New Hampshire Health Data Protection Requirements Explained: What HIPAA and State Laws Require
HIPAA Compliance Standards
HIPAA sets the baseline for how you collect, use, disclose, and safeguard Protected Health Information (PHI). Core rules include the Privacy Rule (what you may use or disclose), the Security Rule (how you protect electronic PHI), and the Breach Notification Rule (who you must notify and when if unsecured PHI is compromised). Together they require policies, workforce training, risk analysis, and documented safeguards tuned to your operations.
Key operational expectations include the minimum necessary standard, timely Right of Access (generally within 30 calendar days, with one 30-day extension permitted), and Business Associate Agreements for vendors that create, receive, maintain, or transmit PHI on your behalf. When sharing information for treatment, payment, or health care operations, apply role-based access, audit logs, and privacy-by-design workflows.
Where records involve substance use disorder treatment, 42 CFR Part 2 imposes stricter consent and redisclosure limits than HIPAA. In those cases, the more protective rule controls. For data that do not require individual identification, HIPAA’s Safe Harbor Provision under 45 CFR 164.514(b)(2) allows de-identification by removing the specified identifiers, provided you have no actual knowledge that the remaining information could identify the individual; once those conditions are met the information no longer qualifies as PHI. Expert determination under 164.514(b)(1) is the alternative path when Safe Harbor removes too much.
New Hampshire State Regulations
New Hampshire adds important patient rights and provider duties. Under RSA 332-I:1, all medical information in a provider’s possession is deemed the property of the patient. You must provide copies within 30 days and follow state fee caps; electronic copies must be provided in electronic form when available. Marketing uses of patient-identifiable information require written authorization and are otherwise prohibited.
Health information exchange is permitted but structured. RSA 332-I:3 allows transmission of protected health information through a health information organization for treatment, care coordination, or quality assurance. Patients must be given a clear opportunity to opt out, and the HIE must maintain audit logs documenting who accessed what, and when.
New Hampshire also layers topic‑specific confidentiality rules. RSA 318-B:12 (Controlled Drug Act) requires detailed controlled-substance records and restricts disclosure. RSA 172:8-a protects client records within state substance use disorder programs. State program rules reference federal disclosure standards such as 42 CFR 401.105 alongside HIPAA and 42 CFR Part 2, underscoring the need to align state and federal requirements in your privacy program.
Patient Records Management
Build release-of-information workflows that verify identity, capture proper authorizations, and segment specially protected data. For substance use disorder records, obtain Part 2-compliant written consent and include required redisclosure warnings; do not assume a general HIPAA authorization is sufficient. For controlled-substance information, confirm that any disclosure fits a permitted use under RSA 318-B:12.
Honor access and amendment requests promptly, track disclosures when required, and maintain an audit trail for EHR access. Standardize intake forms, authorizations, and record indexing so you can retrieve information quickly for continuity of care, payer audits, and legal holds. Where appropriate, use the Safe Harbor Provision to share de-identified datasets for analytics or quality improvement without exposing PHI.
Record Retention Policies
New Hampshire prescribes minimum periods for keeping patient records, and you must also heed any longer federal, payer, or program rules that apply to your setting.
Minimum state retention timeframes
- Hospitals: retain patient records for at least 7 years after discharge; for minors, keep at least until 1 year after the 18th birthday and not less than 7 years in total.
- Physicians (Board of Medicine): keep complete patient medical records for at least 7 years from the date of last patient contact (longer for minors, as above, unless the records are transferred earlier at the patient’s request).
- Clinical laboratories: safeguard and retain requisitions/reports for a minimum of 4 years.
- Chiropractors: retain records for 5 years following the end of treatment or until the patient reaches the age of majority, whichever is later.
When to retain longer
- Minors and incapacitated patients: retain at least until the later of the facility-type minimum above and the minor-specific end date (for example, 1 year after the 18th birthday), or longer if your policy dictates.
- Active investigations, litigation, or audits: implement a legal hold that suspends normal destruction.
- Program rules and payers: Medicare/Medicaid participation, research studies, and accreditation may require longer retention than state minimums.
Remember: HIPAA’s six‑year retention requirement applies to your HIPAA policies, procedures, and required documentation—not to state medical record retention, which is governed by New Hampshire law and the relevant licensing rules for your facility type.
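The retention rules above combine a fixed period after the last contact with a floor based on the patient's date of birth, a payer or program floor, and a legal hold that suspends destruction entirely. The following is an added example, not code from the original page or from Accountable, that encodes those rules so a records system can compute the earliest destruction date. The facility keys, the way each minimum is measured (calendar years from the stated event), and the function names are assumptions for illustration; confirm the exact computation against the licensing rule for your facility type.

```python
from datetime import date
from typing import Optional


def add_years(d: date, years: int) -> date:
    """Add calendar years; a Feb 29 anniversary in a non-leap year falls on Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


# Hypothetical facility keys mapping to the state minimums listed in the text:
# (years after discharge / last contact / end of treatment,
#  years after birth that must also elapse for minors, or None if no such rule).
STATE_MINIMUMS = {
    "hospital": (7, 19),      # 7 years after discharge; minors until 1 year past 18th birthday
    "physician": (7, 19),     # 7 years after last contact; "longer for minors as above"
    "laboratory": (4, None),  # requisitions/reports at least 4 years
    "chiropractor": (5, 18),  # 5 years after treatment ends or age of majority, whichever is later
}


def retention_end(facility: str, last_contact: date, dob: Optional[date] = None,
                  other_floor: Optional[date] = None,
                  legal_hold: bool = False) -> Optional[date]:
    """Earliest date the record may be destroyed, or None while a legal hold stands.

    other_floor carries any longer federal, payer, program, or accreditation
    requirement; the result is the latest of all applicable floors.
    """
    if facility not in STATE_MINIMUMS:
        raise ValueError(f"unknown facility type: {facility}")
    if legal_hold:
        return None  # litigation/audit hold: normal destruction is suspended
    contact_years, birth_years = STATE_MINIMUMS[facility]
    end = add_years(last_contact, contact_years)
    if dob is not None and birth_years is not None:
        # max() means the birth-based floor only matters when the patient was a minor
        end = max(end, add_years(dob, birth_years))
    if other_floor is not None:
        end = max(end, other_floor)
    return end


def destruction_permitted(facility: str, last_contact: date, today: date,
                          dob: Optional[date] = None,
                          other_floor: Optional[date] = None,
                          legal_hold: bool = False) -> bool:
    """True only when every applicable retention floor has passed and no hold applies."""
    end = retention_end(facility, last_contact, dob, other_floor, legal_hold)
    return end is not None and today >= end


if __name__ == "__main__":
    # Constructed sample: a hospital record for a patient born in 2015, discharged in 2020.
    print(retention_end("hospital", date(2020, 3, 15), dob=date(2015, 6, 1)))
```

The birth-based floor is applied with `max()` rather than an explicit "is a minor" test, so an adult's date of birth never shortens the period and a young child's always extends it.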
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Confidentiality and Liability
Unauthorized use or disclosure creates exposure under both HIPAA and state law. HIPAA violations can lead to corrective action plans, civil monetary penalties, and—where willful misconduct occurs—criminal penalties. Part 2 violations carry comparable enforcement tied to HIPAA’s penalty framework, and redisclosure limits apply even when data flow across systems.
New Hampshire imposes additional duties. RSA 332-I:5 requires prompt written notice to affected individuals when a use or disclosure is permissible under federal law but not allowed by state law. RSA 318-B:12 prohibits divulging controlled-drug prescriptions and related records except in defined legal or regulatory proceedings. RSA 172:8-a strictly limits access to client records in covered substance use disorder programs. Licensing boards may also take action for privacy lapses, increasing organizational risk beyond federal enforcement.
Health Information Exchange Practices
Operate your HIE connections with patient choice and traceability in mind. Offer clear opt-out instructions under RSA 332-I:3, limit access to treatment, care coordination, and quality purposes, and maintain audit logs of every transaction. Ensure your participation agreements and Business Associate Agreements reflect HIPAA, 42 CFR Part 2 (including segmentation or consent management for SUD data), and any state restrictions such as RSA 318-B:12.
Before exchanging data, classify what you will share (e.g., general PHI, controlled-substance information, Part 2 records) and confirm the legal basis and consent requirements for each. Where analytics are needed, prefer de-identified or limited data sets, applying the Safe Harbor Provision or expert determination as appropriate.
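The HIE controls described in this section (patient opt-out, purpose limitation to treatment, care coordination, and quality assurance, consent management for Part 2 records, and complete audit logs) are only useful if someone actually reviews the logs against them. The following is an added example, not code from the original page or from any HIE or vendor, showing a review pass over a constructed pipe-delimited audit log. The log format, the field names, the purpose and data-class vocabulary, and the `audit_hie_log` function are assumptions for illustration; map them to your HIE's real audit export.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Purposes RSA 332-I:3 permits for HIE transmission, as summarized in the text.
PERMITTED_PURPOSES = {"treatment", "care_coordination", "quality_assurance"}
# Data classes that may not flow without a Part 2-compliant consent reference.
CONSENT_REQUIRED_CLASSES = {"part2"}

# Constructed sample log: timestamp|user|patient_id|purpose|data_class|consent_ref
SAMPLE_LOG = """\
2024-05-01T10:02:11Z|dr.smith|P001|treatment|general|-
2024-05-01T10:05:40Z|nurse.jones|P002|treatment|general|-
2024-05-01T11:15:03Z|analyst.lee|P003|marketing|general|-
2024-05-01T12:40:27Z|dr.smith|P004|care_coordination|part2|-
2024-05-01T12:41:00Z|dr.smith|P005|care_coordination|part2|CONSENT-77
2024-05-01T12:45:09Z|dr.smith|P006|treatment
"""
# Constructed opt-out registry: patients who declined HIE participation.
OPTED_OUT = {"P002"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    patient_id: str
    reason: str


def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Split one audit line into its six fields; None if the line is malformed."""
    fields = line.strip().split("|")
    if len(fields) != 6 or any(f == "" for f in fields[:5]):
        return None
    timestamp, user, patient_id, purpose, data_class, consent_ref = fields
    return {"timestamp": timestamp, "user": user, "patient_id": patient_id,
            "purpose": purpose, "data_class": data_class, "consent_ref": consent_ref}


def audit_hie_log(log_text: str, opted_out: Set[str]) -> List[Finding]:
    """Flag entries that violate opt-out, purpose, or Part 2 consent rules.

    A malformed entry is itself a finding: an audit trail with missing fields
    cannot document who accessed what and when, which the statute requires.
    """
    findings: List[Finding] = []
    for line_no, line in enumerate(log_text.strip().splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        entry = parse_entry(line)
        if entry is None:
            findings.append(Finding(line_no, "?", "malformed_entry"))
            continue
        pid = entry["patient_id"]
        if pid in opted_out:
            findings.append(Finding(line_no, pid, "patient_opted_out"))
        if entry["purpose"] not in PERMITTED_PURPOSES:
            findings.append(Finding(line_no, pid, "purpose_not_permitted"))
        if (entry["data_class"] in CONSENT_REQUIRED_CLASSES
                and entry["consent_ref"] in ("", "-")):
            findings.append(Finding(line_no, pid, "part2_without_consent"))
    return findings


if __name__ == "__main__":
    for f in audit_hie_log(SAMPLE_LOG, OPTED_OUT):
        print(f"line {f.line_no}: patient {f.patient_id}: {f.reason}")
```

Each check is independent, so one entry can produce several findings; in practice you would feed the output to your incident process rather than print it, and add a check that every access by a given user matches their role.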
Data Security Safeguards
Meet HIPAA Security Rule expectations with a current risk analysis and risk management plan. Core controls include role-based access, unique user IDs, strong authentication, encryption of ePHI at rest and in transit, device and media controls, secure configurations, timely patching, intrusion detection, and routine audit log review. Train your workforce, test incident response, and document everything.
Protect high-sensitivity categories with extra care: segregate SUD records subject to 42 CFR Part 2, control redisclosure, and log access in detail. When sharing data externally, ensure vendors sign Business Associate Agreements and can meet your technical and administrative safeguards. For secondary uses, apply the Safe Harbor Provision to de-identify data or use expert determination when Safe Harbor would overly degrade utility.
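Safe Harbor, referenced here and under HIPAA Compliance Standards above, is a concrete procedure: drop the listed direct identifiers, keep only the first three ZIP digits (and even those become 000 for low-population prefixes), reduce dates tied to the individual to the year, and collapse ages over 89 into a single 90+ bucket. The following is an added example, not code from the original page or from Accountable, that applies those rules to a record held as a Python dictionary. The field names are assumptions for illustration and must be mapped to your own schema; the restricted three-digit ZIP list is the one published in HHS OCR's de-identification guidance (based on 2000 Census data) and should be verified against current guidance. The code cannot check the rule's other condition, that you have no actual knowledge the remaining data could identify someone, so fields it does not recognize pass through and need a human review of the schema.

```python
import re
from datetime import date
from typing import Any, Dict

# Assumed field names holding identifiers that Safe Harbor removes outright
# (names, geography below state level, phone/fax/email, SSN, MRN, plan and
# account numbers, licenses, vehicle and device identifiers, URLs, IPs,
# biometrics, full-face photos).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "precinct", "phone", "fax",
    "email", "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
}
# Dates directly related to the individual: only the year survives.
DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}
# Three-digit ZIP prefixes with 20,000 or fewer residents per the HHS guidance
# list (2000 Census); these must be replaced by 000. Verify against current guidance.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "205", "369", "556", "692",
                   "753", "772", "821", "823", "830", "831", "878", "879"}


def generalize_zip(zip_code: str) -> str:
    """First three digits of a ZIP code, or 000 for short or low-population prefixes."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3 else zip3


def age_on(dob: date, as_of: date) -> int:
    """Completed years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def safe_harbor(record: Dict[str, Any], as_of: date) -> Dict[str, Any]:
    """Return a copy of record with Safe Harbor identifiers removed or generalized."""
    out: Dict[str, Any] = {}
    dob = record.get("dob")
    age = record.get("age")
    if age is None and isinstance(dob, date):
        age = age_on(dob, as_of)
    over_89 = age is not None and age > 89

    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in ("dob", "age"):
            continue  # dob/age are emitted below once the 90+ rule is decided
        if key == "zip":
            out["zip3"] = generalize_zip(str(value))
        elif key in DATE_FIELDS and isinstance(value, date):
            out[key.replace("_date", "_year")] = value.year
        else:
            out[key] = value  # unrecognized field: passes through, review the schema

    if over_89:
        out["age"] = "90+"  # birth year would reveal an age over 89, so it is dropped
    else:
        if age is not None:
            out["age"] = age
        if isinstance(dob, date):
            out["birth_year"] = dob.year
    return out


if __name__ == "__main__":
    # Constructed sample record; 03301 is a Concord, NH ZIP code.
    sample = {"name": "Jane Doe", "mrn": "MRN-44", "zip": "03301",
              "dob": date(1950, 4, 10), "discharge_date": date(2024, 5, 20),
              "diagnosis": "I10", "phone": "603-555-0100"}
    print(safe_harbor(sample, as_of=date(2024, 6, 1)))
```

Note that a New Hampshire prefix, 036, is on the restricted list, so a ZIP such as 03603 generalizes to 000 rather than 036; this is the kind of detail a hand-rolled "keep three digits" rule gets wrong.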
Conclusion
In New Hampshire, compliance means layering HIPAA’s Privacy, Security, and Breach Notification requirements with state-specific rules that treat medical information as the patient’s property, restrict certain disclosures (RSA 172:8-a and RSA 318-B:12), and govern HIE participation and retention. Build your program around precise consent management, disciplined recordkeeping, strong technical safeguards, and clear patient communications to meet both federal and state expectations with confidence.
FAQs
What are the key HIPAA requirements for New Hampshire providers?
Apply the HIPAA Privacy Rule’s minimum necessary standard, provide Right of Access within 30 days, maintain a current Notice of Privacy Practices, and execute Business Associate Agreements with vendors handling PHI. Implement Security Rule safeguards (risk analysis, access controls, encryption, auditing), and follow the Breach Notification Rule’s timelines. If records fall under 42 CFR Part 2, obtain Part 2–compliant consent and honor redisclosure limits.
How long must medical records be retained in New Hampshire?
Hospitals must keep records at least 7 years after discharge (with longer retention for minors: at least 1 year after the 18th birthday and not less than 7 years). Physicians must retain complete medical records for at least 7 years from the date of last patient contact (longer for minors). Clinical laboratories must keep requisitions and reports for at least 4 years, and chiropractors generally retain records for 5 years after treatment ends or until majority, whichever is later. Program or payer rules may require longer.
What penalties exist for unauthorized disclosure of health information?
HIPAA violations can result in significant civil monetary penalties, corrective action plans, and, for egregious conduct, criminal penalties. Part 2 violations now align with HIPAA’s civil and criminal enforcement. Under New Hampshire law, additional consequences may apply, including prompt written notification duties, licensing actions, and civil liability where state confidentiality provisions (such as RSA 332-I, RSA 318-B:12, and RSA 172:8-a) are violated.
Can patients access and obtain copies of their medical records?
Yes. HIPAA grants a general Right of Access to designated record sets, and New Hampshire law goes further by deeming medical information the property of the patient. You must provide copies within 30 days, honor requests for electronic format when records are stored electronically, and follow state fee caps. Certain narrow exceptions apply (for example, psychotherapy notes, which HIPAA excludes from the right of access, or situations restricted by 42 CFR Part 2), but most patients can obtain copies promptly.