
Awareness article

HIPAA Compliance for Tennessee Clinics: Federal and State Requirements

Tennessee clinics must meet HIPAA plus TIPA (T.C.A. § 47-18-3201, effective July 2025), 45-day breach notification (T.C.A. § 47-18-2107), and mental health records confidentiality (T.C.A. § 33-3-103). Practical compliance guide.

Short answer

Tennessee clinics comply with HIPAA and Tennessee-specific laws: the Tennessee Information Protection Act (TIPA, T.C.A. § 47-18-3201) effective July 2025 adds consumer health data rights, the Identity Theft Deterrence Act (T.C.A. § 47-18-2107) requires breach notification within 45 days, and T.C.A. § 33-3-103 protects mental health records with strict confidentiality requirements.

Tennessee clinics must now manage HIPAA alongside the Tennessee Information Protection Act (TIPA, effective July 1, 2025), the state breach notification law, and mental health records confidentiality rules — each of which exceeds HIPAA’s requirements in specific areas. Knowing what each adds to your compliance obligations determines where your HIPAA program is sufficient and where it is not.

This guide covers the federal HIPAA baseline, then TIPA, Tennessee’s breach notification law, and mental health records confidentiality requirements. Each section includes the practical implications for small clinic operations.

The HIPAA Baseline for Tennessee Clinics

Tennessee clinics that transmit health information electronically in standard transactions are HIPAA covered entities subject to the Privacy Rule, Security Rule, and Breach Notification Rule. Meeting the federal baseline requires: a current and documented risk analysis, risk management procedures, workforce training, Business Associate Agreements with vendors handling PHI (see how small clinics track vendor BAAs), written security and privacy policies, and incident response procedures.

See HIPAA administrative safeguards for the complete requirements under 45 CFR § 164.308.

HIPAA’s preemption provisions at 45 CFR § 160.203 preserve Tennessee laws that are more protective of patient rights.

Tennessee Information Protection Act: T.C.A. § 47-18-3201

TIPA took effect July 1, 2025 and applies to persons that conduct business in Tennessee or produce products or services targeted to Tennessee residents, but only above a high threshold: the entity must exceed $25 million in annual revenue and, during a calendar year, either control or process the personal information of at least 175,000 consumers, or control or process the personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information. Many independent clinics fall below that threshold; the rest of this section matters for those that do not.

Sensitive personal information under TIPA

TIPA designates several categories of data as sensitive personal information:

  • Personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship status;
  • Genetic data and biometric data;
  • Precise geolocation data;
  • Personal information collected from a known child.

Health diagnoses and mental health treatment records are sensitive personal information under TIPA. Processing sensitive data requires the consumer’s express consent.

HIPAA exemption

TIPA exempts HIPAA-covered entities from its requirements to the extent the personal information is PHI governed by HIPAA. Core clinical records at a covered entity fall under this exemption. The exemption does not extend to health data collected outside the HIPAA-covered treatment framework.

Small Tennessee clinics that meet TIPA’s processing thresholds should evaluate whether any digital tools — consumer wellness programs, patient-facing apps, or website analytics that collect health-related information — create TIPA obligations for data outside the HIPAA exemption.

Consumer rights under TIPA

For personal information subject to TIPA, Tennessee consumers have the right to:

  • Confirm whether the entity processes their personal information and access it;
  • Correct inaccurate personal information;
  • Delete personal information the consumer provided;
  • Obtain a portable copy;
  • Opt out of targeted advertising, sale of personal information, and profiling.

For sensitive data, opt-in consent is required before processing.

TIPA enforcement

The Tennessee AG has exclusive enforcement authority; TIPA creates no private right of action. Civil penalties may reach $7,500 per violation. Before initiating an enforcement action the AG must give written notice of the alleged violation, and the controller then has 60 days to cure it.

Tennessee Breach Notification: T.C.A. § 47-18-2107

Tennessee’s data breach notification law, part of the Identity Theft Deterrence Act, requires any information holder that becomes aware of a breach of security to notify affected Tennessee residents within 45 days of discovering the breach.

Why 45 days matters more than HIPAA’s 60 days

HIPAA’s Breach Notification Rule requires notice to affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery (45 CFR § 164.404(b)). Tennessee’s 45-day deadline is 15 days shorter. For a breach at a Tennessee clinic that meets the HIPAA breach definition and involves Tennessee residents’ personal information, the 45-day state deadline is the one to plan around; meeting it also satisfies the federal outer limit.

The 45-day clock starts when your clinic discovers the breach, not when the investigation concludes (HIPAA goes further and treats a breach as discovered on the first day it is known, or would have been known with reasonable diligence, to any workforce member other than the person who caused it). Assess whether notification is required and start drafting notices early; 45 days is a short window for a practice without a dedicated incident response team.

What Tennessee personal information includes

Tennessee’s personal information includes first name or first initial and last name, plus any of the following when unencrypted: Social Security number, driver’s license number, account number with access credentials, medical information, or health insurance information. Health and medical information explicitly trigger the notification obligation.

Notice to the Tennessee AG

T.C.A. § 47-18-2107 requires entities that experience a data breach to provide notification to the Tennessee AG at the same time they notify affected individuals. There is no minimum threshold for AG notification in Tennessee law — any breach triggering individual notices also triggers AG notification.

Notice requirements

Tennessee notification to affected individuals must include:

  • A description of what happened;
  • The types of personal information involved;
  • What the entity is doing to investigate and protect information;
  • Contact information for the entity;
  • What the individual can do to protect themselves.

This content aligns with HIPAA’s breach notice content requirements at 45 CFR § 164.404(c). A unified notification template that satisfies both is achievable — see HIPAA breach notification templates for a starting point to adapt for Tennessee’s 45-day timeline.
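The triage steps above (does the exposed data meet Tennessee's personal-information test, which clock controls, when the AG notice goes out, and whether the draft notice carries every required element) are easy to get wrong under time pressure. The following is an added example, not code from the guide or from PHIGuard, that encodes only this guide's summary of T.C.A. § 47-18-2107 and 45 CFR § 164.404 as a small breach-planning helper. The record layout, the element tag names, the notice field keys, and the sample records are all assumptions constructed for the example.

```python
"""Breach-notification triage for a Tennessee clinic (added example).
Encodes this guide's summary of T.C.A. § 47-18-2107 and 45 CFR § 164.404 only;
element tags, notice keys and the record layout are this example's own assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional, Set

TN_DEADLINE_DAYS = 45        # T.C.A. § 47-18-2107: notify TN residents within 45 days of discovery
HIPAA_OUTER_LIMIT_DAYS = 60  # 45 CFR § 164.404(b): outer limit; HIPAA also bars unreasonable delay

# Elements that, with first name/initial + last name and left unencrypted, make a record
# Tennessee "personal information" per the guide's summary. Tag names are assumptions.
TN_TRIGGER_ELEMENTS: Set[str] = {
    "ssn", "drivers_license", "account_number_with_credentials",
    "medical_information", "health_insurance_information",
}

# Content the guide lists for the individual notice (§ 47-18-2107 / 45 CFR § 164.404(c)).
REQUIRED_NOTICE_FIELDS = (
    "what_happened", "information_involved", "entity_response", "contact", "individual_steps",
)


@dataclass
class ExposedRecord:
    tn_resident: bool
    has_name: bool      # first name or first initial plus last name present
    elements: Set[str]  # exposed data elements, using the tags above
    encrypted: bool     # True if the exposed copy of those elements was encrypted


@dataclass
class NotificationPlan:
    tn_affected: int
    tn_notice_required: bool
    individual_deadline: Optional[date]  # controlling deadline for individual notices
    hipaa_outer_limit: date
    ag_notice_due: Optional[date]        # guide: AG notified at the same time as individuals
    missing_notice_fields: List[str]


def is_tn_personal_information(rec: ExposedRecord) -> bool:
    """Name + at least one trigger element, unencrypted: the guide's § 47-18-2107 test."""
    return rec.has_name and not rec.encrypted and bool(rec.elements & TN_TRIGGER_ELEMENTS)


def plan_notifications(discovery: date, records: Iterable[ExposedRecord],
                       hipaa_breach: bool, draft_notice: dict) -> NotificationPlan:
    """Decide who must be told by when. Both clocks start at discovery, not at the end
    of the investigation, so this is meant to be run on day one of an incident."""
    tn_affected = sum(1 for r in records if r.tn_resident and is_tn_personal_information(r))
    tn_required = tn_affected > 0
    hipaa_outer = discovery + timedelta(days=HIPAA_OUTER_LIMIT_DAYS)
    if tn_required:
        deadline = discovery + timedelta(days=TN_DEADLINE_DAYS)  # 45 < 60: state deadline controls
    elif hipaa_breach:
        deadline = hipaa_outer                                   # federal outer limit only
    else:
        deadline = None                                          # no notice obligation found here
    ag_due = deadline if tn_required else None                   # concurrent with individual notices
    missing = [f for f in REQUIRED_NOTICE_FIELDS if not draft_notice.get(f)]
    return NotificationPlan(tn_affected, tn_required, deadline, hipaa_outer, ag_due, missing)


# Constructed sample incident: one TN record triggers; the encrypted, non-resident and
# name-less records do not count toward the Tennessee notice.
SAMPLE_RECORDS = [
    ExposedRecord(tn_resident=True,  has_name=True,  elements={"ssn", "medical_information"},      encrypted=False),
    ExposedRecord(tn_resident=True,  has_name=True,  elements={"medical_information"},             encrypted=True),
    ExposedRecord(tn_resident=False, has_name=True,  elements={"ssn"},                             encrypted=False),
    ExposedRecord(tn_resident=True,  has_name=False, elements={"health_insurance_information"},    encrypted=False),
]
SAMPLE_DRAFT_NOTICE = {"what_happened": "...", "information_involved": "...", "contact": "..."}


def sample_plan() -> NotificationPlan:
    return plan_notifications(date(2025, 9, 1), SAMPLE_RECORDS, hipaa_breach=True,
                              draft_notice=SAMPLE_DRAFT_NOTICE)


if __name__ == "__main__":
    p = sample_plan()
    print(f"TN residents to notify: {p.tn_affected}; individual notices due {p.individual_deadline}; "
          f"AG notice due {p.ag_notice_due}; HIPAA outer limit {p.hipaa_outer_limit}")
    print("draft notice missing:", p.missing_notice_fields)
```

Run it at the top of the incident and again whenever the scope changes: adding a single unencrypted Tennessee record flips the controlling deadline from the 60-day federal outer limit to the 45-day state date and adds the concurrent AG notice, and the missing-fields list tells you what the draft notice still lacks before it goes out.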

Mental Health Records: T.C.A. § 33-3-103

Tennessee Code Annotated § 33-3-103 governs the confidentiality of records pertaining to persons receiving mental health services. The statute applies to service providers operating under Title 33, which covers state-operated and licensed behavioral health facilities.

Disclosure restrictions

Under T.C.A. § 33-3-103, records, communications, and information pertaining to any person receiving mental health services are confidential and may be disclosed only:

  • With the patient’s written consent;
  • To providers directly involved in treatment;
  • In a medical emergency;
  • As required by mandatory reporting laws;
  • Under court order in specified proceedings.

The statute does not provide a general payment exception. A Tennessee clinic providing outpatient mental health services cannot disclose mental health treatment records for insurance claims adjudication without patient consent — even though HIPAA’s payment exception would generally permit this.

Applicability to outpatient providers

The statute’s direct scope is facilities licensed or operated under Title 33. For clinics providing outpatient mental health services that are not licensed as Title 33 facilities, the statute may not apply directly. However, Tennessee courts have recognized the policy reflected in § 33-3-103 and applied similar confidentiality standards to other mental health service providers. Clinics with integrated behavioral health programs should implement § 33-3-103-compliant procedures regardless of whether the statute technically covers their facility type.

Substance use disorder records

Tennessee clinics treating substance use disorders must also comply with 42 CFR Part 2, which is stricter than both HIPAA and § 33-3-103 for SUD-specific records. The 2024 amendments to 42 CFR Part 2 changed the consent model to allow patients to authorize future disclosures for treatment/payment/operations — but the restrictions on disclosure to law enforcement and in criminal proceedings remain stronger than HIPAA’s.

Training implications

Train staff who handle records requests to identify mental health treatment records and route them through the enhanced consent process, separate from the general records release procedure. Billing staff processing claims for behavioral health services need this training too.

Four Action Items for Tennessee Clinics

1. Set breach response to 45 days and add AG notification. Update your incident response policy and breach notification procedure to reflect Tennessee’s 45-day deadline. Build in a step for AG notification concurrent with individual notices — the Tennessee AG notification requirement has no minimum threshold. Update your breach assessment template to flag Tennessee-specific requirements at the start of any incident.

2. Assess TIPA applicability to non-PHI health data. Review your digital health tools, consumer-facing platforms, and website analytics. Identify any health information collected outside the HIPAA-covered treatment relationship. If your clinic meets TIPA’s processing thresholds, evaluate whether TIPA consent requirements apply to any of those data collection activities.

3. Implement separate authorization procedures for mental health records. Audit your records release and billing procedures for mental health services. Create authorization forms and workflows specific to mental health records that meet T.C.A. § 33-3-103’s consent requirements, not just HIPAA’s general authorization framework.

4. Document risk analysis with Tennessee-specific inputs. Use the HIPAA risk analysis worksheet and add Tennessee-specific risks: 45-day breach response capability, TIPA applicability, and mental health records handling. Documentation is the foundation of your defense in both OCR and AG investigations.

Staying Current in Tennessee

TIPA is new law. The Tennessee AG’s office will issue guidance and rules as enforcement posture develops. Tennessee clinics should monitor AG consumer protection guidance and the Tennessee Medical Association’s compliance resources to stay current with the evolving framework.

PHIGuard supports Tennessee clinics with HIPAA compliance management, vendor BAA tracking, policy documentation, and incident response; current plan and BAA details are published on the PHIGuard pricing page.

PHIGuard commercial baseline

PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.

FAQ

Questions related to this topic

What is the Tennessee breach notification deadline?

T.C.A. § 47-18-2107 requires notification to affected Tennessee residents within 45 days of discovering a breach of personal information. This is stricter than HIPAA's 60-day maximum. Tennessee clinics must notify within 45 days — not 60.

Does the Tennessee Information Protection Act apply to my clinic's patient records?

TIPA exempts HIPAA-covered entities from its requirements to the extent the personal information is PHI governed by HIPAA. Core clinical patient records at a covered entity are exempt. TIPA may apply to health information the clinic processes outside the HIPAA-covered treatment relationship — such as consumer wellness apps, non-patient scheduling data, or digital marketing tools that associate individuals with health conditions.

What mental health records protections does Tennessee have beyond HIPAA?

T.C.A. § 33-3-103 requires that records, communications, and information relating to any person receiving mental health services be kept confidential and disclosed only with the patient's consent or under specified exceptions. For mental health treatment records this imposes stricter consent requirements than HIPAA's general treatment, payment, and operations exceptions.
