New Hampshire Data Privacy Law and Healthcare: What Providers Need to Know
New Hampshire Data Privacy Act Overview
Scope and applicability
The New Hampshire Data Privacy Act is a comprehensive consumer privacy framework that governs how organizations collect, use, and share personal data about state residents. It focuses on “controllers” that determine the purpose and means of processing and “processors” that act on a controller’s behalf.
Most traditional clinical work with protected health information (PHI) remains governed by HIPAA. However, the Act can still apply to data your practice handles outside HIPAA—such as website analytics, mobile apps, consumer marketing, and patient leads—because those datasets are treated as personal data rather than PHI.
Key obligations for healthcare organizations
- Provide a clear, accessible privacy notice describing categories of personal data, purposes, sharing practices, and personal data rights (access, correction, deletion, portability, and opt-out rights).
- Honor opt-outs from targeted advertising, data sales, and certain automated profiling that produces legal or similarly significant effects.
- Obtain opt-in consent before processing sensitive data, which typically includes precise geolocation, biometric identifiers, and data about a known child.
- Execute contracts with processors that define instructions, confidentiality, security controls, and assistance with consumer requests and audits.
- Conduct data protection assessments for high-risk activities (for example, targeted advertising or large-scale sensitive data processing).
Relationship to HIPAA and other health laws
The Act generally exempts PHI when it is created, received, or maintained by HIPAA covered entities or business associates for HIPAA purposes. That exemption is narrow: the same organization may still be a “controller” for non-PHI, so you should inventory systems that sit outside your EHR—patient-facing websites, scheduling widgets, cookies, or retail operations.
Where both laws could apply, follow the stricter rule. HIPAA’s Security Rule sets baseline healthcare data security standards; the state Act adds transparency and consumer-choice requirements for non-PHI contexts.
Health Information Privacy Law Requirements
Core HIPAA duties
Under HIPAA, you may use or disclose PHI for treatment, payment, and healthcare operations without an authorization. Other uses require a signed authorization or a specific legal allowance (for example, certain public health, law enforcement, or judicial disclosures). You must apply the minimum necessary standard, safeguard PHI under the Security Rule, and provide a Notice of Privacy Practices.
RSA 141-C and public health confidentiality
New Hampshire’s communicable disease law (RSA 141-C) requires reporting of specified conditions and protects the confidentiality of those reports. You may disclose patient information to public health authorities for investigation, surveillance, and control activities as the statute permits, but further disclosure is tightly limited. Keep public health reports segregated and restrict access on a need-to-know basis.
Patient consent requirements
Obtain written authorization for uses beyond HIPAA’s core allowances—marketing that is not face-to-face and involves remuneration, most research without a waiver, and disclosures to third parties unrelated to care. Under the state privacy Act, secure opt-in consent for sensitive personal data outside HIPAA. Align these patient consent requirements so one intake flow captures both HIPAA authorizations and state-law consents when needed.
Health information organizations
Participation in health information organizations (HIOs) can support care coordination and public health. Treat the HIO as a business associate or qualified exchange partner, ensure a binding agreement is in place, publish notices to patients, and honor any applicable opt-out or segmentation rules for specially protected data (for example, behavioral health or substance use disorder records).
Medical Records Ownership and Access
Who owns the record?
In practice, providers generally maintain and control the designated record set, while patients hold strong rights to access and obtain copies. Your policies should state that originals stay with the practice, even when a patient transfers care.
Patient access, format, and timing
You must provide timely access to inspect or receive copies in the form and format the patient requests if readily producible (for example, portal download or secure email). If not, supply a readable alternative. Document your response timeframe, permitted extensions, and verification steps for requesters, including personal representatives.
Reasonable fees and limited denials
Any fee must be reasonable and cost-based for copying, supplies, and postage; do not charge for searching or retrieving records. Deny access only for allowable reasons (for example, psychotherapy notes or information compiled for litigation) and follow required review and appeal pathways.
Use and Disclosure of Protected Health Information
Permitted uses without authorization
Use and disclose PHI for treatment, payment, and healthcare operations; certain public health and health oversight activities; and to avert serious threats as the law permits. Apply the minimum necessary rule to payment, operations, and most public health disclosures.
Authorizations, marketing, and sale of data
Obtain a valid authorization for marketing communications that involve third-party remuneration, for most non-TPO disclosures, and for any sale of PHI. Do not condition treatment on an authorization unless the law specifically permits it. Track and honor revocations promptly.
De-identification and limited data sets
Where possible, de-identify data under HIPAA’s safe harbor or expert determination standards. For research and analytics that require some identifiers, consider a limited data set with a data use agreement. Validate that any re-identification keys are safeguarded and access-controlled.
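The difference between the two de-identification routes mentioned above is easiest to see on a concrete record. The following Python is an added example, not code from the article or from Accountable: it applies the Safe Harbor removals (direct identifiers dropped, dates reduced to year, ages over 89 collapsed into "90+", ZIP reduced to its first three digits or "000" for low-population prefixes) and, separately, builds a limited data set that keeps dates and city/state/ZIP but still strips direct identifiers. The field names, the patient record, and the low-population ZIP3 set are constructed for illustration; the free-text regexes are a heuristic first pass and do not replace review of narrative fields.

```python
"""Added example: HIPAA Safe Harbor de-identification versus a limited data set.
The record, field mapping and ZIP table below are constructed for illustration."""
import re
from datetime import date

# Safe Harbor (45 CFR 164.514(b)(2)) names 18 identifier categories that must be
# removed. These field names are an assumed mapping for the constructed record.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric_template", "photo",
}
# Geographic subdivisions smaller than a state are removed under Safe Harbor
# (ZIP is handled separately); a limited data set may keep city and state.
SUB_STATE_GEOGRAPHY = {"street", "city"}

# Assumption: ZIP3 prefixes covering 20,000 people or fewer, which Safe Harbor
# requires to be reported as "000". Illustrative only; use current Census data.
LOW_POPULATION_ZIP3 = {"036", "059", "102", "203"}

# Heuristic scrub for identifiers that leak into narrative fields. Regexes catch
# obvious SSN / phone / e-mail patterns only; they are not an expert determination.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]"),
]

# Fixed reference date so the example is deterministic (assumption).
AS_OF = date(2024, 6, 1)


def scrub_free_text(text: str) -> str:
    """Replace recognisable identifier patterns in a narrative string."""
    for pattern, replacement in FREE_TEXT_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def generalize_zip(zip_code: str) -> str:
    """Keep the ZIP3 prefix, or '000' if that prefix is in the low-population set."""
    prefix = zip_code[:3]
    return "000" if prefix in LOW_POPULATION_ZIP3 else prefix


def age_on(dob: date, as_of: date) -> int:
    """Completed years between date of birth and the reference date."""
    age = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        age -= 1
    return age


def safe_harbor_deidentify(record: dict, as_of: date = AS_OF) -> dict:
    """Apply the Safe Harbor removals and generalisations to one record."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in SUB_STATE_GEOGRAPHY:
            continue  # identifier category: drop outright
        if field == "date_of_birth":
            # Year alone is allowed, but ages over 89 must be aggregated.
            if age_on(value, as_of) > 89:
                out["age"] = "90+"
            else:
                out["birth_year"] = value.year
            continue
        if isinstance(value, date):
            out[field] = value.year  # all date elements except year are removed
        elif field == "zip":
            out[field] = generalize_zip(value)
        elif isinstance(value, str):
            out[field] = scrub_free_text(value)
        else:
            out[field] = value
    return out


def limited_data_set(record: dict) -> dict:
    """Strip direct identifiers but keep dates, city, state and full ZIP.
    Such a set still needs a data use agreement before it leaves the practice."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field == "street":
            continue
        out[field] = scrub_free_text(value) if isinstance(value, str) else value
    return out


# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-00012345",
    "phone": "603-555-0142",
    "email": "jane@example.com",
    "street": "12 Elm St",
    "city": "Concord",
    "state": "NH",
    "zip": "03301",
    "date_of_birth": date(1931, 4, 2),
    "admission_date": date(2024, 3, 15),
    "diagnosis_code": "E11.9",
    "notes": "Pt called from 603-555-0199; SSN 123-45-6789 on file.",
}
# Same record with a younger patient, to show the birth-year branch.
YOUNG_RECORD = dict(SAMPLE_RECORD, date_of_birth=date(1990, 7, 20))

if __name__ == "__main__":
    print("Safe Harbor:", safe_harbor_deidentify(SAMPLE_RECORD))
    print("Limited data set:", limited_data_set(SAMPLE_RECORD))
```

Run as written, the Safe Harbor output keeps only state, ZIP3 "033", the "90+" age band, the admission year, the diagnosis code and the scrubbed note, while the limited data set still carries Concord, the full ZIP and exact dates. Whichever route you use, the mapping from record fields to identifier categories is where mistakes hide, so keep it under version control and review it whenever the record set changes.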
Business associates and exchanges
Execute business associate agreements (BAAs) with vendors, HIOs, and cloud services that handle PHI. BAAs should address permitted uses, breach reporting, subcontractor flow-downs, and return or destruction of data at termination. Maintain due diligence files and audit logs for oversight.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Biometric Data Classification and Consent
What counts as biometric data
Biometric data typically includes measurements used to identify a person—such as iris or retina scans, fingerprints, facial geometry, and voiceprints. Simple photographs or video without a template for identification are usually not biometric data.
Consent and limits on biometric data processing
Under the state privacy Act, biometric data is generally treated as sensitive personal data. Obtain explicit, opt-in consent before collecting or using biometric identifiers for non-HIPAA purposes (for example, portal login with facial recognition on a marketing site). For PHI contexts, apply HIPAA’s rules and any stricter state requirements.
Retention, security, and deletion
Limit biometric data collection to what is necessary, secure storage with strong encryption, restrict access, and prohibit sale without consent. Publish a retention schedule tied to the purpose and delete biometric templates when they are no longer needed or when a patient withdraws consent, subject to legal retention duties.
Compliance Strategies for Healthcare Providers
Governance and accountability
Designate a privacy lead, refresh your HIPAA risk analysis, and extend governance to cover personal data outside HIPAA. Maintain a data inventory that flags sensitive data, third-country transfers, and automated decision-making.
Consumer rights and request handling
Build workflows to authenticate and fulfill personal data rights requests within statutory timelines. Standardize responses for access, correction, deletion, and portability, and track opt-outs from targeted advertising or profiling on public-facing properties.
Vendor and contract management
Segment vendors into HIPAA business associates and state-law processors. Ensure BAAs and processor contracts mandate confidentiality, breach reporting, assistance with consumer requests, and deletion at contract end. Require security attestations and right-to-audit clauses.
Healthcare data security standards
Align controls with recognized healthcare data security standards: multi-factor authentication, least-privilege access, network segmentation, endpoint protection, email security, encryption at rest and in transit, continuous monitoring, and tested backups. Document security exceptions and compensating controls.
Training, monitoring, and continuous improvement
Deliver role-based training on patient consent requirements, phishing, secure messaging, and data minimization. Monitor access logs for anomalies, run tabletop exercises, and update policies after incidents or technology changes.
Data Breach Notification Procedures
First 24–72 hours
- Activate your incident response plan, preserve evidence, and contain the event.
- Engage privacy and security leadership, outside counsel, and forensic support as needed.
- Begin your HIPAA four-factor risk assessment and identify affected systems, data types, and individuals.
HIPAA breach analysis and notifications
Determine whether there is a low probability that PHI was compromised based on the nature and extent of PHI, the unauthorized person, whether the PHI was actually acquired or viewed, and mitigation actions. If notification is required, notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Follow HIPAA’s content rules and timelines for HHS and, where applicable, prominent media.
State-layer obligations and multi-jurisdiction events
State data breach notification laws may require additional or earlier notices to residents and the attorney general, especially when Social Security numbers or financial credentials are involved. When both HIPAA and state law apply, meet the shortest applicable deadline and the most detailed content requirement, and coordinate mailings to avoid conflicting statements.
Post-incident remediation
Offer appropriate remedies (for example, credit monitoring if identity data was exposed), rotate credentials, patch vulnerabilities, and harden configurations. Record lessons learned, update policies, retrain staff, and test controls to prevent recurrence.
Conclusion
For healthcare providers in New Hampshire, success means running HIPAA-grade security while honoring state personal data rights for non-PHI, obtaining consent for sensitive and biometric data processing, contracting tightly with vendors and health information organizations, and executing disciplined breach response. Build once, apply consistently, and default to the strictest rule.
FAQs
What are the key provisions of the New Hampshire Data Privacy Act affecting healthcare?
The Act grants personal data rights (access, correction, deletion, portability, and opt-outs) and requires transparent notices, processor contracts, and assessments for high-risk processing. It typically exempts PHI handled under HIPAA but reaches non-PHI activities like websites, apps, marketing, and tracking. Sensitive data—such as biometric identifiers and precise location—generally requires opt-in consent.
How does RSA 141-C regulate patient health information privacy?
RSA 141-C governs communicable disease control. It mandates reporting of specified conditions to public health authorities and protects the confidentiality of those reports. Disclosures are permitted for investigation, surveillance, and control activities, with strict limits on re-disclosure. Keep these records segregated, apply minimum necessary access, and follow public health directives.
What are the obligations of healthcare providers regarding biometric data?
Classify biometric identifiers as sensitive data, collect only what is necessary, obtain explicit consent for non-HIPAA uses, secure templates with strong encryption, restrict access, and publish retention and deletion timelines. Prohibit sale or secondary use without fresh consent, and ensure vendors contractually meet the same standards.
When must healthcare providers notify patients of a data breach?
For breaches of unsecured PHI, HIPAA requires notice to affected individuals without unreasonable delay and no later than 60 days after discovery, plus notifications to HHS (and, for large events, the media). New Hampshire’s breach rules may also require resident and attorney general notices—often on faster timelines for certain identifiers—so follow the strictest applicable deadline and content requirements.