Virginia Health Data Protection Requirements: HIPAA, VCDPA, and State Health Records Rules Explained



Kevin Henry

HIPAA

May 08, 2026

6 minutes read

HIPAA Privacy Rule Compliance

Under the HIPAA Privacy Rule, you may use or disclose Protected Health Information (PHI) without the individual’s authorization for treatment, payment, and health care operations (TPO), but most other uses and disclosures require a valid Patient Authorization. You must apply the minimum necessary standard to uses, disclosures, and requests, furnish a Notice of Privacy Practices, honor individuals’ access and amendment rights, and maintain written privacy policies and documentation of compliance.

When Patient Authorization is required

  • Non‑TPO purposes such as most marketing, sale of PHI, and many research disclosures.
  • Psychotherapy notes, with narrow exceptions.
  • Any disclosure not expressly permitted or required by HIPAA or other law.

A valid authorization must be written in plain language and must identify the information to be disclosed, who may disclose it, who may receive it, and the purpose; it must carry an expiration date or event and include the required statements about the individual’s right to revoke and the potential for redisclosure by the recipient. Limited disclosures without authorization remain permitted when another law requires them, for specified public health and health oversight activities, and in defined emergencies, each subject to the Privacy Rule’s conditions. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html?Channel=Google_PPC&field_insight_category_target_id=2&utm_source=openai))

HIPAA Security Rule Safeguards

The Security Rule requires you to protect electronic PHI (ePHI) through Administrative, Physical, and Technical Safeguards. Start with an organization‑wide risk analysis and a risk management plan, designate a security official, train your workforce, bind vendors that handle ePHI with Business Associate Agreements (BAAs), and keep your policies, procedures, and records of required actions and assessments for six years from creation or last effective date, whichever is later.

Administrative, physical, and technical protections

  • Administrative Safeguards: risk analysis, risk management, workforce security and sanctions, security awareness training, incident response, contingency planning, and periodic evaluation.
  • Physical Safeguards: facility access controls, workstation use and security, and device/media controls including secure disposal and re‑use.
  • Technical Safeguards: access controls (unique user IDs, emergency access, authentication), audit controls, integrity controls, and transmission security (encryption where the risk analysis shows it is reasonable and appropriate).

Implement reasonable and appropriate measures based on your size, complexity, and risks; document decisions, review them periodically, and adjust after environmental or operational changes. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/index.html?utm_source=openai))

VCDPA Exemptions for Health Data

The Virginia Consumer Data Protection Act (VCDPA) largely exempts HIPAA‑regulated organizations and information. At the entity level, it excludes covered entities and business associates governed by HIPAA; at the data level, it excludes Protected Health Information, “health records” as defined in Title 32.1 of the Code of Virginia, patient identifying information from substance‑use disorder treatment records, and health data de‑identified in accordance with HIPAA. If your data or organization falls outside these exemptions (for example, a consumer health app that is not a covered entity or business associate), VCDPA obligations may apply. ([law.lis.virginia.gov](https://law.lis.virginia.gov/vacode/title59.1/chapter53/section59.1-576/))

State Health Records Privacy Rights

Virginia’s Health Records Privacy statute recognizes an individual’s privacy interest in health records and sets clear access rules. When a properly authorized requester seeks copies or electronic access, a health care entity must respond within 30 days by providing the records, explaining why they cannot be found, directing the requester to the custodian if known, or issuing a legally supported denial. Reasonable cost‑based fees are permitted. If denial is based on risk of harm, the patient may designate an equivalent professional for independent review. ([law.lis.virginia.gov](https://law.lis.virginia.gov/vacode/32.1-127.1%3A03/32.1-127.1%3A03/))


Health Records Disclosure Procedures

Patient‑directed disclosures

  • Verify identity and authority and ensure the Patient Authorization includes required elements before releasing records.
  • Apply minimum necessary and use secure transmission; psychotherapy notes require specific written authorization.
  • For a subpoena duces tecum, no return date may be earlier than 15 days from the subpoena date unless a court orders otherwise.
  • Do not disclose until you receive written certification that the 15‑day motion‑to‑quash window has closed or the court has ruled; if a motion is filed, send records under seal to the court.
  • Upon proper certification, respond by the subpoena return date or within five days of certification, whichever is later.

Follow state procedural notices precisely and maintain an auditable trail for each Health Records Disclosure. ([law.lis.virginia.gov](https://law.lis.virginia.gov/vacode/32.1-127.1%3A03/32.1-127.1%3A03/))

Medical Record Retention Standards

HIPAA sets a six‑year retention rule for documentation of your privacy and security compliance, but it does not prescribe how long to keep clinical medical records; you must protect PHI for as long as you retain it. In Virginia, licensed hospitals must preserve medical records for at least five years after discharge; for minors, keep records for at least five years after the patient turns 18. Birth and death information must be retained for 10 years. ([law.lis.virginia.gov](https://law.lis.virginia.gov/admincode/title12/agency5/chapter410/section370/))

Record Retention for Healthcare Practitioners

Virginia practitioners regulated by the Board of Medicine must maintain patient records for a minimum of six years after the last patient encounter. Records of minors, including immunization records, must be retained until the patient turns 18 or becomes emancipated, and in any case for at least six years from the last encounter. Practitioners must notify patients of their Record Retention Periods and, when the retention period has run, dispose of records in a manner that protects patient confidentiality. ([law.lis.virginia.gov](https://law.lis.virginia.gov/admincode/title18/agency85/chapter20/section26/))

Separately, Virginia law provides that practitioners are not required to retain most patient records longer than 12 years from the date of creation; this is a point beyond which retention is no longer mandated, not a prohibition on keeping records longer. The exceptions are minors’ records and any longer period required by contract or federal law. Build your schedule so the six‑year minimum, the minor‑specific rules, and any contractual or federal requirement are all satisfied before you treat the 12‑year point as the end of the obligation. ([law.justia.com](https://law.justia.com/codes/virginia/title-54-1/chapter-29/section-54-1-2910-4/))

FAQs

What are the key HIPAA requirements for health data in Virginia?

You must handle PHI under the HIPAA Privacy Rule and implement Security Rule safeguards. In practice, that means limiting uses and disclosures to what HIPAA permits or what a valid Patient Authorization covers, honoring access and amendment rights, training staff, managing vendors through BAAs, and applying Administrative, Physical, and Technical Safeguards selected on the basis of a documented risk analysis. Virginia rules add timing and process requirements for access requests and disclosures.

How does VCDPA affect health data protection?

Most HIPAA‑regulated data and entities are exempt from VCDPA, along with “health records” under Title 32.1 and certain de‑identified or research data. If you offer health‑related services or apps outside HIPAA (for example, consumer wellness platforms), VCDPA may apply, requiring clear notices, data‑minimization, and honoring consumer rights such as access, correction, deletion, and opt‑outs for targeted advertising or sale of personal data.

What are Virginia’s rules on medical record retention?

Hospitals must keep records at least five years after discharge; for minors, at least five years after the 18th birthday; birth and death information is kept 10 years. Practitioners keep records at least six years after the last encounter; for minors, retain until age 18 or emancipation, with a six‑year minimum from the last visit. Most practitioner records need not be retained beyond 12 years from creation unless a longer period is required by contract or federal law, and minors’ records are excluded from that 12‑year point.

How must health records be disclosed under Virginia law?

For patient‑directed releases, verify identity/authority and ensure a complete authorization before disclosing. For subpoenas, allow a 15‑day motion‑to‑quash period, hold records until you receive proper certification, and, if a motion is filed, send records under seal to the court. For access requests, respond within 30 days by providing records, explaining why they’re unavailable, pointing to the custodian if known, or issuing a lawful denial with an option for professional review.
