Virginia Healthcare Privacy Laws: What Patients and Providers Need to Know


Kevin Henry

Data Privacy

December 08, 2025


Health Records Privacy in Virginia

Scope and who must comply

Virginia protects health records confidentiality through state law that complements federal rules. Hospitals, clinics, private practices, labs, pharmacies, health plans, and many other “health care entities” must safeguard identifiable information about a person’s past, present, or future physical or mental health, treatment, or payment.

What counts as a health record

Health records include notes, test results, images, prescriptions, claims, billing details, and information stored in patient portals or telehealth systems. Paper or digital, if the data identifies a patient and relates to care or payment, it is protected under Virginia’s health records privacy framework.

Core duties for providers

  • Limit use and disclosure to what is necessary for care and operations.
  • Maintain administrative, physical, and technical safeguards; train workforce and manage vendor agreements.
  • Provide notice of privacy practices and processes for patient requests, corrections, and complaints.
  • Follow breach-notification obligations under applicable federal and state laws and document responses.

HIPAA Privacy Rights in Virginia

The federal floor with state enhancements

HIPAA sets nationwide privacy, security, and breach-notification standards that apply in Virginia. Where Virginia law is more protective, the stricter rule governs. Achieving HIPAA compliance in Virginia means honoring both frameworks when handling protected health information.

Your privacy rights under HIPAA

  • Access and obtain copies of your records in paper or electronic form, and direct records to a third party.
  • Request corrections to inaccurate or incomplete information and add a statement of disagreement if denied.
  • Ask for confidential communications (for example, alternate address or phone) and request restrictions on certain disclosures.
  • Receive an accounting of certain disclosures and a clear Notice of Privacy Practices.
  • File complaints without retaliation if you believe your privacy rights were violated.

Provider obligations that matter

Virginia Consumer Data Protection Act

When the VCDPA applies to health data

The Virginia Consumer Data Protection Act (VCDPA) governs many businesses that handle Virginians’ personal data, including certain health-related information outside HIPAA. It generally applies to entities meeting specified consumer-volume thresholds and engaging in targeted advertising, data sales, or profiling.

VCDPA health data protections

  • Sensitive data—such as information about physical or mental health, genetic or biometric data, or precise geolocation—requires opt-in consent before processing.
  • Controllers must practice data minimization, purpose limitation, and conduct data protection assessments for higher-risk activities.
  • Clear privacy notices and contracts with processors are required to define duties and safeguard data.

Consumer rights under the VCDPA

  • Access, correct, delete, and obtain a portable copy of personal data.
  • Opt out of targeted advertising, the sale of personal data, and certain profiling.
  • Appeal a denied request through a defined internal process.

HIPAA-covered entities and protected health information are generally exempt, but health and wellness apps, consumer wearables, and other non-HIPAA services may fall under the VCDPA. Understanding both regimes helps close gaps in healthcare-adjacent data flows.

Confidentiality of Substance Abuse Records

Stricter protections under federal law

Substance abuse treatment confidentiality is governed by 42 CFR Part 2, which protects records from federally assisted substance use disorder programs. These records usually cannot be disclosed without the patient’s specific written consent, and they receive heightened protection against use in legal proceedings.

Limited, well-defined exceptions

  • Medical emergencies to address an immediate health threat.
  • Program audits, evaluations, and certain research under strict conditions.
  • Disclosures pursuant to a valid court order that meets Part 2 criteria.
  • Qualified Service Organization arrangements for essential services, with safeguards.

Virginia providers must apply Part 2 alongside HIPAA and state privacy rules, ensuring disclosures for coordination of care occur only with proper consent or a recognized exception.


Reproductive and Sexual Health Information Privacy

Protected like other sensitive health data

Reproductive and sexual health information—such as contraception, pregnancy care, fertility services, and STI testing—is protected under HIPAA and Virginia health records confidentiality rules. Providers should apply the minimum necessary standard and use enhanced safeguards due to the sensitivity of this data.

Special considerations for minors and privacy

Under Virginia law, minors may be able to consent to certain services, which can affect a parent or guardian’s access to those records. Providers evaluate requests case by case; you can ask for confidential communications to help protect reproductive health data privacy in sensitive circumstances.

Data beyond traditional healthcare

Consumer apps like period trackers, fitness wearables, or telehealth platforms not covered by HIPAA may be subject to VCDPA health data protections. Review privacy settings, limit location sharing, and provide only the data needed for the service you want.

Patient Rights to Access Medical Records

What you can request

You have a right to patient medical records access, including inspection and copies in paper or electronic form. You may direct a copy to another person or entity, and you can request a summary if you prefer an overview for a specific purpose.

Timelines, formats, and fees

HIPAA generally requires fulfillment within 30 days, with one possible 30-day extension and written explanation. Providers should offer readily producible electronic formats and charge only reasonable, cost-based fees; per-page fees for electronic copies are not permitted under HIPAA.

If access is limited or denied

Access may be denied for narrow reasons, such as psychotherapy notes or when disclosure could endanger someone. Denials must be explained, and you can appeal where allowed or add a statement of disagreement. You also have the right to request amendments to correct errors.

Permitted uses and health information disclosure exceptions

  • Treatment, payment, and healthcare operations within and across covered entities.
  • Public health reporting, including communicable diseases, immunizations, and certain exposures.
  • Health oversight activities, audits, and quality review.
  • Law enforcement and court orders, subpoenas with required safeguards, and coroners/medical examiners.
  • To avert a serious and imminent threat to health or safety.
  • Organ, eye, and tissue donation, workers’ compensation, and limited research under approved protocols.

Data minimization and documentation

When an exception applies, providers should disclose only the minimum necessary information, document the legal basis, and apply role-based access controls. De-identified or limited data sets can further reduce privacy risks when full identifiers are unnecessary.

Conclusion

Virginia healthcare privacy laws work with HIPAA and the VCDPA to safeguard health records confidentiality across clinical and consumer settings. Knowing your rights to access, correction, and confidential communication—and understanding narrowly tailored disclosure exceptions—helps you make informed choices and protect your health information.

FAQs

What rights do patients have under Virginia healthcare privacy laws?

Patients can access and obtain copies of their records, request corrections, ask for confidential communications, and receive an accounting of certain disclosures. Where Virginia law is more protective than HIPAA, the stricter rule applies, strengthening privacy and control over personal health information.

How does the VCDPA impact healthcare data privacy?

The VCDPA adds protections for health-related personal data handled outside HIPAA, such as by consumer health apps. It classifies health information as sensitive, generally requiring opt-in consent, and gives Virginians rights to access, correct, delete, and opt out of targeted ads, sales, and certain profiling.

Disclosures can occur for treatment, payment, and healthcare operations; mandated public health reporting; health oversight; certain law enforcement and court orders; organ donation; workers’ compensation; approved research; and to avert serious threats. Providers must apply the minimum necessary standard and document the basis.

What protections exist for substance abuse treatment records in Virginia?

Records from federally assisted substance use disorder programs are protected by 42 CFR Part 2, which generally requires specific written consent and provides heightened safeguards against legal use. Limited exceptions apply, such as medical emergencies, audits, and valid court orders, and providers must layer these rules with HIPAA and state law.
