HIPAA Compliance for Indiana Clinics: Federal and State Requirements
Indiana clinics must meet HIPAA plus the Indiana Consumer Data Protection Act (ICDPA, IC 24-15, effective January 2026), breach notification (IC 24-4.9), and patient access to records (IC 16-39-1-1). Full compliance guide with action items.
Short answer
Indiana clinics must comply with HIPAA and Indiana-specific laws: the Indiana Consumer Data Protection Act (ICDPA, IC 24-15) effective January 2026 adds health data consumer rights, IC 24-4.9 requires breach notification without unreasonable delay, and IC 16-39-1-1 requires patient access to records within 30 days. The more protective standard governs in each situation.
Indiana clinics face a new compliance layer starting January 1, 2026: the Indiana Consumer Data Protection Act (ICDPA). It joins the state’s existing breach notification requirements and medical records access statute to create obligations that, in several areas, exceed HIPAA. Your HIPAA program does not automatically satisfy any of the three Indiana frameworks.
This guide covers the HIPAA federal baseline every Indiana clinic must meet, then Indiana’s Consumer Data Protection Act (IC 24-15), breach notification under IC 24-4.9, and patient access to records under IC 16-39-1-1.
The HIPAA Baseline for Indiana Clinics
Indiana clinics that transmit health information electronically in standard transactions are HIPAA covered entities subject to the Privacy Rule, Security Rule, and Breach Notification Rule. The operational baseline: documented risk analysis, risk management, workforce training, Business Associate Agreements with vendors handling PHI (see how small clinics track vendor BAAs), written policies, and incident response capabilities calibrated to breach notification requirements.
See HIPAA administrative safeguards for the full requirements under 45 CFR § 164.308.
HIPAA’s preemption provisions at 45 CFR § 160.203 preserve Indiana state laws that are more protective of patient rights.
Indiana Consumer Data Protection Act: IC 24-15
The Indiana Consumer Data Protection Act (ICDPA) follows the model of other second-generation state privacy laws. It applies to entities that conduct business in Indiana or produce products or services targeted to Indiana consumers, and that during a calendar year control or process personal data of at least 100,000 Indiana consumers, or control or process the personal data of at least 25,000 Indiana consumers and derive more than 50% of gross revenue from the sale of personal data.
Sensitive data under the ICDPA
The ICDPA defines sensitive data to include:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship status;
- Genetic and biometric data;
- Precise geolocation data;
- Personal data of a known child.
Mental and physical health diagnoses are sensitive data under the ICDPA. Processing sensitive data requires consumer consent under opt-in requirements.
HIPAA exemption
The ICDPA exempts HIPAA-covered entities from its requirements to the extent they process personal data that constitutes PHI governed by HIPAA. Core clinical patient records at a covered entity are outside the ICDPA’s scope.
The exemption is data-specific, not entity-wide in all circumstances. An Indiana clinic that also operates a consumer wellness program, a patient-facing app that collects health data from non-patients, or digital advertising targeting individuals based on health conditions may be collecting health data outside the HIPAA framework. That data may be subject to ICDPA requirements.
Consumer rights under the ICDPA
For personal data subject to the ICDPA, consumers have the right to:
- Access personal data the controller processes about them;
- Correct inaccurate personal data;
- Delete personal data;
- Obtain a portable copy;
- Opt out of targeted advertising, sale of personal data, and certain profiling.
For sensitive data, including health diagnoses, consent must be obtained before processing: consent here means an opt-in, not an opt-out.
Data protection assessments
The ICDPA requires controllers to conduct data protection assessments before processing activities that present heightened risk, including the processing of sensitive data such as health diagnoses. If an Indiana clinic processes health data outside the HIPAA framework and subject to the ICDPA, it must conduct and document a data protection assessment for those processing activities.
ICDPA enforcement
Indiana’s AG has exclusive enforcement authority. There is no private right of action under the ICDPA. Civil penalties may reach $7,500 per violation. The AG must provide a 30-day cure period before initiating enforcement action.
Indiana Breach Notification: IC 24-4.9
Indiana’s Disclosure of Security Breach statute (IC 24-4.9) applies to any entity that owns or licenses computerized data that includes personal information about Indiana residents. A breach of security requires disclosure to affected Indiana residents.
Timing and the reasonable diligence standard
IC 24-4.9-3-1 requires disclosure in the most expedient time possible and without unreasonable delay following discovery of a breach. Indiana does not specify a numeric deadline in the statute, unlike Arizona (45 days) or Washington (30 days). However, prompt action, generally within 45 to 60 days of discovery, is the practical expectation. Since HIPAA’s ceiling is 60 days, Indiana clinics should target notification well before that ceiling when Indiana residents are affected.
Definition of personal information
Indiana’s personal information definition includes a name or number, combined when unencrypted with any of: Social Security number, driver’s license number, financial account numbers, health insurance policy number or subscriber identification number, and any medical history or health information. Medical information explicitly triggers the notification obligation in Indiana, making any breach of patient records presumptively subject to IC 24-4.9.
AG notification
IC 24-4.9-3-2 requires entities to notify the Indiana AG of a breach when the breach requires notification to more than 500 Indiana residents. The AG notification must be made at the time individual notices are sent. This is an additional obligation alongside HIPAA’s requirement to notify HHS for breaches affecting 500 or more individuals in a state: Indiana’s threshold is also 500, but the state AG notification and the HHS notification are separate filings, and one does not satisfy the other.
Notice content requirements
Indiana law requires breach notices to include:
- A description of the breach;
- The type of information disclosed;
- The entity’s contact information;
- Toll-free numbers for credit reporting agencies if applicable.
This is less detailed than HIPAA’s required notice content under 45 CFR § 164.404(c), but clinics should meet the more detailed HIPAA standard because it satisfies both. See HIPAA breach notification templates for a template framework.
Patient Access to Medical Records: IC 16-39-1-1
Indiana Code 16-39-1-1 establishes the patient’s right to access their own health records from a healthcare provider. The provision requires healthcare providers to respond to patient requests for records within a reasonable time.
The 30-day standard
While Indiana’s statute does not specify a numeric deadline in all circumstances, a 30-day response time is the practical standard, consistent with HIPAA’s default access timeline. Indiana clinics should target 30-day fulfillment of records requests without relying on the HIPAA 30-day extension provision unless the circumstances genuinely require it.
What records patients can access
IC 16-39-1-1 covers all records relating to the patient’s health care maintained by a healthcare provider. This includes office visit notes, lab results, imaging reports, medication records, and other clinical documentation. Indiana law gives patients both the right to inspect records (in person review) and to obtain copies.
Fees for records
Indiana law permits providers to charge reasonable fees for copying records. The fee structure must not be used as a barrier to patient access. For electronic records, the applicable standard from HIPAA guidance, which limits fees to the actual labor cost of providing an electronic record, is the most defensible approach under both HIPAA and state law.
Mental health and substance use records
Indiana addresses access to mental health records through a separate framework. Providers should consult IC 12-7-2-128 (definitions of mental health records) and IC 12-21-2-7 (confidentiality of mental health facility records) for records created in licensed mental health facility settings. Outpatient providers with integrated behavioral health programs should review these provisions with Indiana counsel.
Four Action Items for Indiana Clinics
1. Assess ICDPA obligations for non-PHI health data. Now that the ICDPA is in effect (January 1, 2026), audit your digital tools and data collection practices for any health data collected outside the HIPAA-covered treatment relationship. Identify consumer wellness programs, patient-facing apps used by non-patients, and website analytics that may collect health-related information. Evaluate whether the ICDPA applies and whether consent and data protection assessment procedures are in place.
2. Build a prompt breach response capable of acting within 60 days, targeting 45 or fewer. Update your incident response procedure to target prompt notification. Build in a check for breaches affecting more than 500 Indiana residents, since those require concurrent AG notification. Confirm your notification template satisfies both HIPAA’s content requirements and Indiana law.
3. Confirm your patient records access process meets the 30-day standard. Verify your records request intake, review, and fulfillment process. Train staff that 30 days is the target. Document the fee structure you use for copying records, calibrated to actual cost for electronic records.
4. Document a risk analysis incorporating Indiana-specific factors. Use the HIPAA risk analysis worksheet as a foundation and add Indiana-specific risks: ICDPA applicability, breach response timeline, and records access procedures. Document your risk management decisions in writing.
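The timing and threshold checks in action items 2 and 3 are easy to get wrong under incident pressure, so the following is an added example of encoding them as a small, testable decision helper. It is example code written for this article, not part of PHIGuard or any clinic’s procedure. The 60-day HIPAA ceiling, the 45-day internal target, the "more than 500 Indiana residents" AG trigger, the "500 or more individuals" HHS trigger, the 30-day records access target and the four Indiana notice elements come from the text above; the annual-log treatment of sub-500 breaches (45 CFR § 164.408(c)) is a HIPAA rule not discussed on this page; the data structures, field names and sample breach are constructed for the example.

```python
"""Breach notification and records-access deadline helper (illustrative example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

HIPAA_NOTIFY_CEILING_DAYS = 60   # HIPAA: individual notice no later than 60 days after discovery
INTERNAL_TARGET_DAYS = 45        # clinic's own target, per the practical expectation above
INDIANA_AG_THRESHOLD = 500       # IC 24-4.9-3-2: AG notice when MORE than 500 Indiana residents
HHS_IMMEDIATE_THRESHOLD = 500    # HIPAA: 500 or more individuals -> HHS notified with individual notices
RECORDS_ACCESS_TARGET_DAYS = 30  # IC 16-39-1-1 practical standard / HIPAA default

# Notice elements Indiana law requires (from the article). Credit-agency numbers apply only
# when financial identifiers such as SSNs or account numbers were exposed (assumption).
INDIANA_NOTICE_ELEMENTS = ("description", "information_types", "contact_information")


@dataclass
class BreachRecord:
    discovered: date
    affected_by_state: dict            # constructed: state code -> affected individuals
    unencrypted: bool = True           # IC 24-4.9 personal-information definition turns on this
    financial_identifiers: bool = False


@dataclass
class NotificationPlan:
    individual_notice_deadline: date
    internal_target: date
    notify_hhs_with_individual_notices: bool
    notify_indiana_ag: bool
    notes: list = field(default_factory=list)


def plan_notifications(breach: BreachRecord) -> NotificationPlan:
    """Apply the federal and Indiana thresholds to one breach and return the plan."""
    total = sum(breach.affected_by_state.values())
    indiana_count = breach.affected_by_state.get("IN", 0)
    plan = NotificationPlan(
        individual_notice_deadline=breach.discovered + timedelta(days=HIPAA_NOTIFY_CEILING_DAYS),
        internal_target=breach.discovered + timedelta(days=INTERNAL_TARGET_DAYS),
        notify_hhs_with_individual_notices=total >= HHS_IMMEDIATE_THRESHOLD,
        notify_indiana_ag=indiana_count > INDIANA_AG_THRESHOLD,
    )
    if not plan.notify_hhs_with_individual_notices:
        plan.notes.append("Fewer than 500 individuals: log for the annual HHS report (45 CFR 164.408(c)).")
    if plan.notify_indiana_ag:
        plan.notes.append("Send Indiana AG notice at the same time as individual notices (IC 24-4.9-3-2).")
    if indiana_count and not breach.unencrypted:
        plan.notes.append("Data was encrypted: confirm with counsel whether IC 24-4.9 is triggered at all.")
    return plan


def days_remaining(plan: NotificationPlan, today: date) -> int:
    """Days left before the HIPAA ceiling; negative means the deadline has passed."""
    return (plan.individual_notice_deadline - today).days


def missing_indiana_notice_elements(notice: dict, breach: BreachRecord) -> list:
    """Return the Indiana-required elements the draft notice is missing."""
    required = list(INDIANA_NOTICE_ELEMENTS)
    if breach.financial_identifiers:
        required.append("credit_agency_numbers")
    return [key for key in required if not notice.get(key)]


def records_request_due(received: date) -> date:
    """Target fulfillment date for a patient records request (30-day standard)."""
    return received + timedelta(days=RECORDS_ACCESS_TARGET_DAYS)


# Constructed sample incident: a phishing-compromised mailbox exposing 620 Indiana and 40 Ohio patients.
SAMPLE_BREACH = BreachRecord(
    discovered=date(2026, 3, 2),
    affected_by_state={"IN": 620, "OH": 40},
    financial_identifiers=True,
)

if __name__ == "__main__":
    plan = plan_notifications(SAMPLE_BREACH)
    print("Notify individuals by:", plan.individual_notice_deadline, "(target", plan.internal_target, ")")
    print("HHS with individual notices:", plan.notify_hhs_with_individual_notices)
    print("Indiana AG:", plan.notify_indiana_ag)
    draft = {"description": "Mailbox compromise", "information_types": "names, DOB, SSN"}
    print("Draft notice missing:", missing_indiana_notice_elements(draft, SAMPLE_BREACH))
```

The helper deliberately keeps the Indiana AG trigger as "more than 500" and the HHS trigger as "500 or more", because the two thresholds read differently even though both are stated as 500; a breach affecting exactly 500 Indiana residents trips one and not the other.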
Indiana Compliance Going Forward
ICDPA enforcement posture will develop through AG guidance and enforcement actions in 2026 and beyond. Indiana clinics should monitor the Indiana AG’s consumer protection publications and the Indiana State Medical Association’s compliance resources for updates.
PHIGuard supports Indiana clinics with HIPAA compliance management, policy documentation, vendor BAA tracking, and incident response — with current plan and BAA details published on the pricing page. Visit PHIGuard HIPAA or review pricing.
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.
Sources
- Indiana Consumer Data Protection Act (IC 24-15) · Indiana General Assembly
- Indiana Disclosure of Security Breach (IC 24-4.9) · Indiana General Assembly
- Indiana Access to Medical Records (IC 16-39-1-1) · Indiana General Assembly
- 45 CFR Parts 160 and 164 (HIPAA Privacy and Security Rules) · eCFR