Confidentiality of Medical Records as a Condition of Hospital Licensure
This comparative map shows which of the 50 states plus the District of Columbia list medical record confidentiality as a condition of hospital licensure. Moreover, this map displays in which states medical record confidentiality is mandated for licensed hospitals, in which states it is not required, and shows the states where there are no laws concerning the matter. In the case that medical record confidentiality is required for licensed hospitals, there are also laws listed displaying possible retribution if medical records were to be released or their confidentiality threatened. [Last Updated: 07/24/2015]
Click on a state to see more information on Medical Records Collection, Retention, and Access in that state
- No law specifically addresses the issue
- Is a condition of hospital licensure
- Is not a condition of hospital licensure
Hide All
| State | Records Confidentiality | Details |
|---|---|---|
| Alabama | Is a condition of hospital licensure | Ala. Admin. Code r. 420-5-7-.13: Licensed Alabama hospitals must assign responsibility for medical record administration to a “medical records service.” Hospitals must establish a process to safeguard the confidentiality of patient records. Ala. Admin. Code r. 420-5-7-.05: Licensed Alabama hospitals must “protect and promote” patient rights including the confidentiality of their medical records. |
| Alaska | Is not a condition of hospital licensure | |
| Arizona | No law specifically addresses the issue | |
| Arkansas | No law specifically addresses the issue | |
| California | Is a condition of hospital licensure | |
| Colorado | Is a condition of hospital licensure | 6 CCR 1011-1:II-6.100: Licensed Colorado hospitals must “develop and implement a policy regarding patient rights" including the right to the confidentiality of medical records. |
| Connecticut | Is not a condition of hospital licensure | |
| Delaware | Is a condition of hospital licensure | 16 Del. C. § 1006: Grounds on which the Delaware Department of Health and Social Services may deny, suspend or revoke the license of any hospital. 16 Del. C. § 1009A: "A patient’s right of confidentiality shall not be violated in any manner.” 16 Del. C. § 1010A: Healthcare facilities that violate the Healthcare Associated Infections Disclosure Act, including the provision regarding patient privacy, face revocation of their license or civil penalties. |
| District of Columbia | Is a condition of hospital licensure | 22 DC ADC § 2022: Washington D.C. Hospitals must establish to policies and procedures to protect patient rights. These policies and procedures must include, among other items, the right to “personal privacy and confidentiality of medical records;” 22 DC ADC § 2030: Washington D.C. hospitals must maintain medical records for all patients. Medical records are confidential and may only be accessed in accordance with relevant law or with the patient’s consent. |
| Florida | Is a condition of hospital licensure | FL ST § 395.003: The Agency for Health Care Administration may suspend or revoke the license of a hospital that fails to comply with applicable laws and regulations. FL ST § 395.3025: Patient records maintained by licensed Florida facilities, including hospitals, are confidential and may not be disclosed without patient consent unless disclosure occurs to specified persons or in specified circumstances. FL ST § 408.815: The Agency for Health Care Administration may suspend or revoke the license of a health care facility that violates the health care licensing statute or related rules. |
| Georgia | Is a condition of hospital licensure | Ga. Code Ann., § 31-2-8: The Georgia Department of Human Resources may discipline specified licensed hospitals that violate applicable licensing laws. Ga. Code Ann., § 31-7-4: The Georgia Department of Human Resources may revoke the permit of a hospital that violates relevant rules and regulations. Ga. Code Ann., 290-9-7-.18: Medical records maintained by a licensed hospital are confidential and may only be accessed as authorized by state and federal law. Ga. Code Ann., 290-9-7-.41: Failure to comply with the hospital rules and regulations may result in the revocation of a hospital’s permit. |
| Hawaii | Is a condition of hospital licensure | Haw. Admin. Rules (HAR) § 11-93-3: Hawaii grants the Director of the Department of the Health the authority to license, inspect, and discipline hospitals. Haw. Admin. Rules (HAR) § 11-93-21: Licensed Hawaii hospitals must maintain confidential medical records that contain information regarding the patient’s identity, diagnosis, treatment, observations, and medical staff orders. Haw. Admin. Rules (HAR) § 11-93-26: Licensed Hawaii hospitals must establish “[w]ritten policies regarding the rights and responsibilities of patients…” These rights and responsibilities must include, among other items, that the patient is “entitled” to the confidentiality of their medical records. |
| Idaho | Is not a condition of hospital licensure | |
| Illinois | Is a condition of hospital licensure | IL ST CH 210 § 85/7: The Director of Public Health may suspend or revoke the license of a hospital that fails to comply with the Hospital Licensing Act, Hospital Report Card Act, Illinois Adverse Health Care Events Reporting Law of 2005, or other applicable rules, regulations, and standards. |
| Indiana | Is a condition of hospital licensure | |
| Iowa | Is not a condition of hospital licensure | |
| Kansas | Is a condition of hospital licensure | K.S.A. 65-430: The Kansas licensing agent may suspend or revoke the license of a hospital that fails to comply with the Article 4 hospital laws, K.S.A. 65-28,121 (regarding the abandonment of health care records), K.S.A. 65-4216 (regarding the failure to report acts by mental health technicians), or K.S.A. 65-4922 (regarding risk management programs). 28-34-9a2: Hospitals must maintain confidential medical records for all admitted patients. |
| Kentucky | Is not a condition of hospital licensure | |
| Louisiana | Is not a condition of hospital licensure | |
| Maine | Is a condition of hospital licensure | |
| Maryland | Is not a condition of hospital licensure | |
| Massachusetts | No law specifically addresses the issue | |
| Michigan | Is a condition of hospital licensure | |
| Minnesota | No law specifically addresses the issue | |
| Mississippi | Is a condition of hospital licensure | |
| Missouri | No law specifically addresses the issue | |
| Montana | Is not a condition of hospital licensure | |
| Nebraska | Is a condition of hospital licensure | Neb. Admin. R. & Regs. Tit. 175, Ch. 9, § 006: Licensed hospitals are required to maintain confidential medical records for at least ten years after a patient’s discharge or three years after a child patient reaches the age of eighteen. Neb. Admin. R. & Regs. Tit. 175, Ch. 9, § 008: The Nebraska Department of Health and Human Services Regulation and Licensure may take disciplinary action against a licensed hospital that, among other grounds, fails to comply with the Health Care Facility Licensure Act or the 175 NAC 9 regulations. |
| Nevada | Is not a condition of hospital licensure | |
| New Hampshire | Is a condition of hospital licensure | |
| New Jersey | Is a condition of hospital licensure | |
| New Mexico | No law specifically addresses the issue | |
| New York | Is not a condition of hospital licensure | |
| North Carolina | Is not a condition of hospital licensure | |
| North Dakota | Is a condition of hospital licensure | NDAC 33-07-01.1-20: Licensed North Dakota Acute Care Hospitals, Primary Care Hospitals, and Specialized Hospitals must ensure the confidentiality of medical records. Hospitals must limit access to patient medical records to authorized personnel and must obtain a patient’s written consent prior to releasing medical information. |
| Ohio | No law specifically addresses the issue | |
| Oklahoma | No law specifically addresses the issue | |
| Oregon | No law specifically addresses the issue | |
| Pennsylvania | No law specifically addresses the issue | |
| Rhode Island | Is a condition of hospital licensure | R.I. Admin. Code 31-4-18:27.0: Licensed Rhode Island hospitals must implement measures to ensure the confidentiality of all medical records. R.I. Admin. Code 31-4-18:7.0: The Rhode Island Department of Health may suspend or revoke a hospital’s license due to their noncompliance with the hospital licensing regulations, including the regulations pertaining to the maintenance and confidentiality of medical records. |
| South Carolina | Is not a condition of hospital licensure | |
| South Dakota | Is a condition of hospital licensure | SDCL § 34-12-19: The South Dakota Department of Health may suspend the license of a hospital or related institution for violations of the Chapter 34-12 laws or related regulations. ARSD 44:04:09:04: Hospitals must establish polices and procedures regarding the maintenance of medical records. The policies and procedures must address, among other items, how to safeguard and protect the confidentiality of medical records. |
| Tennessee | Is a condition of hospital licensure | |
| Texas | Is not a condition of hospital licensure | |
| Utah | Is a condition of hospital licensure | U.A.C. R432-100: Hospitals must comply with the 42 C.F.R. Part 2 confidentiality requirements when dealing with a patient that requests or receives admission to a substance abuse program. U.A.C. R432-3: The Utah Department of Health may discipline licensed hospitals for violations of Utah laws and regulations. |
| Vermont | Is not a condition of hospital licensure | |
| Virginia | Is not a condition of hospital licensure | |
| Washington | Is a condition of hospital licensure | |
| West Virginia | Is a condition of hospital licensure | W. Va. Code St. R. § 64-12-7: Licensed hospitals must establish a “Medical Records Department and Information System” that is “sufficient to support the maintenance of patient records….and quality improvement activities.” Hospitals must maintain their records for a minimum of five years and implement procedures for protecting the confidentiality of patient records. W. Va. Code St. R. § 64-12-3: Hospitals that violate any provisions of the hospital licensure rules, including the § 64-12-7 medical record maintenance provisions, face revocation of their license. |
| Wisconsin | Is a condition of hospital licensure | |
| Wyoming | Is not a condition of hospital licensure |
.png)