Pennsylvania Health Data Privacy Laws: Complete Guide
Pennsylvania protects 13 million residents through a combination of federal HIPAA requirements, state-specific breach notification laws, consumer protection statutes, and enhanced confidentiality protections for HIV and mental health information.
Pennsylvania's commitment to health data protection
Quick Summary: PA Health Privacy Laws
Updated October 2025 - Everything you need to know in 2 minutes
Your Legal Protections in Pennsylvania:
- Federal HIPAA Rights: Access records, amend errors, restrict disclosures, receive breach notifications
- 72-Hour Breach Notification: Entities must notify PA Attorney General within 3 days of data breaches (73 PS § 2303)
- UTPCPL Protection: Pennsylvania Unfair Trade Practices Act prohibits deceptive health data practices
- HIV Confidentiality: Act 148 (35 PS § 7601) requires written consent for HIV-related disclosures
- Mental Health Protections: Mental Health Procedures Act (50 PS § 7101) strictly limits mental health record disclosures
- Substance Abuse Records: 42 CFR Part 2 federal protections plus PA Drug and Alcohol Abuse Control Act
6 Actionable Steps You Can Take Today:
- 1. Request Medical Records: Submit written request to any PA provider - must respond within 30 days (HIPAA) or per state regulation
- 2. File UTPCPL Complaints: Report unfair health data practices to PA Attorney General at 717-787-3391
- 3. Monitor Large Systems: Review data practices of UPMC, Penn Medicine, Jefferson Health networks
- 4. Report Breaches: Contact PA Department of Health (717-787-6436) and HHS OCR (800-368-1019)
- 5. Exercise Special Rights: Use Act 148 protections for HIV info, Mental Health Procedures Act for psych records
- 6. Document Violations: Keep records of any unauthorized disclosures or delayed breach notifications
Important Limitation: Pennsylvania does NOT have a comprehensive consumer data privacy law like California's CCPA, Colorado's CPA, or Connecticut's CTDPA. PA residents rely on federal HIPAA for healthcare data + state UTPCPL for unfair practices + specialty protections for HIV/mental health.
⚡ Get Automated Privacy Protection
HealthConsent automatically exercises your HIPAA rights, files UTPCPL complaints, monitors breach notifications, and enforces your HIV/mental health confidentiality protections across all PA providers.
Section 1: Pennsylvania Health Privacy Landscape
Constitutional Foundation: The Pennsylvania Constitution guarantees a right to informational privacy, giving residents fundamental control over their personal health data. This constitutional protection underpins all state health privacy laws.
Pennsylvania's Unique Position in Health Privacy
Major Healthcare Ecosystem:
- • UPMC: 40 hospitals, largest integrated delivery network in PA
- • Penn Medicine: Academic medical center with 6 hospitals
- • Jefferson Health: 18 hospitals across PA and NJ
- • Geisinger: Central/northeastern PA integrated system
- • Lehigh Valley Health Network: Eastern PA regional leader
Privacy Law Characteristics:
- • No comprehensive consumer privacy law (unlike CA, CO, CT, VA)
- • Relies on federal HIPAA as primary healthcare privacy framework
- • Strong specialty protections for HIV, mental health, substance abuse
- • Active AG enforcement under UTPCPL for unfair practices
- • Stricter breach notification than federal requirements
Why Pennsylvania Needs Comprehensive Privacy Legislation
As of October 2025, Pennsylvania has NOT passed a comprehensive consumer data privacy act. Multiple bills have been introduced in recent legislative sessions, but none have been enacted into law. This means:
- • No statutory right to delete health data held by non-HIPAA entities (apps, data brokers)
- • No "opt-out of sale" right for health information outside HIPAA
- • Limited recourse against non-covered entities that misuse health data
- • Gap in protections compared to neighboring states (NJ considering legislation)
PA residents should advocate for comprehensive privacy legislation while using existing HIPAA and UTPCPL protections.
Section 2: Your Privacy Rights Under Pennsylvania & Federal Law
Pennsylvania residents benefit from federal HIPAA protections plus state-specific enhancements. Learn more about your HIPAA patient rights → and when state laws override federal HIPAA →
Federal HIPAA Rights (Apply to All PA Providers)
- Right to Access: Request and receive copies of your medical records within 30 days (or 15 days if electronic). Providers may charge reasonable, cost-based fees but cannot charge retrieval fees.
- Right to Amendment: Request corrections to inaccurate or incomplete health information. Provider must respond within 60 days and either make the amendment or provide a written denial with your right to submit a statement of disagreement.
- Right to Restrict Disclosures: Request limitations on how your health information is used or shared. Providers MUST agree to restrict disclosures to health plans for services you paid out-of-pocket in full.
- Right to Accounting of Disclosures: Request a list of who your provider shared your health information with in the past 6 years (excluding treatment, payment, operations). First accounting per 12 months is free.
- Right to Breach Notification: Receive notification within 60 days if your unsecured health information has been improperly accessed or disclosed. Notification must include what happened, what information was involved, and steps you should take.
- Right to Confidential Communications: Request that your provider communicate with you at an alternative address or by alternative means (e.g., call your work phone instead of home). Provider must accommodate reasonable requests.
- Right to File Complaints: File complaints about HIPAA violations with your provider or with HHS Office for Civil Rights. Provider cannot retaliate against you for filing a complaint.
Pennsylvania-Specific Enhanced Protections
- 72-Hour AG Breach Notification (73 PS § 2303): Healthcare entities must notify the Pennsylvania Attorney General within 72 hours of discovering a breach affecting personal information. This is MUCH stricter than HIPAA's 60-day requirement and enables faster AG response.
- HIV Confidentiality (Act 148 / 35 PS § 7601): HIV-related information has enhanced protections. Disclosure requires specific written authorization from the individual, separate from general medical release forms. Unauthorized disclosure can result in civil liability. Limited exceptions for treatment, mandatory reporting, and emergency situations.
- Mental Health Records (50 PS § 7101 - Mental Health Procedures Act): Mental health treatment records require patient consent or court order for disclosure beyond treatment providers. This provides STRONGER protection than HIPAA's general rule. Patients have explicit rights to control mental health information sharing.
- Substance Abuse Treatment Records: Pennsylvania Drug and Alcohol Abuse Control Act works alongside federal 42 CFR Part 2 regulations, requiring written consent for most disclosures of substance use disorder treatment records. These are among the most protected medical records.
- UTPCPL Consumer Protection: Pennsylvania's Unfair Trade Practices and Consumer Protection Law (73 PS § 201-1 et seq.) prohibits unfair or deceptive practices in the collection, use, and disclosure of health information. Violations can result in Attorney General enforcement, civil penalties, and consumer restitution.
- Medical Records Access Regulations: Pennsylvania regulations (28 Pa. Code § 115.29 for hospitals) establish that patients have the right to access their medical records. While the timeline generally aligns with HIPAA, state regulations provide additional enforcement mechanisms through the Department of Health.
- Health Information Exchange (HIE) Opt-Out Right (Act 76 of 2016): Pennsylvania operates the PA Patient & Provider Network (P3N), a statewide Health Information Exchange connecting regional HIEs. Under Act 76, you have the RIGHT TO OPT OUT of having your medical records shared across this network. By default, your providers can access your records from other connected hospitals/clinics to improve care—but you can withdraw from the P3N network at any time if you prefer your records not be shared statewide. Contact your provider or the P3N directly to exercise this opt-out right.
- Insurance Privacy Protections (31 Pa. Code § 146b): Pennsylvania insurance regulations define "nonpublic personal health information" and prohibit insurers from disclosing your health data without authorization, except for specific business purposes (claims, underwriting, fraud detection). Insurers must follow these state-specific privacy rules in addition to HIPAA, giving you enhanced control over how health plans use and share your information.
Key Advantage: Pennsylvania's HIV and mental health protections are STRONGER than standard HIPAA. If you're seeking care for these conditions, you have enhanced confidentiality rights that go beyond federal law. Always confirm with providers that they're applying Pennsylvania's stricter standards.
Section 3: Recent Law Updates & Enforcement (2023-2025)
Enhanced Healthcare System Cybersecurity Requirements
2024Pennsylvania strengthened oversight of major healthcare systems with enhanced cybersecurity requirements, mandatory risk assessments, and increased reporting obligations to the Department of Health and Attorney General. This follows several major data breaches affecting Pennsylvania residents at large health systems.
Impact for Patients: Larger health systems (UPMC, Penn Medicine, Jefferson) now face enhanced accountability for protecting patient data, with more frequent security audits and faster breach response requirements.
Act 151 of 2022 & SB 824 of 2024: Major Breach Notification Overhaul
2022-2024Act 151 (2022) completely revised Pennsylvania's Breach of Personal Information Notification Act, clarifying definitions and strengthening enforcement. SB 824 (Act 92 of 2024) further amended the law to require entities to notify the PA Attorney General when a breach affects more than 500 residents, lowered reporting thresholds, and confirmed that HIPAA-covered entities report to HHS while state agencies follow state notification rules.
Impact for Patients: Faster breach notifications (AG notified within 72 hours for large breaches), broader coverage of sensitive data, and enhanced Attorney General enforcement authority under UTPCPL for notification failures.
Act 32 amended the Mental Health Procedures Act and Act 33 amended the Drug and Alcohol Abuse Control Act to align Pennsylvania's mental health and substance use disorder confidentiality rules with federal HIPAA and 42 CFR Part 2 standards. This allows providers, facilities, and insurers to share patient information for treatment, payment, and healthcare operations under HIPAA rules—simplifying care coordination while maintaining strong protections.
Impact for Patients: Easier coordination of mental health and addiction treatment across providers while retaining your core consent rights. Pennsylvania's stricter protections still apply where they exceed HIPAA (e.g., requiring your consent for disclosures beyond treatment team).
Attorney General Healthcare Privacy Initiative
2023-2025 OngoingPennsylvania Attorney General launched a comprehensive healthcare privacy enforcement initiative targeting data brokers, health apps, and large healthcare systems for UTPCPL violations. This includes investigating unauthorized data sales, deceptive privacy practices, and failure to obtain proper consent for data sharing.
Impact for Patients: Increased enforcement against entities misusing health data, ability to file complaints that will be actively investigated, and potential for restitution in cases where data was improperly sold or disclosed.
Federal 42 CFR Part 2 Alignment for Substance Use Records
2024Pennsylvania updated its Drug and Alcohol Abuse Control Act regulations to align with revised federal 42 CFR Part 2 rules, clarifying when substance use disorder treatment records can be disclosed for care coordination while maintaining strong consent requirements.
Impact for Patients: Slightly easier care coordination for substance use disorder treatment while maintaining core consent protections. Patients retain the right to restrict disclosures and must provide written consent for most uses beyond direct treatment.
📋 Pending Legislation (2025)
Legislative Alert: Pennsylvania is considering major privacy legislation in 2025. Monitor these bills:
Comprehensive data privacy law similar to Virginia and Colorado privacy acts. Would create consumer rights (access, deletion, opt-out of sale) for ALL personal data including health information from non-HIPAA entities (apps, data brokers, etc.). HB 78 passed PA House in October 2025, awaiting Senate action.
Potential Impact: If enacted, PA residents would gain deletion rights and opt-out rights for health data held by apps, wearables, and data brokers—filling the gap where HIPAA doesn't apply.
Would amend Pennsylvania Rules of Evidence to require explicit written consent before reproductive healthcare records (abortion, pregnancy care, contraception) can be disclosed to law enforcement or in legal proceedings. HB 1640 and SB 939 aim to prevent patients' reproductive health records from being accessed without permission.
Potential Impact: Enhanced confidentiality for reproductive health information, with stricter consent requirements than general medical records.
Section 4: How to Exercise Your Rights (Step-by-Step)
Ready to take action? Here's your complete guide to exercising your health privacy rights →
1
Request Your Medical Records
Submit a written request to your healthcare provider's medical records department or privacy officer.
What to Include:
- • Your full name, date of birth, and contact information
- • Specific records requested (date range, type of records)
- • Format preference (paper or electronic)
- • Delivery method (mail, pickup, secure email)
Timeline:
Provider must respond within 30 days (can extend to 60 days with written notice).
2
File UTPCPL Complaints for Unfair Practices
Use Pennsylvania's strong consumer protection law to challenge deceptive or unfair health data practices.
When to File:
- • Provider sold your data without clear authorization
- • Deceptive privacy policies or practices
- • Unauthorized marketing using your health info
- • Failure to honor opt-out requests
How to File:
Contact PA Attorney General's Bureau of Consumer Protection at 717-787-3391 or file online at attorneygeneral.gov
3
Report Breach Notification Violations
If you discover a breach wasn't properly reported or you weren't notified within legal timeframes.
Red Flags:
- • You found out about a breach through news, not direct notification
- • Notification came more than 60 days after breach discovery
- • Incomplete information about what data was compromised
- • No offer of credit monitoring or identity protection after major breach
Who to Contact:
4
Exercise Special HIV/Mental Health Rights
Pennsylvania's enhanced protections require extra steps from providers before sharing this sensitive information.
HIV Information (Act 148):
- • Demand separate, specific written authorization for HIV disclosures
- • General medical release forms are NOT sufficient
- • Unauthorized disclosure creates private right to sue
Mental Health Records:
- • Your consent required for disclosures beyond treating providers
- • Court order needed if you don't consent
- • You can revoke authorization at any time
HealthConsent files requests, monitors responses, and escalates violations automatically
Section 5: Enforcement Mechanisms & Penalties
Pennsylvania enforces health privacy through multiple agencies. See major health data breach cases →
Recent Major Pennsylvania Cases
Federal HIPAA Enforcement
Up to $1.92M per violation category/yearHHS Office for Civil Rights enforces HIPAA Privacy and Security Rules with tiered civil penalties based on culpability level:
Civil Penalties (per violation):
- • Tier 1 (unknowing): $127-$63,973
- • Tier 2 (reasonable cause): $1,280-$63,973
- • Tier 3 (willful neglect, corrected): $12,794-$63,973
- • Tier 4 (willful neglect, not corrected): $63,973-$1,919,173
Criminal Penalties:
- • Up to 1 year + $50,000 fine (knowing violations)
- • Up to 5 years + $100,000 (false pretenses)
- • Up to 10 years + $250,000 (intent to sell/profit)
Recent Major PA Cases: Multiple Pennsylvania hospitals and health systems have faced HIPAA investigations and settlements in recent years for impermissible disclosures, inadequate security measures, and delayed breach notifications.
Pennsylvania Attorney General (UTPCPL)
Active Healthcare Privacy EnforcementPennsylvania AG uses UTPCPL (73 PS § 201-1 et seq.) to prosecute unfair or deceptive health data practices with broad enforcement authority:
Enforcement Powers:
- • Civil penalties for each violation
- • Injunctive relief (court orders to stop practices)
- • Consumer restitution (refunds/compensation)
- • Corrective advertising requirements
- • Revocation of business registration
- • Cooperation with multi-state investigations
What Constitutes UTPCPL Violation in Health Data Context:
- • False or misleading privacy policy statements
- • Selling health data without clear, conspicuous authorization
- • Failing to honor opt-out requests
- • Inadequate security leading to preventable breaches
- • Using health data for purposes not disclosed in privacy notice
- • Marketing to patients using improperly obtained health information
Pennsylvania Department of Health Oversight
Healthcare Facility Licensing AuthorityPA Department of Health oversees healthcare facilities through licensing and regulatory compliance, including data protection and confidentiality requirements:
Enforcement Authority:
- Healthcare Facility Surveys: Regular inspections of hospitals, nursing homes, and other facilities include review of patient confidentiality practices and medical records management
- Corrective Action Plans: Can require facilities to implement specific improvements to protect patient privacy, with follow-up monitoring to ensure compliance
- Licensing Sanctions: In severe cases, can suspend or revoke a facility's license to operate for persistent privacy violations
- Civil Penalties: Authority to impose fines for violations of state healthcare facility regulations, including those related to patient confidentiality
- Coordination with AG: Works with Attorney General's office on cases involving both regulatory violations and consumer protection issues
Private Rights & Civil Remedies
Limited but AvailablePennsylvania provides some private rights of action for health privacy violations:
HIV Confidentiality (Act 148):
Individuals can sue for unauthorized disclosure of HIV-related information. Potential remedies include compensatory damages, injunctive relief, and possibly punitive damages in egregious cases.
Common Law Privacy Torts:
Pennsylvania courts recognize common law causes of action for invasion of privacy, including public disclosure of private facts. Unauthorized disclosure of sensitive health information may support such claims.
Breach of Confidentiality:
Healthcare providers owe a duty of confidentiality to patients under Pennsylvania law. Breach of this duty through unauthorized disclosure can support a malpractice or breach of contract claim.
Important Limitation: Unlike some states, Pennsylvania does NOT provide a general private right of action under UTPCPL. Only the Attorney General can bring UTPCPL enforcement actions. However, you CAN file complaints that trigger AG investigation.
Section 6: Protecting Your Health Data in Pennsylvania
Beyond knowing your rights, take proactive steps to secure your health information. Check out our complete privacy protection checklist →
Proactive Privacy Strategies
Monitor Large Health Systems
Pennsylvania's major integrated delivery networks handle millions of patient records. Stay vigilant about their data practices.
- • Request privacy notices from UPMC, Penn Medicine, Jefferson Health
- • Review data sharing agreements before signing any authorizations
- • Ask about third-party access to your health information
- • Check breach notification websites of major systems regularly
- • Exercise restriction rights to limit inter-facility sharing
- • Monitor EOBs (Explanation of Benefits) for unexpected disclosures
Leverage UTPCPL Protection
Use Pennsylvania's strong consumer protection law as a powerful tool against unfair health data practices.
- • File UTPCPL complaints for any deceptive privacy practices
- • Document all communications about your health data usage
- • Save privacy policies and note when they change
- • Report data broker activities to Attorney General
- • Challenge unauthorized marketing using your health info
- • Request restitution if your data was improperly sold
Engage Enforcement Mechanisms
Pennsylvania has active enforcement—don't hesitate to use it when your privacy rights are violated.
- • Report privacy violations to PA Attorney General immediately
- • Document breach delays beyond 60-day HIPAA or 72-hour AG requirements
- • File HHS OCR complaints for HIPAA violations
- • Contact PA Dept of Health for facility-specific issues
- • Support enforcement actions by providing evidence/testimony
- • Request AG investigation of systemic privacy problems
🔒 Modern Technology Protections
FTC Health Breach Rule (2024): Health apps, fitness trackers, and wearables that fall OUTSIDE HIPAA are now covered by the FTC's Health Breach Notification Rule. If your fitness app or wellness platform experiences a data breach, they must notify you and the FTC. This fills the gap where HIPAA doesn't apply to consumer health technologies.
Public Health Gateway (PHG): Pennsylvania operates a secure, HIPAA-compliant Public Health Gateway connecting state health registries (immunizations, lab reporting, cancer registry). All PHG connections use encryption, access controls, and data use agreements to protect patient data during mandatory public health reporting. Your providers report required health data securely through this system.
Specific Actions for HIV & Mental Health Privacy
HIV-Related Information (Act 148):
- ✓ Insist on separate authorization forms for any HIV-related disclosure
- ✓ Never sign blanket releases for HIV information
- ✓ Review who has access to your HIV test results
- ✓ Ask about electronic health record access controls for HIV data
- ✓ Consider legal action for unauthorized HIV disclosure
- ✓ Request audit logs showing who viewed your HIV information
Mental Health Records:
- ✓ Understand Mental Health Procedures Act protections are stronger than standard HIPAA
- ✓ Confirm consent requirements before any mental health disclosure
- ✓ Keep psychotherapy notes separate from general medical records
- ✓ Revoke authorizations if you change your mind about sharing
- ✓ Challenge inappropriate court orders with legal assistance
- ✓ Verify provider understands PA's stricter mental health confidentiality rules
Automate Your Pennsylvania Privacy Protection
HealthConsent® monitors your providers, files requests, reports violations, and enforces your PA privacy rights automatically— including HIPAA, UTPCPL, Act 148, and Mental Health Procedures Act protections.
Start Comprehensive PA Privacy Protection →Covers all Pennsylvania providers • Handles all compliance automatically • Cancel anytime
Section 7: Pennsylvania Privacy Resources & Official Contacts
Need more information? Browse our complete collection of privacy resources →
Pennsylvania Attorney General
Consumer Protection & Healthcare Privacy Enforcement
File online complaints, view enforcement actions, access consumer resources
What They Handle: UTPCPL violations, deceptive health data practices, data broker complaints, breach notification violations, multi-state healthcare privacy investigations
Pennsylvania Department of Health
Healthcare Facility Oversight & Regulation
Healthcare facility licensing, complaint reporting, regulatory guidance
What They Handle: Healthcare facility violations, hospital/nursing home complaints, medical records management issues, facility licensing enforcement, patient confidentiality at licensed facilities
PA State Board of Medicine
Physician Licensing & Disciplinary Actions
File complaints about physicians, check licensure status, disciplinary actions
What They Handle: Physician misconduct including privacy violations, inappropriate disclosure of patient information, licensing discipline, professional standards enforcement
HHS Office for Civil Rights
Federal HIPAA Enforcement (Philadelphia Region)
File HIPAA complaints online, access HIPAA guidance, breach reporting
What They Handle: HIPAA Privacy Rule violations, HIPAA Security Rule violations, breach notification failures, patient access denials, federal healthcare privacy enforcement
Pro Tip: File complaints with MULTIPLE agencies when appropriate. For example, a hospital privacy violation could be reported to: (1) HHS OCR for HIPAA violation, (2) PA Attorney General for UTPCPL violation, (3) PA Department of Health for facility violation. Multi-agency complaints increase chances of enforcement action.
Let HealthConsent® Secure Your Pennsylvania Privacy Rights
Pennsylvania protects 13+ million residents through federal HIPAA, state breach notification laws, UTPCPL consumer protection, and enhanced HIV/mental health confidentiality. HealthConsent® automates enforcement of ALL your PA privacy rights across every provider, health system, and data broker.
Start Protecting Your DataTake advantage of Pennsylvania's comprehensive enforcement mechanisms—HIPAA, UTPCPL, Act 148, and Mental Health Procedures Act—all automated through one platform