New Hampshire HIPAA Compliance: State-Specific Requirements for Providers and Business Associates
New Hampshire HIPAA compliance goes beyond the federal baseline. In addition to HIPAA’s Privacy, Security, and Breach Notification Rules, you must account for state statutes that govern privacy, breach reporting, health information exchange, and insurance-sector cybersecurity. This guide distills what providers and business associates operating in New Hampshire need to know—and do—today.
Throughout, you’ll see how the New Hampshire Privacy Act SB 255 (codified in the Expectation of Privacy Statute N.H. Rev. Stat. 507-H), RSA 332-I on patient records and the Health Information Organization, RSA 359-C on data breach notification, and the Insurance Data Security Law (RSA 420-P) interact with HIPAA obligations such as Business Associate Agreements and Protected Health Information safeguards.
State-Specific Privacy and Security Laws
New Hampshire Privacy Act SB 255 (RSA 507-H)
Effective January 1, 2025, RSA 507-H establishes consumer data rights and controller obligations in New Hampshire. While HIPAA covered entities and business associates are exempt for PHI, you still need to comply for non-PHI consumer data you process outside HIPAA (for example, marketing analytics or mobile apps). The law:
- Defines consumer rights to access, correct, delete, and obtain a copy of personal data, and to opt out of targeted advertising, sale of personal data, and certain profiling.
- Requires reasonable security practices and prohibits processing “sensitive data” (including health data) without consent, reinforcing Protected Health Information safeguards where HIPAA doesn’t apply.
- Is enforced by the New Hampshire Attorney General (AG), with no private right of action; violations are treated as unfair or deceptive acts under RSA 358-A.
Patient Records and Uses Beyond Care (RSA 332-I)
RSA 332-I sets state rules for the use and disclosure of patient information—including marketing and fundraising—and anchors Health Information Organization compliance (see below). If a use is permitted by HIPAA but barred under RSA 332-I, New Hampshire requires you to follow the stricter state rule and, in some cases, notify the patient about the state restriction. Build your policies so that state-specific limits on marketing, fundraising, and exchange are checked before release.
Right to Privacy and General Data Security (RSA 359-C)
RSA 359-C governs protection of “personal information” and contains the state’s Breach Notification Requirements. It operates alongside HIPAA: when an incident involves non-PHI personal information, you must follow RSA 359-C regardless of HIPAA status. The statute specifies what must be included in notices and when to notify regulators—details are in the next section.
Breach Notification Obligations
When HIPAA Applies (PHI)
- Individuals: Notify without unreasonable delay and no later than 60 days after discovery of a breach of unsecured PHI.
- HHS/OCR: Report within 60 days of discovery if 500+ individuals are affected; otherwise, log and report annually.
- Media: Notify prominent media if the breach affects 500+ residents in a single state.
- Encryption/de-identification: If PHI is properly encrypted or de-identified, HIPAA’s notification duties may not trigger.
When New Hampshire Law Applies (non-PHI personal information)
- Trigger: Once you determine misuse occurred, is reasonably likely, or cannot be ruled out, notify affected individuals “as soon as possible.”
- Regulator notice: If you are subject to a sector regulator (for example, the Insurance Department), notify that regulator; all others notify the New Hampshire AG. Include the anticipated notification date and approximate number of impacted New Hampshire residents.
- Consumer reporting agencies: If 1,000+ residents must be notified, alert nationwide CRAs without unreasonable delay.
- Content: Include at minimum a general description, approximate breach date, data elements involved, and your contact information.
Insurance licensees (RSA 420-P)
- Commissioner notice: If you’re a licensee under the Insurance Data Security Law, notify the Insurance Commissioner within 3 business days when specified thresholds are met.
- Consumer notice: When Commissioner notice is required, send consumer notices that meet RSA 359-C standards and provide a copy to the Commissioner.
- Third-party service providers: Track and coordinate incident notifications involving your vendors to meet the 3-business-day and consumer-notice obligations.
Health Information Exchange Regulations
Opt-out framework and data minimization (RSA 332-I:3 and 332-I:10)
- Consent model: New Hampshire’s statewide Health Information Organization (HIO) operates under an opt-out model—patients must be offered the ability to opt out of sharing their name, address, and Protected Health Information through the HIO.
- Data minimization: The HIO may retain limited demographics solely to support accurate patient matching and query, except where restricted by the opt-out provisions.
- Provider duties: You must honor patient opt-out choices across participating systems and ensure your exchange workflows reflect New Hampshire rules in addition to HIPAA.
Health Information Organization Compliance
Policies, BAAs, and technical safeguards should explicitly cover exchange use cases: identity matching, query/response, access controls, audit logging, and minimum necessary. Reconcile any differences between HIPAA permission (treatment, payment, healthcare operations) and stricter New Hampshire limits before releasing data via the HIO.
Safe Harbor Provision for Insurance Data Security
New Hampshire’s Insurance Data Security Law (RSA 420-P) includes safe harbors that recognize existing, robust programs:
- HIPAA safe harbor (RSA 420-P:10): A licensee that maintains HIPAA-required privacy, security, and breach notification programs safeguarding PHI and other nonpublic information may qualify for compliance recognition under the insurance law.
- NYDFS safe harbor (RSA 420-P:11): Compliance with New York’s cybersecurity regulations can also satisfy New Hampshire’s insurance data security obligations for covered licensees.
Safe harbor status does not waive the 3-business-day Commissioner notice requirement for qualifying cybersecurity events, nor the duty to notify affected consumers per RSA 359-C when required.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
AI Scribing Compliance Requirements
HIPAA status and contracts
- Treat AI scribe vendors as business associates if they create, receive, maintain, or transmit PHI. Execute a HIPAA Business Associate Agreement that prohibits secondary use (for example, model training) without explicit authorization and requires subcontractor flow-downs.
- Apply Protected Health Information safeguards to audio, transcripts, and generated notes: access controls, encryption in transit/at rest, retention limits, and audit trails.
Recording consent under state law
- All-party consent: New Hampshire’s wiretapping/eavesdropping statute (RSA 570-A) requires consent from all parties before recording telehealth or in-person clinical encounters. Obtain and document patient consent prior to activating any scribing audio capture.
- Notice practices: Use clear verbal and written disclosures that the visit may be recorded for clinical documentation, and capture acceptance (for example, in the EHR consent module).
Data handling and risk controls
- Scope restriction: Configure AI scribing so only necessary PHI is captured; avoid uploading extraneous identifiers. Where feasible, de-identify data before analytics or quality review.
- Environment controls: Disable vendor training on your data, restrict data residency to approved jurisdictions, and validate incident response SLAs that align with HIPAA and RSA 359-C timing.
Business Associate Agreement Mandates
Under HIPAA, you must have a written HIPAA Business Associate Agreement with any vendor that handles PHI on your behalf. A compliant BAA should, at minimum:
- Limit uses/disclosures to contractually defined purposes and require minimum necessary access.
- Mandate administrative, physical, and technical safeguards and breach reporting to you without unreasonable delay.
- Prohibit unauthorized “sale” of PHI or secondary use (such as model training) absent a valid authorization or applicable exception.
- Flow down obligations to subcontractors and require return or secure destruction of PHI at termination.
For insurers and licensees, pair BAAs with RSA 420-P vendor oversight: ensure third-party service providers implement controls consistent with your information security program and your incident reporting duties.
Enforcement and Penalties for Non-Compliance
Who enforces what, and potential exposure
- RSA 507-H (SB 255): Enforced exclusively by the New Hampshire AG. From January 1, 2025 through December 31, 2025, the AG provided a 60-day cure period where cure was possible; starting January 1, 2026, cure is discretionary. Violations are treated as unfair or deceptive acts under RSA 358-A (civil penalties up to $10,000 per violation, plus injunctive relief).
- RSA 359-C (breach notification): Enforced by the AG under RSA 358-A:4, including civil penalties and injunctive relief. The statute places the burden on the organization to demonstrate compliance.
- RSA 420-P (insurance licensees): Penalties reference RSA 400-A:15, III—administrative fines up to $2,500 per violation and potential license actions—alongside required regulator notifications.
- HIPAA: Enforced by HHS/OCR. Civil monetary penalties scale by culpability and can be significant; corrective action plans and monitoring are common outcomes.
Operational takeaways
- Map your data: Distinguish HIPAA PHI from non-PHI consumer data to know when RSA 507-H and RSA 359-C apply.
- Tighten vendor governance: Make BAAs precise, align them with RSA 420-P vendor oversight, and test breach-notification handoffs.
- Codify consent: Build New Hampshire’s all-party recording consent into any AI scribing workflow and maintain auditable proof.
Conclusion
For providers and business associates in New Hampshire, HIPAA is the floor, not the ceiling. Layer RSA 507-H’s consumer privacy duties for non-PHI, RSA 359-C’s Breach Notification Requirements, RSA 332-I’s Health Information Organization compliance, and RSA 420-P’s Insurance Data Security Law onto your HIPAA program. When policies, BAAs, and technical safeguards reflect all four pillars, you’ll meet New Hampshire’s state-specific requirements with confidence.
FAQs
What are New Hampshire's unique HIPAA privacy requirements?
HIPAA still governs PHI, but New Hampshire adds state-level rules. RSA 332-I tightens limits around marketing, fundraising, and health information exchange, sometimes requiring more than HIPAA would. Separately, the New Hampshire Privacy Act SB 255 (RSA 507-H) applies to non-PHI consumer data processed outside HIPAA, requiring reasonable security, honoring consumer rights, and obtaining consent for sensitive data. In short, apply HIPAA to PHI and RSA 507-H to non-PHI consumer data you handle in New Hampshire.
How must breaches be reported under New Hampshire law?
For PHI, follow HIPAA: notify affected individuals without unreasonable delay and within 60 days of discovery; notify HHS/OCR and, if 500+ residents in one state are affected, local media. For non-PHI personal information, RSA 359-C requires you to notify impacted residents “as soon as possible,” notify your primary regulator (or the AG if none), and, if 1,000+ residents are affected, notify nationwide consumer reporting agencies. Insurance licensees must also notify the Insurance Commissioner within 3 business days when thresholds in RSA 420-P are met.
What are compliance rules for AI scribing tools in healthcare?
Treat the AI scribe as a business associate: execute a HIPAA Business Associate Agreement, restrict secondary uses (like model training) without authorization, and require strong safeguards for audio, transcripts, and notes. Because New Hampshire is an all-party consent state, you must obtain and document patient consent before recording any clinical encounter. Align incident response so vendor breach notices to you support HIPAA’s 60-day deadline and RSA 359-C’s “as soon as possible” standard for non-PHI.
What protections exist for health information exchange in New Hampshire?
Under RSA 332-I, the statewide HIO uses an opt-out framework, requires strong security, and limits retention to necessary demographics to support patient matching. Providers must honor opt-outs and ensure exchange disclosures comply with both HIPAA and state law. Health Information Organization compliance also means auditing access, applying minimum necessary, and reconciling any state constraints that are stricter than HIPAA before sharing through the HIO.