Maryland Health Data Protection Requirements Explained: HIPAA and State Law Compliance Guide
HIPAA Privacy Rule Standards
The HIPAA Privacy Rule protects the confidentiality of Protected Health Information (PHI) and sets nationwide baseline standards for when PHI may be used or disclosed. Core concepts include permitted uses for treatment, payment, and health care operations; disclosures required by law; the minimum necessary standard; and individual rights to access and amend records, request restrictions, and receive a Notice of Privacy Practices. For Privacy Rule compliance, you should map each routine disclosure to a legal basis and apply the minimum necessary standard to non-treatment uses. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/part-164/subpart-E?utm_source=openai))
HIPAA preempts conflicting state laws unless a state law is more stringent (for example, granting faster access or stronger consent requirements). Maryland has several more-stringent provisions you must follow in addition to HIPAA. ([brickergraydon.com](https://www.brickergraydon.com/insights/resources/key/HIPAA-Regulations-Preemption-of-State-Law-Definitions-More-Stringent-160-202?utm_source=openai))
HIPAA Security Rule Safeguards
The Security Rule focuses on electronic PHI (ePHI) and requires administrative, physical, and technical safeguards. Practically, this means performing a documented risk analysis; implementing role-based access controls; authenticating users; encrypting data in transit and at rest where reasonable and appropriate; monitoring audit logs; hardening endpoints; and training your workforce. Risk analysis and risk management are foundational because they drive which addressable controls you implement. Note that "addressable" does not mean optional: for each addressable specification you must either implement it or document why it is not reasonable and appropriate and what equivalent measure you adopted instead. ([hhs.gov](https://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html?utm_source=openai))
Recognized topics to include in your Security Rule program: unique user IDs, automatic logoff, transmission security, device/media controls, and contingency planning. Treat these as living controls updated after each risk analysis cycle. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/part-164/subpart-C?utm_source=openai))
Breach Notification Obligations
Under HIPAA’s Breach Notification Rule, covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovery of a breach of unsecured PHI (60 days is an outer limit, not a target); report to HHS (at the same time as the individual notice for breaches affecting 500+ individuals, and within 60 days after the end of the calendar year for smaller breaches); and notify prominent media if 500+ residents of a state or jurisdiction are affected. HIPAA also recognizes an encryption/destruction safe harbor: PHI that is encrypted consistent with HHS guidance, and whose decryption key was not also compromised, is not "unsecured," so its loss generally triggers no notice. Verify the key was actually out of the attacker's reach before relying on this; encrypted data stored alongside its key does not qualify. Business associates must notify the covered entity of breaches they discover, on the same 60-day outer limit. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
Maryland’s Personal Information Protection Act (PIPA) imposes separate breach notification requirements when “personal information” (which includes certain health, health insurance, and biometric data) is compromised. Notice to affected Maryland residents must be provided within 45 days; Maryland’s Office of the Attorney General requires specific notice content and must also be notified. Build these Breach Notification Requirements into your incident response plan so HIPAA and PIPA timelines run in parallel. ([oag.maryland.gov](https://oag.maryland.gov/i-need-to/Pages/Guidelines-for-Businesses-to-Comply-with-the-Maryland-Personal-Information-Protection-Act.aspx?utm_source=openai))
For Health Information Exchanges (HIEs) and participating organizations, COMAR 10.25.18.08 requires written notice to consumers within a reasonable timeframe, but not later than 60 days from discovery when federal or state law does not otherwise require notice; the Maryland Health Care Commission (MHCC) forwards certain notifications to the Attorney General within 30 days. ([regs.maryland.gov](https://regs.maryland.gov/us/md/exec/comar/10.25.18.08?utm_source=openai))
Maryland Health Information Exchange Regulations
Maryland regulates HIE privacy and security under COMAR 10.25.18. HIEs must execute participation agreements and Business Associate Agreements; maintain an access matrix that enforces minimum necessary; authenticate users at each login and encrypt authentication data; and support role-based access set by a designated system administrator at each participating organization. ([regs.maryland.gov](https://regs.maryland.gov/us/md/exec/comar/10.25.18.05))
State law additionally requires the State‑designated HIE to operate a Consent Management Application (CMA) so consumers can opt out or opt in and so HIEs can synchronize consent status. Registered HIEs must connect to the CMA and update consent data at least every five business days. ([regs.maryland.gov](https://regs.maryland.gov/us/md/exec/comar/10.25.18.03))
CRISP is Maryland’s State‑designated HIE and has been re‑designated by MHCC and the Health Services Cost Review Commission under Health‑General §19‑143; Maryland also directed the State‑designated HIE to function as a Health Data Utility to support public health and care coordination. ([mhcc.maryland.gov](https://mhcc.maryland.gov/mhcc/pages/home/meeting_schedule/documents/presentations/2025/20250717/ag4a_crisp_combined_sda_prst.pdf?utm_source=openai))
Maryland restricts disclosure of legally protected health information—such as mifepristone data and other sensitive health services with dates of service after May 31, 2022—by HIEs and electronic health networks, with limited exceptions (e.g., when necessary for the patient, parent/guardian in certain cases, or as otherwise permitted). Related regulations (COMAR 10.11.08) implement these restrictions. ([mgaleg.maryland.gov](https://mgaleg.maryland.gov/2026RS/Statute_Web/ghg/4-302.5.pdf?utm_source=openai))
Consumer Rights Under Maryland Law
HIE-specific rights include clear education about HIE participation; the ability to opt out and later resume participation; access to information about what PHI the HIE holds, who contributed it, and to whom it was disclosed; and help initiating amendments of inaccurate data. HIEs must acknowledge report requests within 10 business days and respond within 30 days; two disclosure reports per year must be provided at no cost. ([regs.maryland.gov](https://regs.maryland.gov/us/md/exec/comar/10.25.18.03))
Maryland’s Confidentiality of Medical Records Act (Health–General §4‑301 et seq.) also establishes patient rights beyond the HIE context. Providers must disclose medical records to a “person in interest” within a reasonable time not exceeding 21 working days after request; failure can carry penalties. Record retention rules generally require maintaining records for at least five years after the record is made or, for a minor patient, until the patient reaches 21 if that is later. ([mgaleg.maryland.gov](https://mgaleg.maryland.gov/mgawebsite/Laws/StatuteText?article=ghg§ion=4-309&utm_source=openai))
CRISP enables Consumer Data Opt-Out while clarifying that certain legally required exchanges, such as the Prescription Drug Monitoring Program (PDMP) and public health reporting, continue even if a patient opts out. ([crisphealth.org](https://www.crisphealth.org/for-patients/?utm_source=openai))
Data Governance Guidelines in Maryland
Maryland’s HIE framework functions as a Data Governance Framework for exchange participants. Required elements include: participation agreements and BAAs; a formal access matrix; unique user identification aligned to NIST practices; authentication at each login; and strong encryption of authentication data. Participating organizations must assign a system administrator to set, modify, and promptly terminate user access based on role. ([regs.maryland.gov](https://regs.maryland.gov/us/md/exec/comar/10.25.18.05))
HIEs must monitor access continuously; run random audits of user access logs; conduct at least quarterly audits of security measures; and adopt a monthly random-audit plan with follow-up training and remedial controls when unusual findings occur. ([regs.maryland.gov](https://regs.maryland.gov/us/md/exec/comar/10.25.18.06))
Governance also extends to secondary use: disclosures for research require data use agreements, IRB or privacy board oversight, and adherence to HIPAA authorization or waiver requirements. Sensitive health information and legally protected health information face additional limits. ([regs.maryland.gov](https://regs.maryland.gov/us/md/exec/comar/10.25.18.10?utm_source=openai))
Compliance Strategies for Health Data Protection
Build a HIPAA-first, Maryland-specific program
- Perform and document an enterprise risk analysis; implement Security Rule safeguards (access controls, audit logging, transmission security, device/media controls), then repeat the cycle regularly. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html?key5sk1=953418314db367e0c4aedc568bbb9089724e9125&utm_source=openai))
- Operationalize Privacy Rule compliance: map disclosures to legal bases, enforce minimum necessary, maintain BAAs, and keep your Notice of Privacy Practices current. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html?Channel=Google_PPC&field_insight_category_target_id=2&utm_source=openai))
Hardwire HIE and state-law requirements
- Execute HIE participation agreements; implement a role-based access matrix; authenticate each login; encrypt credentials; and designate a system administrator with authority to provision, modify, and terminate access immediately. ([regs.maryland.gov](https://regs.maryland.gov/us/md/exec/comar/10.25.18.05))
- Connect to Maryland’s Consent Management Application; synchronize Consumer Data Opt-Out status at least every five business days; notify users when a patient has restricted data sharing. ([regs.maryland.gov](https://regs.maryland.gov/us/md/exec/comar/10.25.18.03))
- Segment and filter legally protected health information (e.g., mifepristone-related data) to comply with Health–General §4‑302.5 and COMAR 10.11.08. Test controls for out-of-state disclosures. ([mgaleg.maryland.gov](https://mgaleg.maryland.gov/2026RS/Statute_Web/ghg/4-302.5.pdf?utm_source=openai))
- If you handle Part 2 substance use disorder data, ensure BAAs incorporate qualified service organization obligations and re-disclosure limits. ([regs.maryland.gov](https://regs.maryland.gov/us/md/exec/comar/10.25.18.05?utm_source=openai))
Prepare for incidents and oversight
- Integrate HIPAA’s 60‑day timeline and Maryland PIPA’s 45‑day timeline into one incident response playbook, tracking each deadline separately because the recipients and required notice content differ; in practice the shorter PIPA clock will usually set the date for notifying Maryland residents. Include HHS, media, and Maryland OAG notice steps where applicable. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
- For HIE-related issues, follow COMAR 10.25.18.08 notice procedures and coordinate with MHCC; ensure your program supports required consumer communications. ([regs.maryland.gov](https://regs.maryland.gov/us/md/exec/comar/10.25.18.08?utm_source=openai))
- Run continuous monitoring and periodic audits of HIE access logs and security measures; investigate and mitigate unusual findings; and submit independent audit results to MHCC as required. ([regs.maryland.gov](https://regs.maryland.gov/us/md/exec/comar/10.25.18.06))
Summary
In Maryland, strong Privacy Rule compliance and Security Rule safeguards are only the starting point. You also need Maryland‑specific controls around HIE participation, Consumer Data Opt-Out, sensitive health information segmentation, rigorous auditing, and dual-track Breach Notification Requirements (HIPAA and PIPA). By aligning your policies, technology, and training to these combined federal and state rules, you create a practical, defensible health data protection program. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html?Channel=Google_PPC&field_insight_category_target_id=2&utm_source=openai))
FAQs
What are the key provisions of Maryland health data protection laws?
Maryland layers state requirements onto HIPAA. Providers must disclose medical records to a person in interest within 21 working days and retain records at least five years after they are made (or, for minors, until the patient turns 21 if later). For HIEs, COMAR 10.25.18 requires consumer education, opt‑out/opt‑in via the CMA, access and disclosure reporting, auditing, and role‑based access controls. Maryland also restricts disclosure of certain legally protected health information (e.g., mifepristone data) by HIEs and EHNs. ([mgaleg.maryland.gov](https://mgaleg.maryland.gov/mgawebsite/Laws/StatuteText?article=ghg§ion=4-309&utm_source=openai))
How does Maryland regulate health information exchanges?
COMAR 10.25.18 governs HIE privacy and security: HIEs must maintain an access matrix; authenticate and log user activity; execute participation agreements and BAAs; audit access and security controls; support Consumer Data Opt-Out through the CMA; and follow defined breach and remedial actions. Maryland designates a single State‑designated HIE—CRISP—which also serves as a Health Data Utility supporting public health. ([regs.maryland.gov](https://regs.maryland.gov/us/md/exec/comar/10.25.18.05))
What breach notification requirements must Maryland entities follow?
HIPAA requires notice to affected individuals within 60 days for breaches of unsecured PHI, plus HHS reporting and media notice for large breaches. Separately, Maryland’s PIPA requires notice to residents within 45 days and notification to the Attorney General with specified content. HIEs and participants must also follow COMAR 10.25.18.08 when another law does not already require notice. Build procedures that satisfy all three. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
How can patients opt out of health information exchanges in Maryland?
Patients (or other persons in interest) can submit a Consumer Data Opt‑Out through the State‑designated HIE’s Consent Management Application; HIEs must process opt‑out and opt‑in requests within five business days and synchronize status across connected HIEs. Opt‑out does not stop disclosures required by law, such as certain public health reporting and PDMP data. ([regs.maryland.gov](https://regs.maryland.gov/us/md/exec/comar/10.25.18.03))
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.