HIPAA Compliance in Pennsylvania: The 2026 Guide
Pennsylvania hospitals face a compounded compliance timeline in 2026: the federal HIPAA Security Rule, as proposed, would mandate MFA, encryption at rest, and a 12-month risk-analysis cadence (effective dates rolling 2024–2026), and the Pennsylvania Breach of Personal Information Notification Act (BPINA) overlays state-level notification requirements. This guide consolidates the deadlines, breach-notification clock, and the state-privacy rule changes hospitals need to meet — in one place.
Hospital Compliance Deadlines (Pennsylvania) — 2026 Quick Reference
| Requirement | Source | Effective / Recurring | What hospitals must do |
|---|---|---|---|
| HIPAA Risk Analysis | 45 CFR 164.308(a)(1)(ii)(A); 2026 HIPAA Security Rule | Every 12 months | Document an asset-inventory-anchored SRA; retain 6 years. |
| MFA on ePHI systems | 2026 HIPAA Security Rule (NPRM Dec 2024 → finalization timeline) | Compliance window: rolling 2024–2026 | Enforce MFA on all ePHI-accessing user accounts. |
| PA breach notification | 73 P.S. § 2308 (Pennsylvania Breach of Personal Information Notification Act) | Notify “without unreasonable delay” | Notify PA AG and affected individuals; coordinate with HHS HIPAA breach notification (60 days). |
Pennsylvania healthcare providers work under several intersecting state privacy laws—the Confidentiality of HIV-Related Information Act (35 P.S. §7601 et seq.), the Mental Health Procedures Act, Act 151 of 2005 regulating patient records, the Pennsylvania Department of Health’s facility licensure rules, and the Breach of Personal Information Notification Act (73 P.S. §2301 et seq.). Layer the 2026 federal HIPAA Security Rule amendments on top, and Pennsylvania hospitals, FQHCs, RHCs, CAHs, and clinics face a compliance stack that’s broader than what HIPAA covers alone. This guide walks through what’s distinctive, what the 2026 rules change, and how providers in Philadelphia, Pittsburgh, Harrisburg, Allentown, Erie, and rural Pennsylvania meet the bar.
What’s distinctive about Pennsylvania HIPAA compliance
- HIV-related information gets heightened protection under Pennsylvania’s Confidentiality of HIV-Related Information Act—stricter than HIPAA’s baseline and enforceable through civil penalties and private causes of action.
- Mental health information under the Mental Health Procedures Act (50 P.S. §7101) adds consent requirements beyond HIPAA for psychiatric records.
- Act 151 (2005) clarifies patient rights to their records and release of medical information.
- Breach notification under 73 P.S. §2301 requires notice “without unreasonable delay,” with state AG notification requirements layered on.
- PA DOH facility rules (28 Pa. Code, Chapters 101–139 for hospitals, plus segment-specific chapters) impose privacy and records obligations enforced during licensure surveys.
The 2026 federal HIPAA Security Rule amendments, applied to Pennsylvania
- Mandatory encryption of ePHI at rest and in transit
- Mandatory MFA on every ePHI-handling system
- Twice-yearly vulnerability scanning and annual penetration testing
- 72-hour breach reporting to OCR on 500+ breaches
- Written asset inventory tied to the risk analysis
Pennsylvania providers also have to run their program against the PA AG’s breach-notification expectations and DOH licensure obligations. A single documented program should map to all of them. See our 2026 buyer’s guide to HIPAA risk assessment tools.
HIV-related information: Pennsylvania’s biggest state overlay
The Confidentiality of HIV-Related Information Act is one of the strictest state frameworks around a specific PHI category. Disclosures of HIV-related information generally require a specific written consent that references HIV, beyond what HIPAA’s general authorization or treatment-payment-operations framework allows. Redisclosure by recipients is also restricted, and violations can result in both civil penalties and private-party damages.
Practical impact for Pennsylvania covered entities:
- EHRs should be able to segregate HIV-related records and apply consent-specific access controls.
- Release-of-information workflows need an HIV-specific consent pathway, distinct from the general release-of-information form.
- Interface counterparts need to carry forward the redisclosure restrictions.
- Training for release-of-information, HIM, and clinical staff needs to address the HIV overlay explicitly.
Mental Health Procedures Act
Pennsylvania’s MHPA (50 P.S. §7101) adds consent requirements for mental-health records that exceed HIPAA’s psychotherapy-notes framework. Any covered entity operating behavioral health services in Pennsylvania should map MHPA obligations onto its HIPAA program—see also our HIPAA for mental and behavioral health providers guide.
PA Breach Notification Act
Under 73 P.S. §2301, a Pennsylvania business or entity (including healthcare providers) must notify affected Pennsylvania residents of a security breach involving personal information “without unreasonable delay.” If the breach affects more than 1,000 Pennsylvania residents, the entity must also notify the PA Attorney General and consumer reporting agencies. The Act has been amended to add AG-notification and credit-monitoring requirements for larger incidents.
For PHI breaches, HIPAA’s 60-day individual-notice window applies, the 2026 Security Rule’s 72-hour OCR notification applies for 500+ breaches, and the PA Breach Notification Act’s “without unreasonable delay” standard applies. The practical result: most PA healthcare breaches trigger all three timelines, so the incident-response playbook has to be built around the shortest applicable deadline.
PA DOH hospital and facility rules
28 Pa. Code Chapter 101 (general hospital licensure), Chapters 103, 107, 108, and 115, and the segment-specific chapters for ASCs, home health, hospice, and long-term care impose facility-level requirements that overlap with HIPAA on:
- Medical records confidentiality and retention
- Patient rights
- Incident reporting
- Workforce training
A HIPAA policy set that cites the relevant Pa. Code section makes DOH licensure surveys smoother. For rural Pennsylvania CAHs—Pennsylvania has one of the larger CAH populations in the country—see our HIPAA for CAHs guide and HIPAA for rural hospitals.
Pennsylvania FQHCs, RHCs, and safety-net providers
Pennsylvania has a substantial FQHC and RHC footprint—from Philadelphia’s large health center network, to rural North Central PA, the Southern Tier, and western PA coal country. For that population, layer the HRSA and HIPAA rules: FQHC guide, CHC guide, CHC SRA methodology, and HIPAA compliance cost guide.
What a 2026-compliant Pennsylvania program needs
- Annual Security Risk Analysis covering every system, vendor, and site, including how HIV-related and mental-health records are segregated
- Risk management plan with owned, dated remediation
- Policy set addressing HIPAA, HIV Confidentiality Act, MHPA, Act 151, PA Breach Notification Act, and Pa. Code licensure sections
- Release-of-information workflows that include an HIV-specific consent pathway
- Workforce training addressing HIV and mental health overlays
- Vendor inventory with current BAAs, including interface counterparts
- Incident-response playbook meeting OCR, HIPAA, and PA Breach Notification Act timelines
- Technical safeguards: encryption, MFA, vulnerability scanning, pen testing, patching, backup, audit logs
PA HIPAA readiness checklist
- Does our release-of-information workflow have a specific HIV consent pathway?
- Is our mental-health records handling aligned to MHPA as well as HIPAA?
- Is our breach-response playbook built for the fastest applicable timeline (OCR 72-hour on 500+)?
- Is our written SRA 2026-aligned and does it cover all ePHI systems?
- Do our policies cite the Pa. Code sections that DOH surveyors use?
Frequently asked questions
Does HIPAA preempt Pennsylvania’s HIV Confidentiality Act?
No. Pennsylvania’s HIV Confidentiality Act is more protective than HIPAA on disclosures of HIV-related information, so the state law controls where it is more protective. Pennsylvania covered entities must comply with both.
What is the PA breach notification timeline?
The PA Breach of Personal Information Notification Act requires notice “without unreasonable delay.” HIPAA imposes a 60-day individual-notice maximum (72 hours to OCR under the 2026 Security Rule for 500+ breaches). In most PA healthcare breaches, all three apply and the shortest deadline controls.
Does the Mental Health Procedures Act add to HIPAA psychotherapy-notes protection?
Yes. MHPA imposes consent requirements for mental-health information that go beyond HIPAA’s psychotherapy-notes framework. PA behavioral health providers should map MHPA onto their HIPAA program.
Are PA CAHs and RHCs covered by state-specific HIPAA rules?
No. There is no separate state-specific HIPAA overlay for CAHs and RHCs, but PA’s DOH licensure rules and the HRSA overlay both apply on top of HIPAA.
What are PA HIPAA-adjacent penalties?
PA doesn’t impose state-specific HIPAA penalties, but the HIV Confidentiality Act includes civil penalties and private causes of action. The PA Breach Notification Act is enforced by the PA AG with state consumer-protection remedies. These stack on top of federal OCR penalties.
Pennsylvania Mental Health Procedures Act (MHPA): The State Rule That Goes Beyond HIPAA
While Pennsylvania does not have a comprehensive medical privacy statute stricter than HIPAA across all conditions, the Pennsylvania Mental Health Procedures Act (MHPA), 50 P.S. §§ 7101–7503, applies a heightened confidentiality standard to mental-health records that every PA covered entity needs to know. Under Section 7111, all records concerning patients receiving mental-health services — whether inpatient, outpatient, or intake screening — are confidential and may only be released with the patient’s written consent or pursuant to specific statutory exceptions. The MHPA limits HIPAA’s “treatment, payment, and operations” disclosure latitude in the mental-health context: a routine HIPAA TPO disclosure that would be lawful for a primary-care record may violate the MHPA if the same disclosure involves a mental-health record. Pennsylvania providers running an integrated behavioral-health line of service — community mental-health centers, FQHCs with on-site behavioral specialists, hospital psych units — need a documented procedure for segregating access to mental-health records in their EHR, workforce training on the MHPA carve-out, and specific MHPA-compliant authorizations rather than a default HIPAA authorization template.
Pennsylvania Breach Notification: Stricter Timing Than HIPAA
While the federal HIPAA Breach Notification Rule allows up to 60 days from discovery to notify affected individuals, Pennsylvania’s Breach of Personal Information Notification Act (BPINA), 73 P.S. § 2301 et seq., requires notice “without unreasonable delay.” Pennsylvania also requires notice to the Pennsylvania Office of Attorney General whenever a breach affects more than 500 Pennsylvania residents, with a parallel notice to the major consumer-reporting agencies. Medcurity customers operating in Pennsylvania should configure their incident-response playbook with a 14–30 day target for individual notice (well inside HIPAA’s 60 days), maintain a current AG-notice template, and pre-stage the consumer-reporting-agency notification contacts so that incident discovery does not become incident-response paralysis.
Sources of Authority for Pennsylvania HIPAA Compliance
For ongoing regulatory guidance and enforcement context, Pennsylvania covered entities should monitor: the Pennsylvania Department of Health’s HIPAA resource page; the Pennsylvania Office of Attorney General’s data-breach reporting portal; the Hospital and Healthsystem Association of Pennsylvania (HAP) compliance bulletins; and 31 Pa. Code Chapter 146b on the privacy of consumer health information, which applies the federal HIPAA framework to Pennsylvania health insurers and producers. Pennsylvania-licensed clinical professionals — physicians, nurses, behavioral-health clinicians — should also track their respective licensing-board guidance on patient-record retention and disclosure, which can layer additional duties on top of HIPAA.