HIPAA Compliance in Nebraska: State‑Specific Requirements and How to Stay Compliant



Kevin Henry

HIPAA

March 24, 2026

7 minutes read

Nebraska Department of Health and Human Services Oversight

HIPAA is a federal law enforced by the U.S. Department of Health and Human Services Office for Civil Rights, but in Nebraska, the Department of Health and Human Services (DHHS) sets and enforces state licensure rules for healthcare facilities. Those Title 175 rules govern how you operate, document, safeguard, and share Protected Health Information (PHI) inside licensed settings. ([dhhs.ne.gov](https://dhhs.ne.gov/Pages/Title-175.aspx?utm_source=openai))

State law also gives patients the right to access their medical records, with limited exceptions for certain mental health records. Nebraska’s patient‑access statutes (sections 71‑8401 to 71‑8407) work alongside HIPAA and require providers to furnish copies upon request; you must protect other patients’ confidentiality within a record. ([law.justia.com](https://law.justia.com/codes/nebraska/chapter-71/statute-71-8403/?utm_source=openai))

Hospitals, clinics, home health, hospice, and other facilities must follow chapter‑specific operational and recordkeeping standards under Title 175. For example, hospitals must maintain certain administrative records at least seven years and keep a permanent patient index, while health clinics, home health, and inpatient hospice have explicit clinical record retention periods (detailed below). Your HIPAA program should map to these DHHS rules and your facility license. ([law.cornell.edu](https://www.law.cornell.edu/regulations/nebraska/175-Neb-Admin-Code-ch-9-SS-006))

Nebraska Data Privacy Act Overview

The Nebraska Data Privacy Act (LB 1074) took effect on January 1, 2025, and establishes consumer privacy rights (access, deletion, portability, opt‑out of targeted ads/sale) and controller/processor duties, with enforcement by the Nebraska Attorney General. ([nebraskalegislature.gov](https://nebraskalegislature.gov/FloorDocs/108/PDF/Final/LB1074.pdf))

For healthcare, the Act exempts HIPAA covered entities and business associates, as well as PHI and certain health‑related data (including 42 U.S.C. 290dd‑2 substance‑use disorder “patient identifying information”). Even if your PHI is exempt, the law can still apply to non‑PHI consumer data you process (for example, website analytics or marketing databases), so update your notices and request‑handling workflows accordingly. ([nebraskalegislature.gov](https://nebraskalegislature.gov/FloorDocs/108/PDF/Final/LB1074.pdf))

Bottom line: Continue meeting HIPAA for PHI, and assess the Nebraska Data Privacy Act for consumer data outside HIPAA. Document what data is exempt and how you will honor consumer requests when the law applies. ([nebraskalegislature.gov](https://nebraskalegislature.gov/FloorDocs/108/PDF/Final/LB1074.pdf))

Medical Records Retention Guidelines

HIPAA does not set medical record retention periods. It requires you to retain HIPAA compliance documentation (policies, procedures, NPPs, BAAs, training, risk analyses) for six years from creation or last effective date. Pair that requirement with Nebraska’s facility‑licensure rules and payer/regulatory obligations to create a single, written retention schedule. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/580/does-hipaa-require-covered-entities-to-keep-medical-records-for-any-period/index.html?utm_source=openai))

Facility‑specific minimums under Title 175

  • Health clinics: Retain medical records at least five years; destruction is allowed after the five‑year mark, subject to confidentiality protections. ([regulations.justia.com](https://regulations.justia.com/states/nebraska/health-and-human-services-system/title-175/chapter-7/section-175-7-006/?utm_source=openai))
  • Home health agencies: Retain clinical records at least five years after last discharge; for minors, at least five years after the patient reaches the age of majority. ([dhhs.ne.gov](https://dhhs.ne.gov/Documents/Title-175-Complete.pdf))
  • Inpatient hospice and certain other licensed settings: Similar five‑year minimums apply, with permanent documentation of destruction. ([dhhs.ne.gov](https://dhhs.ne.gov/Documents/Title-175-Complete.pdf))
  • Hospitals: Chapter 9 requires a permanent patient index and sets minimum seven‑year retention for designated administrative and medication records; confirm your hospital’s policy for full chart retention based on risk, payers, and legal holds. ([law.cornell.edu](https://www.law.cornell.edu/regulations/nebraska/175-Neb-Admin-Code-ch-9-SS-006))

Practical approach: Keep clinical records for the longest applicable period across DHHS rules, contracts, Medicare/Medicaid conditions, malpractice statutes of limitation, and organizational risk tolerance—often seven to ten years or longer for high‑risk services or pediatrics. Preserve HIPAA documentation for at least six years regardless of clinical record schedules. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.530?utm_source=openai))

Medical Records Custodian Appointment

Designate a Medical Records Custodian in writing to manage retention, access, and disclosure when owners leave, merge, or close a practice. Your policy should identify where PHI is stored, how requests are authenticated, fees (when applicable), turnaround times, and how you protect PHI during storage and destruction. ([law.justia.com](https://law.justia.com/codes/nebraska/chapter-71/statute-71-8403/?utm_source=openai))

If you use a third‑party custodian, execute a Business Associate Agreement, maintain a records inventory, and publish clear patient notices (website, voicemail, mailings) explaining how to request records after transitions. Ensure your custodian follows Nebraska’s patient‑access and fee rules (for example, Section 71‑8404 outlines allowable copying fees and costs for special media like X‑rays). ([dhhs.ne.gov](https://dhhs.ne.gov/licensure/Documents/Medical%20Records.pdf?utm_source=openai))

Keep a permanent log of requests and disclosures, adhere to your Title 175 retention schedule before destruction, and document how you verify identity and fulfill requests to meet HIPAA and state obligations. ([regulations.justia.com](https://regulations.justia.com/states/nebraska/health-and-human-services-system/title-175/chapter-7/section-175-7-006/?utm_source=openai))


Telehealth Service Regulations

Nebraska’s Telehealth Act (sections 71‑8501 to 71‑8508) governs how telehealth services are delivered in the state. Before an initial telehealth visit, you must provide specified written information and obtain either a signed statement or verbal consent; patients must have access to information resulting from the telehealth encounter. ([nebraskalegislature.gov](https://nebraskalegislature.gov/laws/statutes.php?statute=71-8505&utm_source=openai))

The Act defines telehealth and confirms it does not change scope of practice or limit a patient’s right to choose in‑person care. Nebraska also permits audio‑only services in limited behavioral health contexts for established patients, in line with federal allowances. Your telehealth workflows should integrate HIPAA Privacy/Security Rule safeguards and state consent/documentation rules. ([nebraskalegislature.gov](https://nebraskalegislature.gov/laws/statutes.php?statute=71-8503&utm_source=openai))

Dental Practice Compliance Standards

Dental practices must align HIPAA safeguards with Nebraska’s professional rules under Title 172 (Dentistry) and applicable facility or radiation regulations. Maintain complete, legible dental records that justify diagnosis and treatment; follow sedation/anesthesia documentation rules when applicable; and ensure secure retention and destruction policies map to Nebraska’s licensure requirements. ([dhhs.ne.gov](https://dhhs.ne.gov/Pages/Title-172.aspx?utm_source=openai))

Train your team annually on OSHA Bloodborne Pathogens, implement CDC infection‑control guidance, and document compliance. If your team has occupational exposure to blood or OPIM, OSHA 29 CFR 1910.1030 requires an exposure control plan, vaccinations, and initial plus annual training. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/29/1910.1030?utm_source=openai))

For larger or multi‑site groups, adopting a recognized security framework—such as HITRUST CSF Certification—can help operationalize HIPAA safeguards across ePHI systems, vendor management, and incident response, while demonstrating due diligence to payers and partners.

Behavioral Health Services Statutory Requirements

Nebraska’s Behavioral Health Services Act designates the Division of Behavioral Health as the state’s chief behavioral health authority, responsible for system planning, oversight of regional behavioral health entities, and standards for programs and providers. Coordinate HIPAA and 42 CFR Part 2 controls with these state directives when handling sensitive mental health and substance use disorder information. ([nebraskalegislature.gov](https://nebraskalegislature.gov/laws/laws-index/chap71-full.html?utm_source=openai))

Two intersections matter most: (1) Telehealth—audio‑only allowances for certain behavioral services under the Telehealth Act; and (2) privacy—patient‑identifying SUD information under 42 U.S.C. 290dd‑2 is expressly recognized and exempted from Nebraska Data Privacy Act consumer‑rights processing, reinforcing your obligation to apply Part 2‑level protections. ([nebraskalegislature.gov](https://nebraskalegislature.gov/laws/statutes.php?statute=71-8503&utm_source=openai))

Wrap these statutes into your policies: define access controls for clinical notes, limit redisclosure, and maintain documentation and training tailored to behavioral health privacy nuances and emergency situations. ([dhhs.ne.gov](https://dhhs.ne.gov/Pages/Behavioral-Health-Regulations-Contracts-and-Guidance.aspx?utm_source=openai))

FAQs

What are Nebraska’s retention requirements for medical records?

Nebraska sets retention largely through DHHS facility licensure rules. Many settings require at least five years after last discharge (and for minors, five years after reaching majority). For example, health clinics have a five‑year minimum; home health and inpatient hospice specify similar five‑year rules. Hospitals must keep a permanent patient index and retain designated administrative/medication records for at least seven years; confirm full‑chart retention with your hospital’s policy and legal counsel. Separately, HIPAA requires you to keep HIPAA compliance documentation for six years. ([regulations.justia.com](https://regulations.justia.com/states/nebraska/health-and-human-services-system/title-175/chapter-7/section-175-7-006/?utm_source=openai))

How does the Nebraska Data Privacy Act affect HIPAA compliance?

Covered entities, business associates, PHI, and certain health‑related data (including 42 U.S.C. 290dd‑2 SUD data) are exempt from the Nebraska Data Privacy Act. You still must comply with HIPAA for PHI. However, the Act can apply to non‑PHI consumer data you process (for example, marketing or website analytics), so stand up consumer‑rights workflows and update notices where applicable. ([nebraskalegislature.gov](https://nebraskalegislature.gov/FloorDocs/108/PDF/Final/LB1074.pdf))

What steps are required to appoint a medical records custodian?

Adopt a written policy that names the custodian, inventories where PHI is stored, and sets procedures for authentication, response times, retention, and secure destruction. If using a third party, sign a BAA. Publish clear patient instructions for requesting records after transitions and apply Nebraska’s access and fee rules when furnishing copies (e.g., Section 71‑8404). Maintain a permanent log of requests and follow your Title 175 retention schedule before destroying records. ([law.justia.com](https://law.justia.com/codes/nebraska/chapter-71/statute-71-8403/?utm_source=openai))

How do telehealth regulations impact HIPAA in Nebraska?

The Nebraska Telehealth Act requires you to provide specific written information and obtain a signed statement or verbal consent before an initial telehealth visit; it also preserves patients’ right to access information from the telehealth encounter. The Act doesn’t alter scope of practice and allows audio‑only in limited behavioral contexts for established patients. Your telehealth platforms and workflows must still satisfy HIPAA Privacy/Security Rule safeguards end‑to‑end. ([nebraskalegislature.gov](https://nebraskalegislature.gov/laws/statutes.php?statute=71-8505&utm_source=openai))
