HIPAA Compliance for Virginia Clinics: Federal and State Requirements
Virginia clinics must meet HIPAA plus the Virginia CDPA (Code of Va. § 59.1-575 et seq.), the state breach notification statute (Code of Va. § 18.2-186.6), and the health records access rules (Code of Va. § 32.1-127.1:03). Practical compliance guide.
Short answer
Virginia clinics must comply with HIPAA and with three Virginia laws: the Virginia CDPA (Code of Va. § 59.1-575 et seq., effective January 1, 2023) gives consumers rights over health data that falls outside HIPAA's reach, the breach notification statute (§ 18.2-186.6) requires notice to affected residents and to the Attorney General without unreasonable delay, and Code of Va. § 32.1-127.1:03 gives patients a right to inspect and obtain copies of their health records on a fixed timeline.
Virginia clinics therefore manage four overlapping frameworks: HIPAA, the CDPA's sensitive-data provisions (effective January 1, 2023), Virginia's breach notification requirements, and Virginia's own patient access statute. Knowing which framework controls in each situation determines where your HIPAA program is sufficient and where it alone leaves you exposed.
This guide addresses the HIPAA foundation, then covers the three Virginia-specific frameworks most relevant to small clinic operations: the Virginia CDPA (Code of Va. § 59.1-575 et seq.), breach notification under Code of Va. § 18.2-186.6, and medical records access under Code of Va. § 32.1-127.1:03. For a full CDPA vs. HIPAA comparison, see Virginia CDPA vs HIPAA.
The HIPAA Baseline for Virginia Clinics
Virginia clinics transmitting health information electronically in standard transactions are HIPAA covered entities. The full requirements of the Privacy Rule, Security Rule, and Breach Notification Rule apply. At the operational level this means: a current risk analysis, documented risk management, workforce training, Business Associate Agreements with vendors (see how small clinics track vendor BAAs), written policies and procedures, and an incident response capability calibrated to breach notification requirements.
See HIPAA administrative safeguards for a detailed breakdown of the required safeguards under 45 CFR § 164.308.
HIPAA’s preemption provisions at 45 CFR § 160.203 preserve state laws providing greater protection for patient rights. Where Virginia law is stricter than HIPAA, Virginia law governs.
Virginia Consumer Data Protection Act: Code of Va. § 59.1-575
The Virginia CDPA applies to entities that conduct business in Virginia or produce products or services targeted to Virginia residents, and that either process the personal data of 100,000 or more consumers annually, or derive over 50% of gross revenue from the sale of personal data and process the data of 25,000 or more consumers annually.
Sensitive data and health information
The CDPA defines sensitive data to include:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
- Genetic or biometric data processed for the purpose of uniquely identifying a natural person;
- Personal data collected from a known child;
- Precise geolocation data.
Health diagnoses and mental health treatment records are sensitive data under the CDPA. Processing sensitive data requires the consumer's consent, which the Act defines as a clear affirmative act (a pre-ticked box or general acceptance of terms does not qualify).
HIPAA exemption
The CDPA's HIPAA exemption (Code of Va. § 59.1-576) operates at two levels. At the entity level, any covered entity or business associate governed by the HIPAA Privacy, Security, and Breach Notification Rules is excluded from the Act altogether. At the data level, protected health information under HIPAA is excluded from the Act regardless of who holds it.
Because the entity-level exemption attaches to the clinic rather than to the data, a HIPAA-covered clinic is outside the CDPA even for information it collects that is not PHI. Exposure arises where health data is collected by an organization that is not itself a covered entity or business associate: a consumer wellness app operated by a separate affiliate, a marketing vendor that associates individuals with health conditions, or a scheduling tool marketed to non-patients. Those organizations must also meet the volume thresholds above before the CDPA applies, but a clinic that shares or receives data through them should confirm which side of the line each one sits on, and whether a BAA brings it inside HIPAA.
Consumer rights under the CDPA
For data subject to the CDPA (i.e., health data held by an organization outside the HIPAA exemption), Virginia consumers have rights to:
- Confirm whether the entity is processing their personal data and access that data;
- Correct inaccurate personal data;
- Delete personal data provided by or obtained about the consumer;
- Obtain a portable copy of personal data;
- Opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.
For sensitive data including health diagnoses, opt-in consent is required before processing.
Data protection assessments
The CDPA requires data protection assessments for processing activities that present heightened risk, including any processing of sensitive data such as health diagnoses and mental health treatment information. If an affiliate or vendor processes health data outside the HIPAA framework and is subject to the CDPA, it must conduct and document a data protection assessment for that processing, and the clinic should ask to see it before sharing data.
Enforcement: Virginia AG
The Virginia AG has exclusive enforcement authority under the CDPA; there is no private right of action, so patients cannot sue directly under it. Before initiating enforcement the AG must give written notice and a 30-day opportunity to cure. A violation that is not cured carries a civil penalty of up to $7,500 per violation plus the AG's costs. Take AG enforcement letters seriously even without private litigation risk.
Virginia Data Breach Notification: Code of Va. § 18.2-186.6
Virginia's breach notification statute applies to any individual or entity that owns or licenses computerized data including personal information about Virginia residents. It is triggered when unencrypted or unredacted personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person and the entity reasonably believes the breach has caused or will cause identity theft or other fraud. Notice to affected residents and to the Office of the Attorney General must be given without unreasonable delay, allowing reasonable time to determine the scope of the breach and restore system integrity. For PHI, HIPAA's 60-day outer limit runs in parallel, so clinics should treat 60 days from discovery as the ceiling.
Alignment with HIPAA
For PHI, HIPAA's 60-day outer limit sets the calendar, and Virginia's "without unreasonable delay" standard runs alongside it. The two laws differ in triggering conditions, definitions, recipients, and notice content, so the result is a dual obligation rather than a pass-through.
Virginia defines personal information as a resident's first name or first initial and last name combined with one or more of the following data elements, when unencrypted or unredacted: Social Security number; driver's license or state identification card number; financial account, credit card, or debit card number together with any required security code, access code, or password; passport number; or military identification number. Health information by itself is not a listed element, so a breach of diagnosis or treatment data tied only to a name triggers HIPAA's Breach Notification Rule but not § 18.2-186.6. The state statute is triggered when the compromised records also carry one of the listed identifiers, which clinic records commonly do (Social Security numbers in billing files, driver's license numbers captured for identity verification). Check each breached data set element by element rather than assuming one answer for "patient records."
AG notification and consumer reporting agencies
Under HIPAA, a breach affecting 500 or more individuals must be reported to HHS within 60 days (smaller breaches go into an annual log), and media notice is required when 500 or more residents of a state or jurisdiction are affected. Virginia's § 18.2-186.6 is stricter in one respect: the Office of the Attorney General must be notified of every breach that triggers individual notice, with no size threshold. When notice goes to more than 1,000 Virginia residents at one time, the entity must also notify, without unreasonable delay, the nationwide consumer reporting agencies of the timing, distribution, and content of the notice. Both steps are additional to HIPAA's HHS reporting.
Substitute notice
Virginia permits substitute notice when the cost of direct notice would exceed $50,000, more than 100,000 residents would have to be notified, or the entity lacks sufficient contact information. It consists of e-mail notice where an address is known, conspicuous posting on the entity's website, and notice to major statewide media. HIPAA's substitute notice has a different trigger (insufficient or out-of-date contact information for ten or more individuals) and a different form (a website posting or major media notice maintained for 90 days, with a toll-free number). Because the triggers differ, a breach that qualifies for HIPAA substitute notice may still require individual written notice under Virginia law, and the reverse can also occur. Clinics should not assume that HIPAA-compliant substitute notice satisfies Virginia law.
Medical Records Access: Code of Va. § 32.1-127.1:03
Code of Virginia § 32.1-127.1:03 establishes patient rights to access, inspect, and obtain copies of their own health records, and sets the timeline and fee limits for doing so. The statute applies to "health care entities" as defined in the section, which include health care providers, health plans, and health care clearinghouses.
Patient access rights
Under § 32.1-127.1:03, patients have the right to:
- Inspect their medical records during normal business hours;
- Receive copies of their records within 15 days of the request, upon payment of the fee the statute allows;
- Add a written statement to the record if they disagree with its contents;
- Have corrections or amendments made to records that are inaccurate.
The statute requires a health care entity to furnish copies within 15 days of receipt of the request, a shorter window than HIPAA's 30 days. Because HIPAA's preemption rule preserves state law that is more protective of the individual, the Virginia 15-day clock controls for Virginia clinics, and access procedures should be built to it rather than to HIPAA's 30-day window. The statute allows a provider to withhold records only in narrow circumstances, such as a physician's documented determination that release would be reasonably likely to endanger the patient's life or physical safety; any denial should be documented with the statutory basis and the patient told how to seek review.
Fees for medical records
Virginia law permits a health care entity to charge a reasonable, cost-based fee for copies furnished to the patient, and the statute caps the per-page and search-and-handling charges that may be imposed. Fees may not be used as a barrier to access. Where HIPAA's access rule is stricter, the HIPAA limit controls: HHS reads 45 CFR § 164.524(c)(4) as limiting fees for a copy to the labor of copying, supplies, postage, and any requested summary, and for an electronic copy of an electronically maintained record that is typically only the labor cost. A state fee cap applies only to the extent it is at or below the HIPAA cost-based amount.
Mental health and substance use records
Code of Va. § 37.2-400 sets out the rights of individuals receiving services from providers licensed under Title 37.2 (Behavioral Health and Developmental Services), including confidentiality of their records. These records carry protections beyond those for general medical records. Substance use disorder records from federally assisted programs are additionally governed by 42 CFR Part 2, which has its own consent requirements. Clinics providing behavioral health or SUD services must implement separate authorization procedures for those records, consistent with § 37.2-400, 42 CFR Part 2 where it applies, and HIPAA's protections for psychotherapy notes.
Four Action Items for Virginia Clinics
1. Map which organizations hold health data and under which law. A HIPAA-covered clinic is outside the CDPA, but an affiliate or vendor that collects health data without being a covered entity or business associate is not. Audit your digital touchpoints (website analytics, scheduling tools, consumer-facing wellness resources) and for each one record who controls the data and whether that party is a covered entity, a business associate under a BAA, or neither. Where the CDPA applies to such a party, confirm it has consent procedures, a data protection assessment, and a consumer rights response process.
2. Verify your breach response aligns with both HIPAA and Virginia requirements. Confirm your incident response procedure addresses Virginia's trigger (unencrypted or unredacted personal information plus a reasonable belief of identity theft or fraud), notice to the Virginia AG for every qualifying breach, notice to consumer reporting agencies when more than 1,000 residents are notified, Virginia's notice content requirements, and HIPAA's 60-day outer limit, which sets the calendar for PHI. Use the HIPAA breach notification templates as a baseline and add the Virginia-specific elements.
3. Build a patient records access procedure consistent with § 32.1-127.1:03. Document the intake, review, and fulfillment process for records requests. Train staff on the 15-day deadline for furnishing copies, on the limits that Virginia and HIPAA impose on fees for electronic records, and on the narrow grounds for denial. Include a step for handling corrections, amendments, and statements of disagreement.
4. Conduct a risk analysis with Virginia-specific inputs. Use the HIPAA risk analysis worksheet and add Virginia-specific risk factors: CDPA applicability to non-PHI health data, AG enforcement posture, and behavioral health records procedures under § 37.2-400.
Staying Current in Virginia
The Virginia CDPA was the second comprehensive state privacy law in the country, and the AG's enforcement approach continues to develop. Virginia clinics should monitor the AG's Consumer Protection Section for guidance on CDPA enforcement and review their compliance posture annually, particularly for any digital health tools operated by parties outside the HIPAA-covered framework.
PHIGuard supports Virginia clinics with HIPAA compliance management, policy documentation, vendor BAA tracking, and incident response — with current plan and BAA details published on the pricing page. Visit PHIGuard HIPAA or see pricing.
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.
Sources
- Virginia Consumer Data Protection Act (Code of Va. § 59.1-575 et seq.) · Virginia General Assembly
- Virginia Data Breach Notification (Code of Va. § 18.2-186.6) · Virginia General Assembly
- Virginia Medical Records Access (Code of Va. § 32.1-127.1:03) · Virginia General Assembly
- 45 CFR Parts 160 and 164 — HIPAA Privacy and Security Rules · eCFR