Patient Privacy Rights

About HIPAA Summit Media Contact DONATE

A Right to Privacy is recognized as a “fundamental” constitutional right by Congress and Human Health Services.

10 States set forth in their Constitutions the right to privacy: AK, AZ, CA, FL, HI, IL, LA, MT, SC, and WA.

All states recognize the psychotherapist-patient privilege, and the privilege is also recognized under federal common law.  Under such privileges, communications between a therapist and patient may not be disclosed unless the patient waives the privilege.

44 states recognize a physician-patient privilege. It is NOT recognized by: AL, GA, KY, MD, SC, TN and WV.  Under such privileges, communications between a physician and patient may not be disclosed unless the patient waives the privilege.

Cancer:

Only nine states do NOT maintain cancer registries: CT, GA, IA, MT, NE, NM, ND, UT, and WY.  The remaining states maintain cancer registries.  The information is considered confidential, privileged, and not subject to inspection, but may be disclosed to other registries, federal cancer control agencies, state health departments, and health researchers.  Penalties for violations of cancer registry provisions vary from each state.

Genetic Testing:

Statutes are available in 38 states.  The remaining states and DC do not protect genetic test results: AL, CT, DC, ID, IA, KS, KY, MS, ND, PA, TX WA, and WV.  Only 25 states provide cause of action, including claims of unfair trade practices and equitable relief, civil liability and/or criminal charges and penalties.

HIV/AIDS:

Only four states do NOT protect HIV/AIDS information: IN, NE, TN, and WY.  Cause of action varies from state to state.

Mental Health:

Only three states do NOT provide statutory protection for the records of an individual confined to a mental facility, mental health program, or mental health treatment: AR, MA, and MN.  Still, only 17 states and DC provide a civil and/or criminal remedy for the release or public disclosure of mental health information: CO, CT, DC, HI, IL, IA, KS, KY, NE, NJ, OR, SC, TX, UT, VA, WA, WI, and WY.

STDs:

32 states have statutes governing Sexually Transmitted Diseases (STDs) and information about certain sexually transmitted diseases must be reported to state and local health officials.  Reports are confidential, and only in NY may reports of STDs be disclosed by court order in a criminal or family court proceeding.  Only 11 states provide a remedy and impose penalties for violation of the statute’s non-disclosure provision: FL, ID, NM, NC, ND, OR, PA, RI, SC, UT, and WA.

Data Breach Disclosure Laws:

39 states and DC have enacted legislation requiring notification of security breaches involving personal information.  The 10 that have no legislation requiring notification of security breach involving personal information are: AL, AK, IA, KY, MS, MO, NM, SC, SD, VA, and WV.

PPR would like to thank Powers, Pyles, Sutter & Verville, P.C. for their work in compiling information on state privacy laws.

Note: None of the information provided here or anywhere on this site should be construed as legal advice.

Additional Privacy State Law Information