be used to identify an individual. The definition is broad by design, capturing not only obvious identifiers such as name and Social Security number, but also less obvious ones such as dates of birth, admission dates, and medical record numbers when combined with other information. HIPAA's Privacy Rule establishes that covered entities may use and disclose PHI only for purposes permitted by the statute, such as treatment, payment, healthcare operations, and other limited circumstances defined in the regulations.



What State Privacy Laws Complement or Exceed Federal Requirements?


States including New York, California, and Massachusetts have enacted privacy statutes that often impose requirements more stringent than HIPAA or address gaps in federal coverage. New York's state privacy law, for example, restricts the disclosure of mental health records and substance abuse treatment information more strictly than HIPAA does. Some states require explicit written authorization for any use or disclosure of health information beyond treatment and payment, whereas HIPAA permits certain uses for healthcare operations without separate patient consent. Healthcare professionals operating across multiple states must comply with the most protective rule applicable in each jurisdiction, creating a layered compliance obligation that extends beyond the federal floor.



2. Patient Rights and Practical Protections


HIPAA and state laws grant patients specific rights regarding their health information, including rights of access, correction, accounting, and restriction. These rights create enforceable expectations that healthcare providers must respect and document.



What Is a Patient's Right to Access Their Medical Records?


Patients have a statutory right to obtain a copy of their medical records and to inspect the health information held by a covered entity. HIPAA requires covered entities to provide access within thirty days of a written request, with limited exceptions for psychotherapy notes, information compiled for legal proceedings, and certain other sensitive materials. The patient may request records in electronic format if the covered entity maintains them electronically, and may request that corrections be made to inaccurate or incomplete information. Delays in providing records or unreasonable fees for copying can constitute violations of the access rule. In New York practice, healthcare providers frequently encounter requests for records in litigation discovery, employment disputes, and insurance matters, and timely compliance with access requests helps avoid penalties and demonstrates good-faith adherence to privacy obligations.



Can Patients Restrict How Their Information Is Used or Disclosed?


Patients may request that a covered entity restrict the use or disclosure of their health information, though the covered entity is not required to agree to every restriction request. HIPAA requires covered entities to honor restrictions on disclosures to health plans for purposes of payment or healthcare operations if the patient pays out of pocket for the service in full. Beyond that narrow category, the restriction is discretionary on the part of the provider. Many healthcare practices establish policies permitting patients to opt out of certain routine disclosures, such as directory information or marketing communications. State laws may impose stricter requirements; for instance, some states require providers to honor restrictions on disclosure to family members or employers absent a compelling clinical need. Documenting the patient's restriction request in the medical record and communicating it to staff who handle information access is essential to prevent inadvertent breaches.



3. Covered Entity Obligations and Compliance Framework


Covered entities must implement administrative, physical, and technical safeguards to protect PHI, and must establish policies and procedures that demonstrate compliance with the Privacy and Security Rules.



What Administrative and Technical Safeguards Must Healthcare Providers Implement?


HIPAA's Security Rule requires covered entities to conduct a risk analysis, identify vulnerabilities in their information systems, and implement safeguards proportionate to the risks identified. Administrative safeguards include designating a privacy officer and security officer, conducting workforce training on privacy and security requirements, implementing access controls that limit employee access to PHI based on job function, and maintaining audit logs that track who accesses health information and when. Technical safeguards include encryption of PHI in transit and at rest, secure authentication mechanisms such as multi-factor authentication, and intrusion detection systems. Physical safeguards address facility access controls, workstation security, and secure disposal of records containing PHI. The Security Rule does not prescribe a single technology or method; instead, it requires covered entities to implement measures appropriate to their size, complexity, and resources. A small primary care practice may satisfy the requirement through basic password policies and secure filing cabinets, whereas a large health system must deploy more sophisticated encryption and monitoring infrastructure.
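The paragraph above names two safeguards that are easy to state and easy to get wrong in practice: access controls that limit workforce access to PHI by job function, and audit logs that record who accessed which information and when. The following example, added here for illustration and not taken from the article or from any regulatory text, shows one way an application can enforce both. The role names, the field-level permissions and the sample patient record are constructed assumptions; the hash chain over the log is a common technique for detecting after-the-fact tampering with audit entries, which is what makes the log usable as compliance evidence.

```python
"""Job-function access gate for PHI with a tamper-evident audit log.

Added illustration (assumed roles, fields and records; not the article's
own material). Every access attempt is logged, including denied fields and
lookups of records that do not exist, and each log entry is hash-chained to
the previous one so deletions or edits to the log are detectable.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import hashlib
import json

# Constructed minimum-necessary policy: the PHI fields each job function may read.
ROLE_PERMISSIONS = {
    "clinician": {"name", "dob", "diagnoses", "medications"},
    "billing": {"name", "insurance_id", "charges"},
    "front_desk": {"name", "phone"},
}

# Constructed sample record keyed by a made-up medical record number (MRN).
SAMPLE_RECORDS = {
    "MRN-0001": {
        "name": "Jane Example", "dob": "1980-01-01", "phone": "555-0100",
        "diagnoses": ["J06.9"], "medications": ["acetaminophen"],
        "insurance_id": "INS-12345", "charges": 150.0,
    },
}


@dataclass
class AuditEntry:
    timestamp: str
    user: str
    role: str
    mrn: str
    released: list   # fields actually returned to the caller
    denied: list     # fields requested but outside the role's permissions
    prev_hash: str   # hash of the previous entry (chain link)
    entry_hash: str  # hash of this entry's payload plus prev_hash


def _digest(payload: dict, prev_hash: str) -> str:
    """SHA-256 over a canonical JSON rendering of the entry, bound to its predecessor."""
    body = json.dumps(payload, sort_keys=True)
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class PhiAccessGate:
    GENESIS = "0" * 64  # prev_hash for the first entry

    def __init__(self, records: dict):
        self._records = records
        self.audit_log: list[AuditEntry] = []

    def access(self, user: str, role: str, mrn: str, fields: list) -> dict:
        """Return only the requested fields the role is permitted to see; log everything."""
        if role not in ROLE_PERMISSIONS:
            raise PermissionError(f"unknown role {role!r}")
        requested = set(fields)
        released = sorted(requested & ROLE_PERMISSIONS[role])
        denied = sorted(requested - ROLE_PERMISSIONS[role])
        record = self._records.get(mrn, {})
        payload = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "mrn": mrn,
            "released": released, "denied": denied,
        }
        prev = self.audit_log[-1].entry_hash if self.audit_log else self.GENESIS
        self.audit_log.append(
            AuditEntry(**payload, prev_hash=prev, entry_hash=_digest(payload, prev))
        )
        # Release only permitted fields that the record actually carries.
        return {f: record[f] for f in released if f in record}

    def verify_audit_chain(self) -> bool:
        """Recompute every link; False if any entry was edited, removed or reordered."""
        prev = self.GENESIS
        for entry in self.audit_log:
            payload = {k: v for k, v in asdict(entry).items()
                       if k not in ("prev_hash", "entry_hash")}
            if entry.prev_hash != prev or entry.entry_hash != _digest(payload, prev):
                return False
            prev = entry.entry_hash
        return True


if __name__ == "__main__":
    gate = PhiAccessGate(SAMPLE_RECORDS)
    print(gate.access("bsmith", "billing", "MRN-0001", ["name", "charges", "diagnoses"]))
    print("audit chain intact:", gate.verify_audit_chain())
```

Two design points matter for the compliance purpose described in the text. First, the gate logs the denied fields as well as the released ones, so a pattern of a billing user repeatedly requesting diagnoses shows up in review even though nothing was disclosed. Second, the chain hash lets a reviewer prove the log was not altered after the fact; in a real deployment the entries would be written to append-only storage outside the application's own database, since a log the application can rewrite is weak evidence.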



What Are the Consequences of a Healthcare Privacy Breach?


A breach is an unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the information. HIPAA requires covered entities to notify affected individuals, the Department of Health and Human Services, and in some cases the media if a breach affects more than 500 residents of a state or jurisdiction. Notification must occur without unreasonable delay and no later than sixty calendar days after discovery of the breach. Civil penalties for HIPAA violations range from $100 to $50,000 per violation, with an annual maximum in the millions depending on the category of violation and the entity's compliance history. State attorneys general and private parties may also pursue enforcement actions under state privacy laws. Beyond regulatory penalties, breaches can result in loss of patient trust, reputational harm, and civil litigation from affected individuals claiming damages for identity theft, emotional distress, or other injuries stemming from the unauthorized disclosure.



4. Enforcement, Penalties, and Compliance Strategy


Multiple agencies enforce healthcare privacy law, and covered entities must maintain documentation demonstrating compliance efforts to mitigate liability exposure.



Who Enforces Healthcare Privacy Law and What Are the Enforcement Mechanisms?


The U.S. Department of Health and Human Services, Office for Civil Rights, enforces HIPAA's Privacy and Security Rules and investigates complaints filed by patients or other parties. State attorneys general also have authority to enforce HIPAA and state privacy statutes. The Office for Civil Rights may conduct compliance audits, respond to breach notifications, and issue corrective action plans requiring covered entities to remedy deficiencies. Enforcement actions may result in civil penalties, mandatory training, implementation of new policies, and in egregious cases, exclusion from federal healthcare programs. HIPAA itself does not create a private right of action, so private parties can sue covered entities on a HIPAA theory only in limited circumstances; state privacy laws, however, often do permit private lawsuits. Practitioners should understand that documentation of privacy policies, workforce training records, risk assessments, and breach response procedures serves as evidence of good-faith compliance efforts, which can influence penalty calculations and demonstrate organizational commitment to privacy protection.



What Practical Steps Should Healthcare Providers Take to Ensure Compliance?


Effective compliance begins with a comprehensive privacy and security audit that identifies gaps between current practices and regulatory requirements. Covered entities should develop and implement written policies addressing permitted uses and disclosures, patient rights, breach notification procedures, and workforce training. Designating a privacy officer responsible for oversight and ensuring that all workforce members receive annual training on privacy obligations is essential. Healthcare laws require ongoing monitoring of information


20 May, 2026


The information provided in this article is for general informational purposes only and does not constitute legal advice. Prior results do not guarantee a similar outcome. Reading or relying on the contents of this article does not create an attorney-client relationship with our firm. For advice regarding your specific situation, please consult a qualified attorney licensed in your jurisdiction.
Certain informational content on this website may utilize technology-assisted drafting tools and is subject to attorney review.
