Mississippi Healthcare Data Privacy Laws: HIPAA and State Compliance Guide
HIPAA Overview and Requirements
HIPAA establishes national standards for the privacy, security, and breach notification of Protected Health Information (PHI). Covered entities (healthcare providers, health plans, and clearinghouses) and their business associates must limit uses and disclosures, follow minimum necessary practices, and maintain written policies and procedures. PHI is defined in federal regulation and HHS guidance, and includes individually identifiable health information in any form held by a regulated entity. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.103?utm_source=openai))
You must provide individuals timely access to their PHI in a designated record set—generally within 30 calendar days, with a single 30‑day extension when documented. Fees must be cost‑based for patient requests (labor for copying, supplies, and postage) and not include retrieval charges. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html?utm_source=openai))
If an incident results in an unauthorized disclosure of unsecured PHI, the HIPAA Breach Notification Rule requires notices to affected individuals without unreasonable delay and no later than 60 days after discovery, plus additional reporting to HHS (and to prominent media when a breach affects 500+ residents of a state). ([ecfr.io](https://ecfr.io/Title-45/Section-164.404?utm_source=openai))
The HIPAA Security Rule requires Administrative Safeguards, Physical Safeguards, and Technical Safeguards, including conducting an accurate and thorough risk analysis, managing risks, workforce training, and access controls. HHS recognizes “recognized security practices” under Public Law 116‑321 that, when implemented for the prior 12 months, may mitigate enforcement exposure. ([hhs.gov](https://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html?utm_source=openai))
Keep HIPAA compliance documentation (for example, policies, procedures, training, and mitigation records) for at least six years from creation or last effective date. This is separate from clinical medical record retention rules. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.530?utm_source=openai))
Mississippi Medical Records Access Rights
In Mississippi, medical records are generally the property of the provider or facility, but patients have the right to obtain copies. State law allows “reasonable” copying charges, and HIPAA’s patient Right of Access timelines and fee limits still apply. ([msbar.org](https://www.msbar.org/for-the-public/consumer-information/a-patients-right-to-information/?utm_source=openai))
Mississippi’s fee schedule statute caps copy charges for patient records at $20 for pages 1–20, $1 per page for the next 80 pages, and $0.50 per page thereafter, plus up to 10% for postage/handling and a $15 off‑site retrieval fee; a $25 cap applies to a patient‑requested medical record affidavit. The statute expressly requires compliance with HIPAA when charging these fees. ([law.justia.com](https://law.justia.com/codes/mississippi/title-11/chapter-1/section-11-1-52/))
Under Mississippi State Board of Medical Licensure rules, a licensee must provide a copy of a patient’s record to an authorized requester within a reasonable period and may not refuse transfer to another treating provider due to unpaid bills (reasonable copy expenses may be required in advance). The rules also explain that, for unemancipated minors, records must be provided to a parent or guardian upon request, subject to applicable federal and state law. ([msbml.ms.gov](https://www.msbml.ms.gov/sites/default/files/Rules_Laws_Policies/30%20Miss.%20Admin.%20Code%20Pt.%202635%2C%20Ch.%2010%20Maintenance%2C%20Production%2C%20and%20Release%20of%20Medical%20Records.pdf))
Medical Records Retention and Disposal
Hospitals must retain complete hospital records for at least 10 years for adult patients of sound mind at discharge, at least 7 years when the patient is discharged at death, and for minors: the period of minority plus 7 years, not to exceed 28 years. Mississippi law also permits retirement of X‑ray films and other graphic data 4 years after exposure if radiologist findings are retained and specified notices or consent are in place. ([law.justia.com](https://law.justia.com/codes/mississippi/2019/title-41/chapter-9/hospital-records-preparation-preservation-and-destruction/section-41-9-69/))
Physicians licensed in Mississippi must retain medical records for a minimum of 10 years from the date the patient was last treated (applicable to all new patients and any patient seen on or after January 1, 2022). Diagnostic images and similar materials must be retained at least 5 years. Provide at least six months’ notice to patients before destroying records. ([msbml.ms.gov](https://www.msbml.ms.gov/sites/default/files/Rules_Laws_Policies/30%20Miss.%20Admin.%20Code%20Pt.%202635%2C%20Ch.%2010%20Maintenance%2C%20Production%2C%20and%20Release%20of%20Medical%20Records.pdf))
Mississippi Medicaid provider rules require retention of records supporting claims for at least 5 years (or longer if other laws apply). Remember, HIPAA’s six‑year requirement applies to compliance documentation, not clinical record content. ([law.cornell.edu](https://www.law.cornell.edu/regulations/mississippi/23-Miss-Code-R-SS-200-1-3?utm_source=openai))
For secure disposal, implement written policies to sanitize or destroy ePHI before reuse or disposal of media, and use shredding, pulping, or comparable methods for paper to prevent unauthorized disclosure. Device and media control standards in the HIPAA Security Rule require disposal and media‑reuse procedures. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/575/what-does-hipaa-require-of-covered-entities-when-they-dispose-information/index.html?utm_source=openai))
Data Breach Notification Procedures
When an incident occurs, quickly determine whether it involves PHI (HIPAA) or state‑defined “personal information,” whether the information was secured (for example, encrypted), and whether there is a risk of harm. Document your investigation and apply both HIPAA and Mississippi requirements as appropriate. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
Under HIPAA, notify affected individuals without unreasonable delay and no later than 60 days after discovery, include all required content, and report to HHS (and to prominent media for breaches affecting 500+ residents of a state). Maintain an annual log and report smaller breaches to HHS within 60 days after year‑end. ([ecfr.io](https://ecfr.io/Title-45/Section-164.404?utm_source=openai))
Mississippi’s Data Breach Notification statute applies to any person conducting business in the state who owns, licenses, or maintains computerized personal information of a resident. Notice to affected residents must occur without unreasonable delay after completing an investigation; notice may be delayed if law enforcement determines disclosure would impede an investigation. The law defines “personal information” (for example, name plus SSN, driver’s license/ID, or financial account data with required codes) and excludes data rendered unreadable or unusable (for example, encrypted). ([law.justia.com](https://law.justia.com/codes/mississippi/title-75/chapter-24/general-provisions/section-75-24-29/))
Mississippi permits substitute notice if the cost exceeds $5,000, the affected class exceeds 5,000 people, or contact data are insufficient; substitute notice must include email (if available), a conspicuous website posting, and statewide media. If you maintain but do not own the personal information, you must notify the data owner or licensee as soon as practicable after discovery when acquisition for fraudulent purposes is reasonably believed. ([law.justia.com](https://law.justia.com/codes/mississippi/title-75/chapter-24/general-provisions/section-75-24-29/))
Encryption can create a safe harbor: HHS guidance specifies that properly encrypted ePHI is not “unsecured,” so HIPAA breach notification would not be triggered; similarly, Mississippi’s statute focuses on unencrypted data. Align your encryption practices with HHS guidance. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html?utm_source=openai))
Mississippi Consumer Protection Act Compliance
Beyond HIPAA, the Mississippi Consumer Protection Act (MCPA) prohibits unfair or deceptive trade practices. Misrepresenting privacy or security practices, or failing to provide required Data Breach Notification, can be treated as an unfair practice enforced by the Attorney General. ([law.justia.com](https://law.justia.com/codes/mississippi/title-75/chapter-24/general-provisions/section-75-24-5/?utm_source=openai))
The Attorney General’s Consumer Protection Division actively enforces state consumer laws, including the data breach statute. Ensure your privacy notices, patient communications, and breach response communications are accurate, clear, and not misleading. ([attorneygenerallynnfitch.com](https://attorneygenerallynnfitch.com/divisions/consumer-protection/?utm_source=openai))
Healthcare Data Security Safeguards
Administrative Safeguards
- Conduct and document an enterprise‑wide risk analysis; manage risks with policies, training, sanction processes, and vendor oversight (business associate agreements). ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html?utm_source=openai))
- Maintain incident response and contingency plans, and keep HIPAA compliance documentation for at least six years. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.530?utm_source=openai))
- Adopt recognized security practices (for example, NIST‑aligned) to strengthen your posture and potentially mitigate enforcement exposure. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html?utm_source=openai))
Physical Safeguards
- Control facility access, secure workstations and devices, and document repairs or modifications affecting security. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.310?utm_source=openai))
- Use secure destruction methods for paper records and implement device/media controls for ePHI disposal and reuse. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/575/what-does-hipaa-require-of-covered-entities-when-they-dispose-information/index.html?utm_source=openai))
Technical Safeguards
- Implement access controls (unique IDs, role‑based access), encryption in transit and at rest where feasible, audit controls, and transmission security. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.312?utm_source=openai))
- Continuously monitor, patch, and log access to reduce the risk of unauthorized disclosure and support breach investigations. ([hhs.gov](https://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html?utm_source=openai))
State-Specific Privacy Law Considerations
Insurance licensees and certain affiliates in Mississippi must comply with the Insurance Data Security Law (Miss. Code Ann. §§ 83‑5‑801 to 83‑5‑825), which requires a written information security program, incident reporting to the Insurance Commissioner in specified scenarios, and annual certification. Healthcare entities with insurance components should align HIPAA and insurance‑sector obligations. ([mid.ms.gov](https://www.mid.ms.gov/mississippi-insurance-department/companies/mississippi-cybersecurity-law/?utm_source=openai))
Telemedicine providers must maintain complete records and ensure confidentiality consistent with state and federal law; when a patient has a primary treating physician and a telemedicine provider for the same condition, both records together form one complete patient record. ([regulations.justia.com](https://regulations.justia.com/states/mississippi/title-30/part-2635/chapter-5/rule-30-2635-5-6/))
As of March 26, 2026, Mississippi has considered—but not enacted—a comprehensive, CCPA‑style consumer privacy law. Continue to watch legislative activity (for example, 2026 proposals) while maintaining compliance with existing HIPAA, breach, insurance, and licensure rules. ([billstatus.ls.state.ms.us](https://billstatus.ls.state.ms.us/documents/2026/html/HB/1000-1099/HB1051IN.htm?utm_source=openai))
Conclusion
To comply with Mississippi healthcare data privacy laws, map HIPAA’s Privacy, Security, and Breach Notification Rules to your day‑to‑day operations, follow Mississippi’s specific access, fee, and record‑retention requirements, and prepare incident‑response workflows that satisfy both HIPAA and state Data Breach Notification. Prioritize Administrative, Physical, and Technical Safeguards, document decisions, and monitor state updates so your program remains current and defensible.
FAQs
What are the key HIPAA requirements for Mississippi healthcare providers?
Follow HIPAA’s Privacy Rule (lawful uses/disclosures, minimum necessary, Notices of Privacy Practices), Security Rule (risk analysis and Administrative, Physical, and Technical Safeguards), and Breach Notification Rule (notify individuals within 60 days, and HHS/media when thresholds are met). Maintain BAAs and keep compliance documentation for six years. Mississippi providers must meet these federal baselines alongside state‑specific obligations. ([hhs.gov](https://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html?utm_source=openai))
How long must medical records be retained in Mississippi?
Hospitals: at least 10 years for adults of sound mind at discharge; at least 7 years when discharged at death; and for minors: the period of minority plus 7 years, capped at 28 years. X‑ray films/graphic data may be retired after 4 years if statutory conditions are met. Physicians: retain records a minimum of 10 years from the last treatment date (for all new patients and those seen on/after January 1, 2022); retain diagnostic images at least 5 years and give six months’ destruction notice. Medicaid providers must keep claim‑supporting records at least 5 years. ([law.justia.com](https://law.justia.com/codes/mississippi/2019/title-41/chapter-9/hospital-records-preparation-preservation-and-destruction/section-41-9-69/))
What are the data breach notification rules in Mississippi?
Businesses must notify Mississippi residents of a breach of unencrypted computerized personal information without unreasonable delay after investigating; notice may be delayed for law enforcement. Substitute notice is allowed when costs exceed $5,000, more than 5,000 people are affected, or contact data are insufficient. If you maintain but don’t own the data, notify the owner/licensee as soon as practicable upon discovery when fraudulent acquisition is reasonably believed. Separately, HIPAA applies to breaches of unsecured PHI and has its own 60‑day timeline and reporting duties. ([law.justia.com](https://law.justia.com/codes/mississippi/title-75/chapter-24/general-provisions/section-75-24-29/))
How does the Mississippi Consumer Protection Act affect healthcare privacy?
The MCPA prohibits unfair or deceptive practices; the Attorney General enforces it. Mississippi’s breach statute also states that failure to provide required Data Breach Notification is an unfair trade practice. In practice, inaccurate privacy promises, unreasonable security claims, or non‑compliant breach notices can trigger MCPA scrutiny in addition to HIPAA enforcement. ([law.justia.com](https://law.justia.com/codes/mississippi/title-75/chapter-24/general-provisions/section-75-24-5/?utm_source=openai))