
HIPAA Compliance for Maryland Medical Clinics

Maryland clinics must comply with HIPAA plus the Maryland Confidentiality of Medical Records Act (MD Code, Health-Gen §4-301 et seq.), which requires patient records access within 60 days and imposes independent confidentiality obligations. Maryland HB 35 (2023) expanded health data protections further, and the AG enforces under the Maryland Consumer Protection Act.


Maryland medical clinics face a layered compliance environment: HIPAA at the federal level, the Maryland Confidentiality of Medical Records Act (MCMRA) as the primary state health privacy statute, and expanded obligations under Maryland HB 35 (2023) for health data outside traditional clinical settings. The Maryland AG’s authority under the Maryland Consumer Protection Act means clinics have a second enforcement body — separate from federal OCR — with jurisdiction over health data practices.


Maryland Health Privacy Law Overview

Maryland Confidentiality of Medical Records Act (MD Code, Health-Gen §4-301 et seq.) is Maryland’s primary health record privacy statute. It defines the confidentiality rights of patients, restricts disclosure of medical records to third parties without patient authorization, and sets the obligations of healthcare providers when responding to records access requests. The MCMRA covers medical records held by Maryland healthcare providers and applies independently of HIPAA — a clinic must satisfy both statutes.

Maryland Personal Information Protection Act (MD Code, Com. Law §14-3501 et seq.) is Maryland’s general data security and breach notification law. It covers personal information, including health and medical information, and requires businesses to implement reasonable security measures and notify affected individuals when personal information is breached. Maryland clinics must satisfy this statute in addition to HIPAA’s Breach Notification Rule.

Maryland HB 35 (2023) amended Maryland’s health data privacy framework to extend protections beyond the HIPAA-covered entity model. The legislation addressed health data collected and used outside of traditional covered transactions — including health data generated by apps, wearables, and non-clinical services — and tightened consent requirements for certain data uses. Its practical impact on small medical clinics depends on the scope of their data collection activities beyond standard clinical records.

Key Differences: Maryland Law vs. HIPAA

Requirement | HIPAA standard | Maryland standard
Patient records access deadline | 30 days from receipt; one 30-day extension, only with written notice to the patient within the first 30 days | 60 days under MCMRA (MD Code, Health-Gen §4-309)
Breach notification to individuals | Without unreasonable delay and no later than 60 calendar days after discovery | Without unreasonable delay under the Maryland Personal Information Protection Act
Scope of health data covered | PHI held by covered entities and their business associates | MCMRA covers medical records broadly; HB 35 extends to additional health data categories
Enforcement authority | OCR (federal) | Maryland AG under the Consumer Protection Act; a parallel track
Private right of action | None under HIPAA | Limited; AG enforcement is the primary mechanism

Maryland’s patient records access deadline warrants clarification. HIPAA’s default is 30 calendar days from receipt of a request, with one 30-day extension permitted only if written notice of the delay reaches the patient within the initial 30 days. MCMRA §4-309 sets a 60-day response period for Maryland healthcare providers. These are not conflicting standards: the HIPAA clock applies to requests covered by HIPAA’s right of access, and the MCMRA clock applies to Maryland-law records access requests. A Maryland clinic receiving a patient records request must satisfy both frameworks, so the earlier applicable deadline controls. In practice that means responding within 30 days (or 60 with a timely written extension notice) to any HIPAA-covered request, and within the MCMRA period to requests that fall outside HIPAA’s scope.

The more operationally significant Maryland-specific issue for small clinics is the AG enforcement track. A patient complaint about a clinic’s records handling or breach response may land with the Maryland AG — not just OCR — requiring the clinic to respond to two separate regulatory inquiries about the same event.

AG Enforcement in Maryland

Maryland’s Attorney General enforces health data obligations through the Consumer Protection Division. The AG has authority under:

  • Maryland Consumer Protection Act (MD Code, Com. Law §13-301 et seq.): Prohibits unfair or deceptive trade practices, which includes misrepresenting privacy practices or failing to follow published privacy policies. A clinic’s Notice of Privacy Practices is a representation the AG can evaluate.
  • Maryland Personal Information Protection Act (MD Code, Com. Law §14-3501 et seq.): Covers data security obligations and breach notification for personal information including health data. The AG can investigate failures to implement reasonable security and failures to provide timely breach notification.

Maryland’s enforcement environment means a single breach event can generate parallel proceedings: OCR investigation under HIPAA, and Maryland AG inquiry under state consumer protection statutes. Clinics that can demonstrate documented compliance — written policies, training records, incident response plans, and breach response documentation — are better positioned in both proceedings.

The AG does not require a minimum number of affected individuals to open an investigation. A single patient complaint about records handling or a breach response that fails to meet statutory requirements can initiate inquiry.

5 Action Items for Maryland Clinics

1. Align your records access procedures with both HIPAA and MCMRA. Establish a records request intake process that records the date received, determines whether HIPAA’s right of access applies, and calendars every applicable deadline. For HIPAA-covered requests that means 30 calendar days, extendable once by 30 days only if written notice goes to the patient within the first 30 days; for every Maryland patient records request, calendar the MCMRA deadline as well and work to whichever date comes first. Train your medical records staff on the distinction and keep a log of open requests with their due dates.

2. Review your Notice of Privacy Practices for MCMRA accuracy. Your NPP is a legally operative document under both HIPAA and Maryland consumer protection law. If your NPP’s description of patient rights or your disclosure practices does not accurately reflect MCMRA requirements, you face exposure under the Maryland Consumer Protection Act independent of any HIPAA violation. Have counsel review your NPP against current MCMRA requirements, particularly in light of HB 35.

3. Assess HB 35 applicability to your non-clinical data streams. If your clinic collects health data outside of standard clinical records — through patient portals, wellness programs, remote monitoring devices, or any app your practice uses — assess whether Maryland HB 35’s expanded definitions and consent requirements apply. Document the assessment. Small clinics with straightforward clinical operations may find limited HB 35 exposure; clinics with broader data collection activities should get specific legal guidance.

4. Build a dual-track breach response capability. Your incident response plan should address both HIPAA notifications (individual notice without unreasonable delay and no later than 60 calendar days after discovery; notice to HHS at the same time for breaches affecting 500 or more individuals, otherwise in the annual log due within 60 days after the end of the calendar year; media notice when 500 or more residents of a state are affected) and Maryland notifications under the Maryland Personal Information Protection Act. Document the trigger thresholds, recipients, and clocks for each. A breach affecting Maryland residents may have to be reported under MPIPA on a timeline, and to recipients that may include the Attorney General, that differ from the HIPAA Breach Notification Rule, so start both clocks from the same discovery date rather than waiting for the HIPAA deadline.

5. Maintain a current, documented risk analysis. A written risk analysis is required under the HIPAA Security Rule (45 CFR §164.308(a)(1)) and is the foundation of any defensible compliance program. Use the HIPAA compliance self-assessment as a starting point. Update it whenever you add new vendors, change record systems, or expand your services. Regulators — both OCR and the Maryland AG — evaluate your risk management program when investigating a breach.
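The intake log described in action item 1, as an added example. This is not PHIGuard’s code and is not part of the original article; it assumes calendar days for both periods, takes the 60-day MCMRA figure the article cites as given, and applies HIPAA’s rule that an extension only counts when the written notice went out within the initial 30 days. The request IDs and dates are constructed.

```python
"""Records-request intake log that tracks the HIPAA and MCMRA access deadlines side by side."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

HIPAA_RESPONSE_DAYS = 30    # 45 CFR 164.524(b)(2): act on the request within 30 calendar days
HIPAA_EXTENSION_DAYS = 30   # one extension, valid only if written notice reaches the patient in time
MCMRA_RESPONSE_DAYS = 60    # the 60-day figure the article gives for MCMRA (assumed calendar days)


@dataclass
class RecordsRequest:
    request_id: str
    received: date
    hipaa_covered: bool = True                     # False when the request is outside HIPAA's access right
    extension_notice_sent: Optional[date] = None   # date the written extension notice was sent, if any
    fulfilled: Optional[date] = None

    def hipaa_deadline(self) -> Optional[date]:
        """HIPAA due date, or None for a request HIPAA does not reach."""
        if not self.hipaa_covered:
            return None
        base = self.received + timedelta(days=HIPAA_RESPONSE_DAYS)
        # A late extension notice does not extend anything: the original 30 days still govern.
        if self.extension_notice_sent is not None and self.extension_notice_sent <= base:
            return base + timedelta(days=HIPAA_EXTENSION_DAYS)
        return base

    def mcmra_deadline(self) -> date:
        return self.received + timedelta(days=MCMRA_RESPONSE_DAYS)

    def deadlines(self) -> List[Tuple[str, date]]:
        """Every deadline that applies to this request, HIPAA first when present."""
        out: List[Tuple[str, date]] = []
        h = self.hipaa_deadline()
        if h is not None:
            out.append(("HIPAA", h))
        out.append(("MCMRA", self.mcmra_deadline()))
        return out

    def governing_deadline(self) -> date:
        """The clinic must satisfy both frameworks, so the earliest applicable date controls."""
        return min(d for _, d in self.deadlines())

    def status(self, today: date) -> str:
        """'open', 'overdue:<frameworks>', 'closed', or 'closed-late:<frameworks>'."""
        if self.fulfilled is not None:
            late = [name for name, d in self.deadlines() if self.fulfilled > d]
            return "closed" if not late else "closed-late:" + ",".join(late)
        missed = [name for name, d in self.deadlines() if today > d]
        return "overdue:" + ",".join(missed) if missed else "open"


def open_request_report(log: List[RecordsRequest], today: date) -> List[Tuple[str, date, str]]:
    """Open requests ordered by the deadline that bites first, with their current status."""
    pending = [r for r in log if r.fulfilled is None]
    pending.sort(key=lambda r: r.governing_deadline())
    return [(r.request_id, r.governing_deadline(), r.status(today)) for r in pending]


# Constructed sample intake log (hypothetical request IDs and dates, not real patients).
SAMPLE_LOG = [
    RecordsRequest("REQ-001", date(2024, 1, 10)),                                            # plain HIPAA request
    RecordsRequest("REQ-002", date(2024, 1, 10), extension_notice_sent=date(2024, 2, 1)),    # timely extension
    RecordsRequest("REQ-003", date(2024, 1, 10), extension_notice_sent=date(2024, 2, 15)),   # notice sent too late
    RecordsRequest("REQ-004", date(2024, 1, 10), hipaa_covered=False),                       # MCMRA-only request
    RecordsRequest("REQ-005", date(2024, 1, 10), fulfilled=date(2024, 2, 20)),               # closed after HIPAA date
]

if __name__ == "__main__":
    for row in open_request_report(SAMPLE_LOG, date(2024, 2, 20)):
        print(*row)
```

Run against the sample log on 20 February 2024, the report lists REQ-001 and REQ-003 as overdue under HIPAA (the 15 February extension notice on REQ-003 arrived after the 30-day mark and so bought nothing), while REQ-002 and the MCMRA-only REQ-004 remain open until 10 March. REQ-005 is closed but flagged late, which is the kind of entry an OCR or AG inquiry would ask about.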

PHIGuard supports Maryland clinics in maintaining the audit trails, policy documentation, and breach response infrastructure that HIPAA and MCMRA require — at current plan and BAA details published on the pricing page. See PHIGuard’s HIPAA compliance tools or browse the compliance operations hub for related guidance.

Frequently Asked Questions

What does the Maryland Confidentiality of Medical Records Act require beyond HIPAA?

The Maryland Confidentiality of Medical Records Act (MD Code, Health-Gen §4-301 et seq.) imposes independent confidentiality obligations on Maryland healthcare providers. The Act restricts the disclosure of medical records and requires healthcare providers to maintain records securely and respond to patient access requests within 60 days. While HIPAA also governs medical record access and generally requires a response within 30 days (with one 30-day extension), the MCMRA creates independent state-law obligations that a Maryland clinic must satisfy even if the situation falls outside a strict HIPAA-covered transaction. Clinics that fail to maintain compliance with MCMRA can face enforcement by the Maryland AG under the Maryland Consumer Protection Act.

What did Maryland HB 35 (2023) change for medical clinics?

Maryland HB 35 (2023) expanded Maryland's health data privacy protections to cover additional categories of health-related information that may not be fully addressed by HIPAA. The legislation extended protections to health data collected outside of traditional clinical settings and tightened consent requirements for certain health data uses and disclosures. Maryland clinics should assess whether any non-clinical health data they collect — such as data from wellness programs, employee health screening, or patient-facing apps — falls within the expanded definitions. Clinics should consult with legal counsel on the specific applicability of HB 35 to their operations.

How does the Maryland AG enforce health data violations?

The Maryland Attorney General enforces health data privacy violations primarily through the Maryland Consumer Protection Act (MD Code, Com. Law §13-301 et seq.), which prohibits unfair or deceptive trade practices including misrepresentation of privacy protections. The AG also has enforcement authority under the Maryland Personal Information Protection Act for data security failures. Enforcement can include civil penalties, injunctive relief, and restitution. Maryland clinics facing a breach or patient complaint may be subject to AG inquiry in addition to federal OCR investigation — both proceedings can run concurrently.
