HIPAA Laws in Illinois: What Patients and Providers Need to Know

Kevin Henry

May 18, 2025

HIPAA Overview and History

HIPAA is a 1996 federal law that set national standards for protecting health information and streamlining electronic transactions. The HIPAA Privacy Rule (finalized in December 2000; effective April 14, 2001; compliance by April 14, 2003) created nationwide protections for how covered entities use and disclose protected health information (PHI). The HIPAA Security Rule (finalized in 2003; compliance by 2005) requires administrative, physical, and technical safeguards for electronic PHI. HITECH (2009) strengthened enforcement and extended many obligations to business associates; the 2013 Omnibus Rule aligned and updated the framework. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/general-overview/index.html?utm_source=openai))

Cyber threats have driven new federal action. On December 27, 2024, HHS proposed the first significant update to the HIPAA Security Rule since 2013 to add clearer cybersecurity expectations (for example, testing, documentation, and alignment to modern practices). Until a final rule issues, current HIPAA rules remain in effect. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html?utm_source=openai))

Illinois HIPAA Compliance Requirements

In Illinois, all HIPAA covered entities and business associates must comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. Illinois law adds obligations—particularly around breach notification and statewide exchange of health data—that operate alongside HIPAA and are not preempted when they offer greater protection. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/general-overview/index.html?utm_source=openai))

State breach notification and “personal information”

Illinois’ Personal Information Protection Act requires notification to impacted residents “in the most expedient time possible.” If a single incident affects more than 500 Illinois residents, the data collector must also notify the Illinois Attorney General. “Medical information” and “health insurance information” are expressly included in the statute’s definition of personal information, so health organizations often have duties under this law in addition to HIPAA. ([law.justia.com](https://law.justia.com/codes/illinois/chapter-815/act-815-ilcs-530/?utm_source=openai))

State-level health information exchange (HIE)

The Illinois Health Information Exchange and Technology Act (20 ILCS 3860) authorizes the State to establish and administer the Illinois Health Information Exchange (ILHIE), adopt participation standards, and enforce privacy and security requirements for exchange participants. The current Act is scheduled to be repealed on January 1, 2027, so organizations should track legislative updates. ([law.justia.com](https://law.justia.com/codes/illinois/2022/chapter-20/act-20-ilcs-3860/?utm_source=openai))

Public health reporting and IDPH

The Illinois Department of Public Health (IDPH) operates I-CARE, the statewide immunization registry, authorized at 410 ILCS 527. Providers report immunizations to I-CARE, and patients may opt out. IDPH emphasizes confidentiality and security controls for registry data. ([ilga.gov](https://ilga.gov/legislation/ilcs/documents/041005270K10.htm?utm_source=openai))

Patient Rights Under Illinois Law

Illinois supplements HIPAA with specific patient rights. Under the Medical Patient Rights Act, you have rights to privacy and confidentiality and, importantly, an opportunity to opt out of having information transmitted through a health information exchange, without being denied access to care for opting out. ([law.justia.com](https://law.justia.com/codes/illinois/chapter-410/act-410-ilcs-50/?utm_source=openai))

Access to records and turnaround times

Illinois law requires facilities and practitioners to fulfill written requests for medical records within 30 days or provide a written reason for delay and a definite date—no later than 60 days from receipt. Certain requests—for veterans’ disability, Social Security, and similar benefit claims—must be fulfilled with one free copy. HIPAA also guarantees a “Right of Access,” typically within 30 days (with one 30‑day extension), and allows only a reasonable, cost‑based fee for copies. When HIPAA’s access right applies, its fee limits override higher state fee schedules. ([law.justia.com](https://law.justia.com/codes/illinois/chapter-735/act-735-ilcs-5/article-viii/?utm_source=openai))

Penalties for HIPAA Violations in Illinois

HIPAA civil penalties are tiered based on culpability (ranging from “Did Not Know” to “Willful Neglect”), with per‑violation and annual caps that HHS updates for inflation. On January 28, 2026, HHS issued its annual inflation adjustment rule; current penalty tables are maintained in 45 CFR 102.3 and related guidance. As of the 2025 rate update applied in 2026, per‑violation maximums can reach $73,011 and annual caps for identical violations can reach $2,190,294, subject to HHS enforcement discretion and ongoing rulemaking. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2026-01-28/html/2026-01688.htm?utm_source=openai))

Criminal penalties under 42 U.S.C. § 1320d‑6 can include fines up to $250,000 and up to 10 years’ imprisonment when offenses involve intent to sell or use PHI for commercial advantage, personal gain, or malicious harm. These criminal provisions apply nationwide, including in Illinois. ([law.cornell.edu](https://www.law.cornell.edu/uscode/text/42/1320d-6?utm_source=openai))

Illinois Health Information Exchange Regulations

Participation in ILHIE requires compliance with minimum privacy and security standards set by the State HIE office (20 ILCS 3860/20). The office may limit, suspend, or terminate participation for noncompliance. Providers relying in good faith on ILHIE data receive certain liability protections except in cases of gross negligence or willful misconduct. ([law.justia.com](https://law.justia.com/codes/illinois/2022/chapter-20/act-20-ilcs-3860/?utm_source=openai))

Beyond ILHIE, Illinois also regulates other data-sharing tools. For example, EHR integrations with the Illinois Prescription Monitoring Program (PMPnow) require a memorandum of understanding, adherence to security responsibilities, and the ability to audit user access—controls that complement HIPAA. ([law.cornell.edu](https://www.law.cornell.edu/regulations/illinois/Ill-Admin-Code-tit-77-SS-2080.207?utm_source=openai))

Access to Mental Health Records

Illinois’ Mental Health and Developmental Disabilities Confidentiality Act (740 ILCS 110) provides stronger‑than‑HIPAA protections. Patients 12 or older generally may inspect and copy their mental health records, while parents of minors ages 12–17 may access certain information unless the minor objects or a therapist finds compelling reasons to deny access. Therapist personal notes are excluded from the “record,” and disclosures beyond those entitled to access require written consent that specifies recipient, purpose, and scope. ([il.elaws.us](https://il.elaws.us/law/740ilcs110))

Biometric Data Privacy Laws

Illinois’ Biometric Information Privacy Act (BIPA) regulates collection, use, disclosure, and retention of biometric identifiers (like fingerprints and facial scans). Before collecting biometrics, a private entity must publish a retention schedule, obtain a written release, and may not sell or profit from biometric data. Individuals have a private right of action with statutory damages for negligent, reckless, or intentional violations. ([ilga.gov](https://www.ilga.gov/ftp/legislation/103/BillStatus/HTML/10300SB2979.html?utm_source=openai))

Recent BIPA developments

  • Damages per person, not per scan: On August 2, 2024, Public Act 103‑0769 amended BIPA to treat multiple collections or disclosures of the same biometric from the same person via the same method as a single violation; it also clarified that electronic signatures qualify as a “written release.” ([ilga.gov](https://www.ilga.gov/ftp/legislation/103/BillStatus/HTML/10300SB2979.html?utm_source=openai))
  • Limitations period: The Illinois Supreme Court held a five‑year statute of limitations applies to all BIPA claims. ([law.justia.com](https://law.justia.com/cases/illinois/supreme-court/2023/127801.html?utm_source=openai))
  • Accrual: The Court held that a claim can accrue with each scan or transmission under Sections 15(b) and 15(d), a rule tempered in practice by the 2024 damages amendment. ([law.justia.com](https://law.justia.com/cases/illinois/supreme-court/2023/128004-0.html?utm_source=openai))

Health Data Privacy Act Provisions

Illinois has considered—but not yet enacted as of February 5, 2026—a comprehensive Health Data Privacy Act. The Protect Health Data Privacy Act (e.g., SB2273, 104th General Assembly) would require clear health data privacy policies; limit processing to consented or strictly necessary uses; prohibit selling health data without a valid authorization; provide rights to confirm, access, and delete health data; and create enforcement by the Attorney General along with a private right of action. Earlier efforts in the prior session (HB3603) did not pass. Monitor the bill docket if your organization processes consumer health data beyond HIPAA’s scope. ([legiscan.com](https://legiscan.com/IL/text/SB2273/id/3108482))

Medical Records Fees and Regulations

Illinois caps copy charges under 735 ILCS 5/8‑2001 and adjusts them annually. For 2026, the Illinois Comptroller lists a $36.68 handling charge, $1.38 per page for pages 1–25, $0.92 per page for pages 26–50, $0.46 per page thereafter, and $2.29 for microfilm/microfiche copies; electronic records retrieved from scanning or other digital formats may be charged at 50% of the paper per‑page rates. These state maxima do not override HIPAA’s cost‑based limits when an individual (or personal representative) exercises the HIPAA Right of Access. ([illinoiscomptroller.gov](https://illinoiscomptroller.gov/state-agencies/accounting/statutorily-required/copying-fees-adjustments?utm_source=openai))

Timing and process matter as much as fees. Illinois requires records to be provided within 30 days (or with a written explanation and firm date, no later than 60 days). HIPAA requires action within 30 days (with one 30‑day extension) and prohibits charging for retrieval, verification, or other non‑copying labor. Align your processes to meet the stricter applicable timelines and the federal fee limits. ([law.justia.com](https://law.justia.com/codes/illinois/chapter-735/act-735-ilcs-5/article-viii/?utm_source=openai))

Key takeaways

  • Use HIPAA as the baseline, then layer Illinois rules like the Personal Information Protection Act, the Illinois Health Information Exchange and Technology Act, and the Medical Patient Rights Act.
  • Expect enhanced obligations around exchange, public health reporting, and consumer privacy proposals; keep policies current with IDPH and ILHIE standards.
  • Harden security: the HIPAA Security Rule remains enforceable today as HHS pursues a cybersecurity‑focused update.
  • Price copies correctly and deliver on time—HIPAA’s Right of Access fee and timing rules often control.

FAQs

What rights do patients have under HIPAA in Illinois?

You have the HIPAA Right of Access to obtain your health information within 30 days (with one 30‑day extension) at a reasonable, cost‑based fee, plus rights to request amendments and receive an accounting of disclosures. Illinois adds privacy rights in the Medical Patient Rights Act—such as opting out of health information exchange—and state timelines and fee frameworks for records requests. When HIPAA applies, its access‑fee limits override any higher state fee caps. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html?utm_source=openai))

How does Illinois regulate biometric data privacy?

Illinois’ Biometric Information Privacy Act requires a written policy and retention schedule, informed written consent (electronic signatures count), and prohibits selling biometrics. Individuals can sue for violations, with statutory damages. A 2024 amendment limits damages to a single recovery per person for repeated collections or disclosures via the same method; courts have also clarified the statute of limitations (five years) and when claims accrue. ([ilga.gov](https://www.ilga.gov/ftp/legislation/103/BillStatus/HTML/10300SB2979.html?utm_source=openai))

What penalties exist for HIPAA violations in Illinois?

HHS can impose civil monetary penalties in four tiers (from “Did Not Know” to “Willful Neglect”), updated annually for inflation; as of the latest adjustment issued January 28, 2026, per‑violation maximums reach tens of thousands of dollars and annual caps for identical provisions exceed $2 million. Criminal penalties under 42 U.S.C. § 1320d‑6 include fines and imprisonment for knowing offenses, with higher penalties for offenses committed under false pretenses or for commercial advantage. Illinois entities are subject to both HIPAA enforcement and applicable state laws. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2026-01-28/html/2026-01688.htm?utm_source=openai))

How can patients access their mental health records in Illinois?

Under 740 ILCS 110, adult patients (and many minors 12 or older) may inspect and copy their mental health records, subject to tighter protections than general medical records. Parents of minors ages 12–17 may obtain certain information unless the minor objects or a therapist finds compelling reasons to deny access. Therapist personal notes are excluded from the record, and disclosures beyond those entitled to access require written consent specifying recipient, purpose, and scope. ([il.elaws.us](https://il.elaws.us/law/740ilcs110))