
How Michigan HIPAA Laws Might be Changing

Michigan HIPAA laws are the state regulations that Michigan-based HIPAA Covered Entities and Business Associates have to comply with when the state's laws provide more stringent privacy protections or greater individual rights than HIPAA. In recent years, Michigan's state laws have been closely aligned with HIPAA, but that may be about to change.

If your organization is a HIPAA Covered Entity or Business Associate operating in Michigan – or one that creates, receives, maintains, or transmits PHI of Michigan residents – the privacy, security, and breach notification regulations you have to comply with are mostly the same as those in the HIPAA Administrative Simplification Regulations (45 CFR Part 160 and 45 CFR Part 164).

Generally, there are relatively few cases in which Michigan HIPAA laws preempt HIPAA, and these mostly relate to protecting HIV-related and SUD-related health information and certain types of mental health records, and to the mandatory reporting of injuries and illnesses attributable to child abuse, domestic abuse, and elder abuse. There are also a few nuances in the Medical Records Access Act.

However, a bill introduced in the fall of 2022 could significantly increase the number of cases in which Michigan HIPAA laws preempt HIPAA – especially with regard to the role of Business Associates. Although the original Michigan Personal Data Privacy Act ran out of time to be properly considered by the Michigan legislature in 2022, the bill is due to be reintroduced in 2023.


What is in the New Michigan HIPAA Laws?

The bill proposes a GDPR-style privacy framework that would require most businesses in Michigan – and businesses serving residents of Michigan – to obtain consent before collecting, processing, or storing personal data. Individuals would have the right to know how their data is being used, what it is being collected for, and who it is being shared with. They would also have the "right to be forgotten".

Although the proposals in the original bill did not apply to HIPAA Covered Entities, there was no exemption for Business Associates. Nor was there an exemption for Protected Health Information once it is shared with a Business Associate; and, because the Personal Data Privacy Act has more stringent privacy protections than HIPAA, it would apply to Business Associates rather than being preempted by HIPAA.

This might cause an issue not only for Business Associates, but also for Covered Entities sharing PHI with Business Associates, because of the consent requirement. It might be necessary not only to amend existing Notices of Privacy Practices, but also to develop new policies and procedures and to train members of the workforce on them.

Importantly, Covered Entities may have to scrutinize the businesses they share PHI with more closely to ensure Security Rule and Breach Notification Rule compliance, because the Senator behind the bill – Senator Rosemary Bayer – is keen for the Michigan Personal Data Privacy Act to include a private right of action. This could mean non-compliant Covered Entities face not only enforcement action by HHS' Office for Civil Rights and Michigan's Attorney General, but also civil lawsuits brought by affected individuals.

Get Ahead of the Changes to Michigan's Laws

Privacy and Security Officers for Michigan-based organizations need to keep an eye out for when the proposals are reintroduced into the Senate, so they can identify proposed changes that may affect HIPAA compliance. Senator Bayer has indicated she has bipartisan support to get the bill passed by the fall of 2024 and has already held meetings with stakeholders to get further input.

If your organization qualifies as a Michigan-based Covered Entity, provides third-party services for a Michigan-based Covered Entity that involve the use or disclosure of PHI, or creates, receives, maintains, or transmits PHI of Michigan residents, it may be worthwhile getting ahead of the changes to Michigan's HIPAA laws by seeking professional compliance advice today.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal and is responsible for its editorial policy and for the factual and legal accuracy of all content it publishes. He is a specialist in healthcare industry legal and regulatory affairs, has 10 years of experience writing about HIPAA and related legal topics, and has written hundreds of articles on the regulatory issues surrounding the use of information technology in the healthcare industry. Steve manages The HIPAA Journal's team of writers and holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or by email at stevealder(at)hipaajournal.com
