HIPAA Compliance for Michigan Medical Clinics
Michigan clinics must comply with HIPAA plus Michigan's Identity Theft Protection Act (MCL § 445.63) for breach notification and the Michigan Public Health Code (MCL § 333.26269) for medical records access with a 30-day response requirement.
Short answer
Michigan medical clinics must satisfy HIPAA plus Michigan's Identity Theft Protection Act (MCL § 445.63) for breach notification, the Michigan Public Health Code (MCL § 333.26269) for patient records access with a 30-day response requirement, and Michigan's HIV/AIDS-specific confidentiality protections under the Michigan Public Health Code. Michigan does not set a specific maximum breach notification deadline in days, making HIPAA's 60-day ceiling the outer limit for HIPAA-covered breaches.
Michigan medical clinics must satisfy HIPAA plus four Michigan-specific frameworks: the Identity Theft Protection Act (MCL § 445.63) for breach notification, the Public Health Code for 30-day patient records access, the Mental Health Code for mental health record disclosures, and HIV/AIDS confidentiality protections that restrict disclosure beyond HIPAA’s treatment exception. Your HIPAA program addresses none of these Michigan requirements directly.
HIPAA Baseline Requirements
Michigan medical clinics that transmit health information electronically in connection with covered transactions are HIPAA-covered entities. The federal HIPAA baseline includes:
- Risk analysis and risk management under 45 CFR § 164.308(a)(1)
- Administrative, physical, and technical safeguards under 45 CFR §§ 164.308–164.316
- Business associate agreements with all business associates
- Notice of Privacy Practices provided to patients
- Patient rights — access within 30–60 days, amendment, accounting of disclosures
- Breach notification procedures under the Breach Notification Rule
For administrative safeguard requirements, see HIPAA administrative safeguards. For technical safeguard audit requirements, see HIPAA audit log requirements for small clinics.
Michigan Identity Theft Protection Act: Breach Notification
MCL § 445.63, Michigan’s Identity Theft Protection Act, requires any agency — a term that includes healthcare providers — that owns or licenses personal information about Michigan residents to notify affected individuals following a security breach of a database containing their personal information.
Definition of personal information
Michigan’s personal information definition includes a Michigan resident’s first name or first initial and last name, combined with:
- Social Security number
- Driver’s license or state ID number
- Financial account numbers with security codes
- Medical records number or medical history
- Health insurance policy or certificate number, subscriber identification number, or any unique identifier used by a health insurer
The medical records number and medical history categories mean that a breach involving patient names and medical record numbers triggers Michigan breach notification alongside HIPAA’s Breach Notification Rule.
Notification timeline
MCL § 445.63(2) requires disclosure to affected Michigan residents in the most expedient time possible and without unreasonable delay following discovery of the breach. Michigan does not set a statutory maximum number of days. For HIPAA-covered breaches, HIPAA’s 60-day ceiling provides the outer limit — but Michigan’s “expedient time” standard strongly encourages acting sooner.
For breaches affecting 1,000 or more Michigan residents, MCL § 445.63(6) requires simultaneous notification to the Michigan AG.
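As an added example (not the page's or PHIGuard's code), the following Python turns the rules just described into a breach-triage check an incident response plan can call: a Michigan resident counts only when a name is exposed together with one of the listed data elements, the AG trigger fires at 1,000 residents, and the two dates are HIPAA's 60-day ceiling and the 30-day internal target the article recommends. The record schema, element names and sample data are assumptions constructed for illustration.

```python
# Added example (not the page's or PHIGuard's code): triage a breach against the
# Michigan ITPA trigger, the 1,000-resident AG threshold, HIPAA's 60-day ceiling
# and the article's 30-day internal target. Schema and data are constructed.
from dataclasses import dataclass
from datetime import date, timedelta

# Elements that, combined with a first name/initial and last name, make a
# record "personal information" under MCL 445.63 as summarized above.
MI_QUALIFYING_ELEMENTS = frozenset({
    "ssn", "drivers_license", "state_id", "financial_account_with_code",
    "medical_record_number", "medical_history", "health_insurance_id",
})
AG_THRESHOLD = 1000        # MCL 445.63(6): simultaneous AG notification
INTERNAL_TARGET_DAYS = 30  # article's "expedient time" internal target
HIPAA_CEILING_DAYS = 60    # HIPAA Breach Notification Rule outer limit

@dataclass(frozen=True)
class ExposedRecord:
    state: str           # two-letter state of residence
    has_name: bool       # first name or initial plus last name exposed
    elements: frozenset  # data elements exposed for this individual

@dataclass(frozen=True)
class Assessment:
    mi_notify_required: bool
    mi_residents_affected: int
    ag_notification_required: bool
    internal_target: date   # when the clinic aims to have notified residents
    hipaa_deadline: date    # last day permitted for a HIPAA-covered breach

def assess_michigan_breach(records, discovered: date) -> Assessment:
    """Count Michigan residents whose exposed data meets the ITPA definition
    and derive the notification triggers and dates from discovery."""
    affected = sum(
        1 for r in records
        if r.state == "MI" and r.has_name and r.elements & MI_QUALIFYING_ELEMENTS
    )
    return Assessment(
        mi_notify_required=affected > 0,
        mi_residents_affected=affected,
        ag_notification_required=affected >= AG_THRESHOLD,
        internal_target=discovered + timedelta(days=INTERNAL_TARGET_DAYS),
        hipaa_deadline=discovered + timedelta(days=HIPAA_CEILING_DAYS),
    )

# Constructed sample: 1,200 Michigan patients exposed with name + MRN, one Ohio
# resident, and one Michigan patient whose exposed field does not qualify.
SAMPLE = [ExposedRecord("MI", True, frozenset({"medical_record_number"}))] * 1200
SAMPLE += [ExposedRecord("OH", True, frozenset({"ssn"})),
           ExposedRecord("MI", True, frozenset({"appointment_date"}))]
```

Running assess_michigan_breach(SAMPLE, date(2025, 1, 10)) reports 1,200 affected Michigan residents, AG notification required, an internal target of 2025-02-09 and a HIPAA deadline of 2025-03-11.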
Security program requirement
MCL § 445.72a requires agencies that own or license personal information to implement and maintain reasonable security procedures and practices appropriate to the nature of the information and the nature and size of the business. For HIPAA-covered Michigan clinics, a Security Rule-compliant security program satisfies this requirement for PHI. Non-PHI personal data — financial information, employee records — must also be covered by reasonable security procedures.
Michigan Public Health Code: Medical Records Access
MCL § 333.26269 requires healthcare providers to make health records available for inspection within a reasonable time following a patient’s request and to provide copies on request. Michigan does not define “reasonable time” with a specific number of days in the statute, but regulatory guidance and healthcare practice treat 30 days as the standard.
Comparison with HIPAA
HIPAA’s access right at 45 CFR § 164.524(b)(2) gives covered entities 30 days to respond to access requests, with one 30-day extension available when records are not maintained or accessible on site. Michigan law does not expressly provide for an equivalent extension. Michigan clinics should treat 30 days as the practical deadline for patient records access requests.
Michigan allows providers to charge a reasonable fee for copies, but the fee must not act as a barrier to access. The Michigan Department of Licensing and Regulatory Affairs (LARA) has provided guidance on reasonable fee structures.
Prohibited denials
MCL § 333.26269 makes it a violation of the Public Health Code for a healthcare provider to withhold health records as leverage in a billing dispute or to use access as a condition of payment for services rendered. This mirrors HIPAA’s prohibition on withholding access for non-payment.
Michigan Mental Health Code: MCL § 330.1748
The Michigan Mental Health Code, at MCL § 330.1748, provides that records of any person who has received mental health services are confidential and may not be disclosed except:
- With the person’s consent
- To healthcare providers participating in the treatment and requiring access for treatment purposes
- In legal proceedings where the person’s mental health condition is directly at issue
- To the Michigan Department of Health and Human Services for oversight purposes
- In certain emergency situations involving risk to the person or others
The treatment exception under § 330.1748 is more specific than HIPAA’s TPO exception. If your clinic provides mental health services — including outpatient behavioral health, psychiatric medication management, or crisis intervention — you must implement access controls that limit Mental Health Code records to providers directly participating in the patient’s care.
Michigan’s Mental Health Code also governs records for patients receiving substance use disorder treatment services through community mental health programs, creating an additional layer of confidentiality for those records beyond 42 CFR Part 2 for federally assisted programs.
Michigan HIV/AIDS Confidentiality
The Michigan Public Health Code contains HIV-specific confidentiality provisions. Under MCL § 333.5131, information regarding a person’s HIV status that comes to the knowledge of a healthcare provider, public health official, or other person in the course of providing treatment or services is confidential. The information may not be disclosed without the patient’s written consent except:
- To healthcare providers with a direct treatment relationship and clinical need to know
- To the Michigan Department of Health and Human Services for public health surveillance and partner notification
- In specific court proceedings under procedures that protect confidentiality
- For certain emergency medical care disclosures
Your clinic must maintain EHR access controls that limit HIV status information to providers with documented direct treatment relationships.
Five Action Items for Michigan Clinics
1. Update breach response procedures. Set a 30-day internal target for notifying Michigan residents — consistent with “expedient time” expectations — and build the AG notification trigger at 1,000 affected Michigan residents into your incident response plan. The HIPAA breach notification templates provide a working framework to adapt for Michigan.
2. Build records access procedures around a 30-day deadline. Treat 30 days as the operative deadline for Michigan patient records access requests. Do not rely on HIPAA’s 30-day extension provision for Michigan patients. Train medical records staff on Michigan’s access standard.
3. Implement Mental Health Code access controls. If providing mental health services, configure your EHR to segregate Michigan Mental Health Code records and restrict access to providers directly participating in care. Train staff that Mental Health Code records require separate authorization review before disclosure.
4. Create HIV-specific disclosure procedures. Build a disclosure review step for any record containing HIV-related information. Train records release and care coordination staff on Michigan’s HIV confidentiality requirements. Confirm that EHR access controls limit HIV status visibility appropriately.
5. Audit vendors for Michigan compliance. Vendors receiving personal information about Michigan residents need contracts addressing Michigan’s breach notification law. See how small clinics track vendor BAAs for a vendor management approach.
PHIGuard supports Michigan clinics in maintaining the documentation, access control records, and breach notification timelines that HIPAA and Michigan state law require. Pricing details are published on the pricing page. See PHIGuard’s compliance tools or review pricing.
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.
Sources
- Michigan Identity Theft Protection Act — MCL § 445.63 · Michigan Legislature
- Michigan Public Health Code — MCL § 333.26269 · Michigan Legislature
- Michigan Mental Health Code — MCL § 330.1748 · Michigan Legislature
- 45 CFR Parts 160 and 164 — HIPAA Privacy and Security Rules · eCFR