HIPAA Compliance in Pennsylvania: The 2026 Guide

Pennsylvania healthcare providers work under several intersecting state privacy laws—the Confidentiality of HIV-Related Information Act (35 P.S. §7601 et seq.), the Mental Health Procedures Act, Act 151 of 2005 regulating patient records, the Pennsylvania Department of Health’s facility licensure rules, and the Breach of Personal Information Notification Act (73 P.S. §2301 et seq.). Layer the 2026 federal HIPAA Security Rule amendments on top, and Pennsylvania hospitals, FQHCs, RHCs, CAHs, and clinics face a compliance stack that’s broader than what HIPAA covers alone. This guide walks through what’s distinctive, what the 2026 rules change, and how providers in Philadelphia, Pittsburgh, Harrisburg, Allentown, Erie, and rural Pennsylvania meet the bar.

What’s distinctive about Pennsylvania HIPAA compliance

• HIV-related information gets heightened protection under Pennsylvania’s Confidentiality of HIV-Related Information Act—stricter than HIPAA’s baseline and enforceable through civil penalties and private causes of action.
• Mental health information under the Mental Health Procedures Act (50 P.S. §7101) adds consent requirements beyond HIPAA for psychiatric records.
• Act 151 (2005) clarifies patient rights to their records and release of medical information.
• Breach notification under 73 P.S. §2301 requires notice “without unreasonable delay,” with state AG notification requirements layered on.
• PA DOH facility rules (28 Pa. Code, Chapters 101–139 for hospitals, plus segment-specific chapters) impose privacy and records obligations enforced during licensure surveys.

The 2026 federal HIPAA Security Rule amendments, applied to Pennsylvania

• Mandatory encryption of ePHI at rest and in transit
• Mandatory MFA on every ePHI-handling system
• Biannual vulnerability scanning and annual pen testing
• 72-hour breach reporting to OCR on 500+ breaches
• Written asset inventory tied to the risk analysis

Pennsylvania providers also have to run their program against the PA AG’s breach-notification expectations and DOH licensure obligations. A single documented program should map to all of them. See our 2026 buyer’s guide to HIPAA risk assessment tools.

HIV-related information: Pennsylvania’s biggest state overlay

The Confidentiality of HIV-Related Information Act is one of the strictest state frameworks around a specific PHI category. Disclosures of HIV-related information generally require a specific written consent that references HIV, beyond what HIPAA’s general authorization or treatment-payment-operations framework allows. Redisclosure by recipients is also restricted, and violations can result in both civil penalties and private-party damages.

Practical impact for Pennsylvania covered entities:

• EHRs should be able to segregate HIV-related records and apply consent-specific access controls.
• Releases of information workflows need an HIV-specific consent pathway, distinct from the general release-of-information form.
• Interface counterparts need to carry forward the redisclosure restrictions.
• Training for release-of-information, HIM, and clinical staff needs to address the HIV overlay explicitly.

Mental Health Procedures Act

Pennsylvania’s MHPA (50 P.S. §7101) adds consent requirements for mental-health records that exceed HIPAA’s psychotherapy-notes framework. Any covered entity operating behavioral health services in Pennsylvania should map MHPA obligations onto its HIPAA program—see also our HIPAA for mental and behavioral health providers guide.

PA Breach Notification Act

Under 73 P.S. §2301, a Pennsylvania business or entity (including healthcare providers) must notify affected Pennsylvania residents of a security breach involving personal information “without unreasonable delay.” If the breach affects more than 1,000 Pennsylvania residents, the entity must also notify the PA Attorney General and consumer reporting agencies. The Act has been amended to add AG-notification and credit-monitoring requirements for larger incidents.

For PHI breaches, HIPAA’s 60-day individual-notice window applies, the 2026 Security Rule’s 72-hour OCR notification applies for 500+ breaches, and the PA Breach Notification Act’s “without unreasonable delay” standard applies. The practical result: most PA healthcare breaches trigger all three timelines, and the incident-response playbook has to be built for the shortest.

PA DOH hospital and facility rules

28 Pa. Code Chapters 101 (general hospital licensure) and 103, 107, 108, 115, and segment-specific chapters for ASCs, home health, hospice, and long-term care impose facility-level requirements that overlap with HIPAA on:

• Medical records confidentiality and retention
• Patient rights
• Incident reporting
• Workforce training

A HIPAA policy set that cites the relevant Pa. Code section makes DOH licensure surveys smoother. For rural Pennsylvania CAHs—Pennsylvania has one of the larger CAH populations in the country—see our HIPAA for CAHs guide and HIPAA for rural hospitals.

Pennsylvania FQHCs, RHCs, and safety-net providers

Pennsylvania has a substantial FQHC and RHC footprint—from Philadelphia’s large health center network, to rural North Central PA, the Southern Tier, and western PA coal country. For that population, layer the HRSA and HIPAA rules: FQHC guide, CHC guide, CHC SRA methodology, and HIPAA compliance cost guide.

What a 2026-compliant Pennsylvania program needs

1. Annual Security Risk Analysis covering every system, vendor, site, and segregation of HIV-related and mental-health records
2. Risk management plan with owned, dated remediation
3. Policy set addressing HIPAA, HIV Confidentiality Act, MHPA, Act 151, PA Breach Notification Act, and Pa. Code licensure sections
4. Release-of-information workflows that include an HIV-specific consent pathway
5. Workforce training addressing HIV and mental health overlays
6. Vendor inventory with current BAAs, including interface counterparts
7. Incident-response playbook meeting OCR, HIPAA, and PA Breach Notification Act timelines
8. Technical safeguards: encryption, MFA, vulnerability scanning, pen testing, patching, backup, audit logs

PA HIPAA readiness checklist

1. Does our release-of-information workflow have a specific HIV consent pathway?
2. Is our mental-health records handling aligned to MHPA as well as HIPAA?
3. Is our breach-response playbook built for the fastest applicable timeline (OCR 72-hour on 500+)?
4. Is our written SRA 2026-aligned and does it cover all ePHI systems?
5. Do our policies cite the Pa. Code sections that DOH surveyors use?

Frequently asked questions

Does HIPAA preempt Pennsylvania’s HIV Confidentiality Act?

No. Pennsylvania’s HIV Confidentiality Act is more protective than HIPAA on disclosures of HIV-related information, so the state law controls where it is more protective. Pennsylvania covered entities must comply with both.

What is the PA breach notification timeline?

The PA Breach of Personal Information Notification Act requires notice “without unreasonable delay.” HIPAA imposes a 60-day individual-notice maximum (72 hours to OCR under the 2026 Security Rule for 500+ breaches). In most PA healthcare breaches, all three apply and the shortest controls.

Does the Mental Health Procedures Act add to HIPAA psychotherapy-notes protection?

Yes. MHPA imposes consent requirements for mental-health information that go beyond HIPAA’s psychotherapy-notes framework. PA behavioral health providers should map MHPA onto their HIPAA program.

Are PA CAHs and RHCs covered by state-specific HIPAA rules?

No separate state-specific HIPAA overlay for CAHs and RHCs, but PA’s DOH licensure rules and the HRSA overlay both apply on top of HIPAA.

What are PA HIPAA-adjacent penalties?

PA doesn’t impose state-specific HIPAA penalties, but the HIV Confidentiality Act includes civil penalties and private causes of action. The PA Breach Notification Act is enforced by the PA AG with state consumer-protection remedies. These stack on top of federal OCR penalties.