Navigating HIPAA Compliance in Arizona: Key State-Specific Mandates
Haylee Short
12/28/2025 (2 min read)
Introduction
In Arizona, healthcare organizations and their IT partners operate under a "dual-compliance" framework. While the federal Health Insurance Portability and Accountability Act (HIPAA) provides the national baseline for data protection, Arizona state law often introduces more stringent requirements. When these regulations overlap, Arizona law mandates that providers follow the standard that is most protective of patient rights.
Accelerated Breach Reporting (A.R.S. § 18-552)
Arizona significantly tightens the timeline for responding to data compromises.
The 45-Day Clock: Unlike the 60-day window allowed by HIPAA, Arizona law requires notifying affected individuals no later than 45 days after a breach is discovered.
Attorney General Notification: If a breach impacts more than 1,000 Arizona residents, organizations must also notify the Arizona Attorney General and the Director of the Arizona Department of Homeland Security.
High Financial Stakes: Willful violations of these state reporting standards can result in civil penalties up to $500,000.
Medical Record Retention Standards
While HIPAA requires organizations to keep compliance documentation for six years, it is silent on how long actual medical records must be kept. Arizona statutes fill this gap:
Adult Records: Must be retained for at least six years after the last date of service.
Minor Records: Must be kept for at least three years after the patient turns 18, or six years after the last date of service, whichever is later.
Health Information Exchange (HIE) Opt-Out Mandates
Arizona law (A.R.S. Title 36) provides specific governance for Health Information Organizations (HIOs) that manage the electronic exchange of data.
Patient Autonomy: Patients have a statutory right to "opt-out" of having their identifiable information accessible through an HIE.
30-Day Technical Deadline: Once an HIO receives an opt-out notice, the patient's data must be made inaccessible through the exchange within 30 days.
Mandatory HIE Training: Arizona requires that every employee or agent of an HIO receive specific privacy and security training before gaining access to the system.
Heightened Protections for Sensitive Data
Arizona identifies certain types of health information as deserving of protections that go beyond standard HIPAA "General PHI" status.
Communicable Diseases: Information regarding HIV/AIDS or other communicable diseases is subject to strict confidentiality under A.R.S. § 36-664, often requiring specific state-defined authorizations for disclosure.
Mental Health & Threats: Arizona law is more prescriptive regarding the "Duty to Warn." Under A.R.S. § 36-517.02, providers are specifically required to report to law enforcement if a patient poses an imminent risk of serious harm to others.
