HIPAA Compliance in Maryland: State-Specific Requirements, Laws, and Checklist
Maryland Confidentiality of Medical Records Act
Maryland’s Confidentiality of Medical Records Act (MCMRA) governs how health care providers and facilities collect, use, disclose, and safeguard medical records. It defines key terms (including “disclose” and “person in interest”), sets baseline confidentiality duties, and lists narrow circumstances when disclosure without authorization is permitted. Recipients of records generally may not redisclose them unless a statute or the Act allows it. ([mgaleg.maryland.gov](https://mgaleg.maryland.gov/mgawebsite/Laws/StatuteText?article=ghg&enactments=false&section=4-301&utm_source=openai))
Access and timing are also regulated. Maryland providers must respond to record requests within a reasonable time, not exceeding 21 working days, and may withhold portions only under specific conditions (for example, if disclosure would be injurious, especially for certain mental health content). ([health.maryland.gov](https://health.maryland.gov/mbpme/Pages/records.aspx?utm_source=openai))
At-a-glance checklist
- Map disclosures permitted under MCMRA versus HIPAA; prohibit redisclosure unless expressly allowed. ([mgaleg.maryland.gov](https://mgaleg.maryland.gov/mgawebsite/Laws/StatuteText?article=ghg&enactments=false&section=4-302&utm_source=openai))
- Document processes to meet the 21-working-day record fulfillment timeline and any lawful denials or partial denials. ([health.maryland.gov](https://health.maryland.gov/mbpme/Pages/records.aspx?utm_source=openai))
- Apply heightened review for records related to psychiatric or psychological care before release. ([mgaleg.maryland.gov](https://mgaleg.maryland.gov/mgawebsite/Laws/StatuteText?article=ghg&enactments=false&section=4-304&utm_source=openai))
Maryland Personal Information Protection Act (MPIPA)
MPIPA (Commercial Law §14-3501 et seq.) requires businesses—including many health organizations handling non-PHI consumer data—to notify Maryland residents of a security breach “as soon as reasonably practicable,” but no later than 45 days after discovery. Before notifying consumers, you must notify the Maryland Office of the Attorney General (OAG) and include a sample consumer notice and summary of the incident. ([oag.maryland.gov](https://oag.maryland.gov/i-need-to/Pages/Guidelines-for-Businesses-to-Comply-with-the-Maryland-Personal-Information-Protection-Act.aspx))
MPIPA defines “personal information” to include health and mental health information created by HIPAA entities, health insurance identifiers, and biometric data. The consumer notice must contain prescribed elements and may be delivered by mail, phone, or email (with conditions). Substitute notice is allowed for large or costly incidents. ([oag.maryland.gov](https://oag.maryland.gov/i-need-to/Pages/Guidelines-for-Businesses-to-Comply-with-the-Maryland-Personal-Information-Protection-Act.aspx))
At-a-glance checklist
- Build a 45-day MPIPA clock and pre-notification workflow to the OAG (with sample notice). ([oag.maryland.gov](https://oag.maryland.gov/i-need-to/Pages/Guidelines-for-Businesses-to-Comply-with-the-Maryland-Personal-Information-Protection-Act.aspx))
- Confirm contracts require service providers to implement “reasonable security” and support breach notification duties. ([oag.maryland.gov](https://oag.maryland.gov/i-need-to/Pages/Guidelines-for-Businesses-to-Comply-with-the-Maryland-Personal-Information-Protection-Act.aspx))
- Coordinate MPIPA with HIPAA and other laws to meet the shortest applicable deadline. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
2026 HIPAA Security Rule Updates
As of June 14, 2026, HHS has not finalized the Security Rule overhaul; the updates remain at the Notice of Proposed Rulemaking (NPRM) stage. The NPRM proposes to require, among other things, encryption of ePHI at rest and in transit, multi-factor authentication, vulnerability scanning at least every six months, annual penetration testing, network segmentation, an asset inventory and network map, and a more prescriptive written risk analysis. It also proposes annual compliance audits and new business associate verification and incident-notification duties. The current Security Rule remains in effect until a final rule is issued. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))
Maryland entities should begin aligning policies and controls with the NPRM now, as these practices are already emphasized by OCR and recognized security practices can mitigate enforcement risk. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html?utm_source=openai))
At-a-glance checklist
- Prioritize NPRM controls: encryption, MFA, segmentation, vulnerability scanning, and pen testing. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))
- Develop/refresh written asset inventory, data-flow maps, incident response, and contingency plans. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))
- Track the final rule; plan phased implementation once HHS publishes compliance dates. ([thefederalregister.org](https://thefederalregister.org/documents/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information?utm_source=openai))
Mental Health Records Protection
Maryland provides additional protections for records “developed primarily” in connection with mental health services. Personal notes of a mental health provider receive special handling; certain disclosures require stricter conditions, and access to specific portions may be denied if release would be injurious to the patient or others. The statute also permits limited confirmations (e.g., presence in a facility to next of kin who filed a missing-person report) and sets rules for emergency disclosures and court orders. ([mgaleg.maryland.gov](https://mgaleg.maryland.gov/mgawebsite/Laws/StatuteText?article=ghg&section=4-307&utm_source=openai))
Separately, Maryland’s Mental Health Law protects confidentiality of court records tied to emergency psychiatric evaluations, reinforcing that many such records are sealed absent a court order for good cause. ([law.justia.com](https://law.justia.com/codes/maryland/2010/health-general/title-10/subtitle-6/10-630?utm_source=openai))
At-a-glance checklist
- Apply §4-307 safeguards to mental health records and “personal notes” before any disclosure. ([mgaleg.maryland.gov](https://mgaleg.maryland.gov/mgawebsite/Laws/StatuteText?article=ghg&section=4-307&utm_source=openai))
- When a request could be injurious, follow the statutory process for partial denial and alternative access. ([mgaleg.maryland.gov](https://mgaleg.maryland.gov/mgawebsite/Laws/StatuteText?article=ghg&enactments=false&section=4-304&utm_source=openai))
- Treat emergency‑evaluation court records as confidential unless a court authorizes release. ([law.justia.com](https://law.justia.com/codes/maryland/2010/health-general/title-10/subtitle-6/10-630?utm_source=openai))
Security Risk Analysis for Maryland Organizations
Under 45 CFR 164.308(a)(1)(ii)(A), every covered entity and business associate must perform an “accurate and thorough” risk analysis of risks and vulnerabilities to ePHI, then manage those risks to a reasonable and appropriate level. OCR provides detailed guidance and a free Security Risk Assessment (SRA) Tool to help small and mid‑sized organizations structure assessments. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.308?utm_source=openai))
At-a-glance checklist
- Scope your environment: systems, assets, data flows, interfaces (include telehealth, cloud, HIE, and BA connections). ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html?utm_source=openai))
- Identify threats/vulnerabilities; assess likelihood/impact; rank risks; decide treatments and timelines. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html?utm_source=openai))
- Map controls to HIPAA standards; document residual risk and management approval; repeat at least annually and upon major change. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.308?utm_source=openai))
- Use the ONC/OCR SRA Tool to document methodology and evidence; track remediation to closure. ([healthit.gov](https://healthit.gov/privacy-security/security-risk-assessment-tool/?utm_source=openai))
Breach Response Policy
For HIPAA-regulated incidents involving unsecured PHI, notify affected individuals without unreasonable delay and no later than 60 days after discovery; report to HHS (immediately for breaches affecting 500+ individuals and annually for fewer than 500), and to prominent media if 500+ residents of a state or jurisdiction are affected. Perform and document the four‑factor risk assessment to determine if a breach occurred and whether encryption safe harbor applies. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
For incidents triggering MPIPA, notify Maryland residents within 45 days and notify the OAG before sending consumer notices; include required content elements and consider substitute notice if thresholds are met. If you connect to the state‑designated HIE, follow Maryland Health Care Commission breach‑notice rules as applicable. ([oag.maryland.gov](https://oag.maryland.gov/i-need-to/Pages/Guidelines-for-Businesses-to-Comply-with-the-Maryland-Personal-Information-Protection-Act.aspx))
At-a-glance checklist
- Start dual clocks at discovery: HIPAA 60‑day and MPIPA 45‑day; meet the shortest deadline. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
- Complete HIPAA’s four‑factor risk assessment; preserve logs, forensics, and decision rationale. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
- Notify OAG with a sample notice before consumer outreach; include all required content. ([oag.maryland.gov](https://oag.maryland.gov/i-need-to/Pages/Guidelines-for-Businesses-to-Comply-with-the-Maryland-Personal-Information-Protection-Act.aspx))
- Report to HHS and media as required; coordinate with business associates and insurers. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
Business Associate Agreements (BAAs)
BAAs must establish permitted uses/disclosures; require safeguards for PHI and ePHI; mandate breach and incident reporting; support access, amendment, and accounting; bind subcontractors; provide for return or destruction of PHI; and allow termination for material breach. Cited authorities include 45 CFR 164.502(e) and 164.504(e), and HHS’s model provisions. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.502?utm_source=openai))
Given the NPRM, evaluate adding stricter terms now (for example, 24‑hour notice upon contingency‑plan activation, annual verification of controls like MFA and encryption) so Maryland entities are positioned for rapid compliance if the rule is finalized. Also ensure MPIPA “reasonable security” and cooperation duties are explicitly included for non‑PHI personal information. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))
At-a-glance checklist
- Inventory all vendors touching PHI/PII; execute BAAs and flow‑down terms to subcontractors. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.504?utm_source=openai))
- Specify incident-reporting windows shorter than HIPAA’s default; define roles for drafting and issuing notices. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions?utm_source=openai))
- Embed technical and administrative safeguards (encryption, MFA, segmentation) and audit/verification rights. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))
Conclusion
Effective HIPAA compliance in Maryland means harmonizing federal rules with MCMRA confidentiality standards and MPIPA’s 45‑day breach timeline, while preparing for the proposed Security Rule upgrades. Build a living risk analysis, tighten BAAs, and rehearse breach playbooks so you can meet both HIPAA and Maryland requirements with confidence. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.308?utm_source=openai))
FAQs
What are Maryland's specific HIPAA breach notification requirements?
Under HIPAA, notify affected individuals without unreasonable delay and no later than 60 days after discovery; report to HHS and, for incidents affecting 500+ residents, to prominent media. Maryland’s MPIPA adds a 45‑day outside limit for consumer notice and requires notifying the OAG before consumer notices go out, with specific content requirements. If both laws apply, meet HIPAA’s content/scope rules and Maryland’s shorter deadline and OAG pre‑notice. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
How does Maryland law differ from federal HIPAA for medical records confidentiality?
MCMRA governs providers and facilities statewide, detailing when disclosure is allowed, restricting redisclosure, and setting timelines and processes for patient access. It also adds special conditions for mental health records and allows partial denials where disclosure would be injurious. HIPAA sets national baselines, but Maryland’s more specific provisions (e.g., redisclosure limits and access processes) apply in addition to HIPAA. ([mgaleg.maryland.gov](https://mgaleg.maryland.gov/mgawebsite/Laws/StatuteText?article=ghg&enactments=false&section=4-302&utm_source=openai))
What are the new 2026 HIPAA Security Rule mandates?
As of June 14, 2026, they are proposed—not final. The NPRM would require encryption at rest/in transit, MFA, vulnerability scanning and annual pen testing, asset inventories and network maps, segmentation, written risk analyses with added specificity, annual compliance audits, and new BA verification and notification duties. Keep current with HHS and plan for phased adoption once a final rule and compliance dates are published. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))
How should Maryland organizations handle Business Associate Agreements?
Execute BAAs with every vendor that creates, receives, maintains, or transmits PHI; include HIPAA‑required terms (safeguards, breach reporting, subcontractor flow‑down, return/destruction, termination for breach) and operational details (notification windows, cooperation on notices). Given the NPRM, consider adding 24‑hour contingency‑activation notice and annual control verification; also address MPIPA “reasonable security” and breach cooperation for non‑PHI personal information. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html?utm_source=openai))
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.