Vermont Data Privacy Law and Healthcare: HIPAA vs. State Requirements (2026 Guide)

Kevin Henry

Data Privacy

May 11, 2026


You operate in one of the strictest privacy environments in the country. This 2026 guide clarifies how Vermont’s healthcare privacy rules intersect with HIPAA, where state law goes further, and what you must do to stay compliant—especially around breaches, telehealth, substance use disorder data, biometrics, AI note‑taking, and consumer privacy obligations.

Vermont Data Breach Notification Requirements

Who is covered and what triggers notice

Vermont’s Security Breach Notice Act applies to any “data collector” that owns, licenses, maintains, or possesses computerized personally identifiable information (PII) or login credentials about Vermonters. PII expressly includes unique biometric data, genetic information, and specified health information (for example, health records, a provider’s diagnosis or treatment, or a health insurance policy number). A “security breach” means the unauthorized acquisition—or reasonable belief of such acquisition—of electronic data that compromises the security, confidentiality, or integrity of PII or login credentials. ([legislature.vermont.gov](https://legislature.vermont.gov/statutes/section/09/062/02435))

Deadlines and who to notify

You must notify affected consumers “in the most expedient time possible and without unreasonable delay,” and no later than 45 days after discovering or being notified of the breach. Separately, you must send a preliminary description of the incident to the Vermont Attorney General (or to the Department of Financial Regulation if you are DFR‑regulated) within 14 business days of discovery or when you send consumer notices—whichever comes first. ([legislature.vermont.gov](https://legislature.vermont.gov/statutes/section/09/062/02435))

The Attorney General’s published guidance reiterates the 14‑business‑day preliminary notice, clarifies that law enforcement may delay consumer notice (but not the preliminary notice), and outlines what your consumer notice must contain. ([ago.vermont.gov](https://ago.vermont.gov/sites/ago/files/wp-content/uploads/2018/06/Security-Breach-Guidance.pdf))

HIPAA coordination

If you are a HIPAA covered entity and the breach is limited to certain health data elements listed in 9 V.S.A. § 2430(10)(A)(vii), you are deemed compliant with Vermont’s law if you provide notices consistent with HIPAA’s Breach Notification Rule (45 C.F.R. Part 164, Subpart D). Even then, Vermont still expects the Attorney General/DFR notice described above. ([legislature.vermont.gov](https://legislature.vermont.gov/statutes/section/09/062/02435))

Biometric data breach notification

Because Vermont’s PII definition includes “unique biometric data,” a compromise of fingerprints, facial or iris templates, or other biometric identifiers triggers Vermont notice obligations in addition to any HIPAA duties you may have. Build this into your incident response and your vendor contracts. ([legislature.vermont.gov](https://legislature.vermont.gov/statutes/fullchapter/09/062))

Vermont Healthcare Privacy Laws and Telehealth

Before delivering telemedicine services, you must obtain and document the patient’s informed consent. Vermont law also requires that telemedicine run over a secure connection that complies with HIPAA. Critically, Vermont prohibits both providers and patients from creating recordings of a provider’s telemedicine consultation with a patient. This prohibition also applies to audio‑only encounters under the audio‑only telehealth statute. ([legislature.vermont.gov](https://legislature.vermont.gov/statutes/section/18/219/09361))

Coverage and platform expectations

Vermont’s insurance code defines telemedicine and ties it to secure, HIPAA‑compliant connections; Medicaid rules likewise require HIPAA compliance and appropriate informed consent for telehealth. Choose platforms that support encryption, access controls, and audit logging, and execute business associate agreements as needed. ([legislature.vermont.gov](https://legislature.vermont.gov/statutes/section/08/107/04098a))

Licensing and cross‑border practice

Professionals practicing via telehealth remain subject to Vermont jurisdiction and must follow Vermont law, including the telehealth consent and no‑recording provisions. If you hold a Vermont telehealth license or registration, you must document telehealth services to the same standard as in‑person care. ([legislature.vermont.gov](https://legislature.vermont.gov/statutes/fullchapter/26/056))

Vermont Substance Abuse Record Privacy Standards

42 CFR Part 2 plus Vermont‑specific layers

Substance use disorder (SUD) records in Vermont remain governed by 42 CFR Part 2’s strict consent and redisclosure limits, in addition to HIPAA. State programs and agencies emphasize adherence to Part 2 and HIPAA when handling SUD data. Build processes that verify patient consent before any SUD record disclosure and that flag prohibitions on redisclosure. ([healthvermont.gov](https://www.healthvermont.gov/alcohol-drugs/grantees-contractors/federal-and-state-authority))

Prescription monitoring confidentiality

Vermont’s Prescription Monitoring System (VPMS) statute protects controlled‑substance dispensing data and restricts access to defined users (for example, treating prescribers/pharmacies, specified oversight entities). Ensure your VPMS workflows match the law’s access, use, and documentation requirements. ([legislature.vermont.gov](https://legislature.vermont.gov/statutes/section/18/084A/04284))

Mental health confidentiality

Vermont law also codifies confidentiality for mental health information, with disclosures typically requiring written consent or a court order, subject to narrow exceptions. Align your release‑of‑information process and forms accordingly. ([legislature.vermont.gov](https://legislature.vermont.gov/statutes/section/18/171/07103))

Vermont Biometric Privacy Regulations

No standalone BIPA—use breach, data broker, and minors’ privacy laws

Vermont does not have a standalone biometric privacy act akin to Illinois’ BIPA. Instead, biometric identifiers are protected through multiple statutes. First, biometric data is part of “personally identifiable information” under Vermont’s breach law, which means a compromise triggers Vermont’s notice requirements. Second, Vermont’s data broker framework imposes registration and security duties on entities in the business of collecting and selling “brokered personal information.” Third, the Vermont Age‑Appropriate Design Code (effective January 1, 2027) defines “biometric data” and adds obligations for online services used by minors, with a carve‑out for HIPAA‑regulated PHI. ([legislature.vermont.gov](https://legislature.vermont.gov/statutes/fullchapter/09/062))

Practical takeaways for healthcare

In healthcare settings, treat biometric templates (for example, palm vein access, voiceprints) as PHI when linked to a patient; apply HIPAA safeguards and vendor BAAs. For any non‑HIPAA contexts—patient‑facing apps, research registries, or employee timekeeping—account for Vermont’s breach law and data broker prohibitions on fraudulent acquisition and harmful uses of brokered personal information. ([legislature.vermont.gov](https://legislature.vermont.gov/statutes/section/09/062/02435))

Vermont Health Data Protection Compliance

Core HIPAA compliance mapped to Vermont law

  • Run and document a risk analysis; implement safeguards suited to your systems, including telehealth platforms and AI tools. ([regulations.justia.com](https://regulations.justia.com/states/vermont/agency-13/sub-agency-174/chapter-003/section-13-174-003/))
  • Honor Vermont’s additional guardrails on protected health information disclosure: covered entities and business associates may not disclose PHI unless permitted by HIPAA, and Vermont further restricts disclosures related to “legally protected health care activity.” Train staff and update your release‑of‑information SOPs. ([legislature.vermont.gov](https://legislature.vermont.gov/statutes/section/18/042B/01881))
  • Build a breach‑response playbook for Vermont: 14‑business‑day preliminary notice to the Vermont Attorney General/DFR, 45‑day consumer notices, HIPAA coordination, and law‑enforcement delay procedures. ([legislature.vermont.gov](https://legislature.vermont.gov/statutes/section/09/062/02435))
  • Document telehealth informed consent and enforce the no‑recording rule for all Vermont telemedicine encounters. ([legislature.vermont.gov](https://legislature.vermont.gov/statutes/section/18/219/09361))
  • Implement 42 CFR Part 2 workflows for SUD data and enforce VPMS access limits in clinical operations. ([healthvermont.gov](https://www.healthvermont.gov/alcohol-drugs/grantees-contractors/federal-and-state-authority))

Vermont’s statewide HIE operates on an opt‑out model. Provide patients with clear education and a simple way to opt out; confirm that your Notice of Privacy Practices references VHIE participation and that your intake workflows capture patient preferences. ([vitl.net](https://vitl.net/resources/vhie-consent/))

Vermont Medical and AI Recording Laws

Telehealth: recordings are prohibited

Vermont law expressly prohibits both the provider and the patient from creating or causing a recording of a provider’s telemedicine consultation. This statutory ban complicates “ambient” AI documentation that relies on audio capture for telehealth visits. Some proposals under consideration would allow consent‑based recordings, but as of May 18, 2026, the prohibition remains in effect—plan around it. ([legislature.vermont.gov](https://legislature.vermont.gov/statutes/section/18/219/09361))

In‑person visits and general recording rules

For in‑person care, Vermont has no specific state statute governing recording of conversations; federal one‑party consent rules apply, but facilities may set stricter policies, and HIPAA prohibits workforce members from making unauthorized recordings of PHI. Adopt a clear clinic policy stating when, how, and with whose consent recordings or AI scribes may be used on‑site. ([rcfp.org](https://www.rcfp.org/reporters-recording-guide/vermont/))

Vermont Consumer Data Privacy Measures

Vermont data broker registration and safeguards

If your organization—or an affiliated unit—qualifies as a “data broker” (collecting and selling brokered personal information without a direct relationship to the consumer), you must register annually by January 31 with the Vermont Secretary of State, disclose specified practices (including any opt‑out mechanisms), and maintain a written information security program. Penalties apply for failure to register. ([legislature.vermont.gov](https://legislature.vermont.gov/statutes/fullchapter/09/062))

Prohibitions on misuse of brokered data

Vermont prohibits acquiring brokered personal information through fraudulent means or using it for stalking, harassment, or fraud. Verify that any marketing, research, or analytics use of consumer data sourced from third parties complies with these prohibitions. ([legislature.vermont.gov](https://legislature.vermont.gov/statutes/fullchapter/09/062))

New youth‑privacy obligations coming in 2027

Vermont’s Age‑Appropriate Design Code takes effect January 1, 2027. It defines “biometric data,” imposes a minimum duty of care for minors, and mandates protective defaults and transparency for online services likely to be accessed by minors, with explicit exemptions for HIPAA‑regulated PHI. If you operate patient portals, apps, or digital tools used by minors, begin aligning designs now. ([legislature.vermont.gov](https://legislature.vermont.gov/statutes/fullchapter/09/062))

Watch pending “Delete Act”–style proposals

Lawmakers are considering stronger consumer privacy legislation modeled on California’s delete‑across‑brokers approach. Track this debate to anticipate expanded deletion and opt‑out duties for data brokers and other businesses in Vermont. ([vermontpublic.org](https://www.vermontpublic.org/local-news/2026-03-24/lawmakers-want-to-strengthen-data-privacy-protections-by-giving-vermonters-the-right-to-say-no))

Conclusion

In Vermont, HIPAA is your baseline—but state law adds crucial layers: accelerated breach reporting to the Vermont Attorney General/DFR, explicit telehealth privacy provisions (including a no‑recording rule), enhanced protections around legally protected health care activity, VPMS confidentiality, biometric data coverage in breach law, and robust data broker oversight. Map these Vermont‑specific duties into your HIPAA program, update telehealth and AI‑scribe workflows, and monitor 2026–2027 consumer‑privacy developments.

FAQs

What are the key differences between HIPAA and Vermont healthcare privacy laws?

Vermont overlays HIPAA with additional rules: faster breach reporting to the Vermont Attorney General/DFR (preliminary notice within 14 business days; consumer notice within 45 days), a statutory ban on recording telemedicine visits, explicit telehealth informed‑consent requirements, VPMS confidentiality, and added limits on protected health information disclosure related to “legally protected health care activity.” ([legislature.vermont.gov](https://legislature.vermont.gov/statutes/section/09/062/02435))

How does Vermont handle healthcare data breach notifications?

You must deliver consumer notices without unreasonable delay and no later than 45 days, and you must send a preliminary description to the Vermont Attorney General or DFR within 14 business days. HIPAA‑covered entities are deemed compliant with Vermont’s notice requirements if the breach is limited to specified health information and HIPAA’s Breach Notification Rule is followed, but Vermont’s AG/DFR notice still applies. ([legislature.vermont.gov](https://legislature.vermont.gov/statutes/section/09/062/02435))

Are there special rules for substance abuse record privacy in Vermont?

Yes. 42 CFR Part 2 governs SUD records in addition to HIPAA’s rules. Vermont’s VPMS statute restricts access to prescription monitoring data to defined users and purposes, which your policies and EHR/PDMP workflows must respect. ([healthvermont.gov](https://www.healthvermont.gov/alcohol-drugs/grantees-contractors/federal-and-state-authority))

Does Vermont regulate biometric data in healthcare settings?

Vermont treats unique biometric data as PII under its breach law, so a compromise triggers Vermont notice obligations. For services used by minors, Vermont’s Age‑Appropriate Design Code (effective January 1, 2027) also defines “biometric data” and imposes safeguards, while expressly excluding HIPAA‑regulated PHI from its scope. Within covered healthcare, handle biometric identifiers as PHI under HIPAA and apply BAAs and security controls accordingly. ([legislature.vermont.gov](https://legislature.vermont.gov/statutes/fullchapter/09/062))
