Illinois healthcare providers must follow two sets of rules. One is federal HIPAA. The other is Illinois state privacy laws, which are stricter in some areas. This guide covers both layers, gives you a hands-on compliance checklist, and flags the state rules that most out-of-state guides miss entirely.
How HIPAA and Illinois Rules Interact
HIPAA (Health Insurance Portability and Accountability Act) sets the federal floor for PHI (Protected Health Information) protection. Illinois law does not replace HIPAA - it stacks on top of it. Where Illinois law is stricter, Illinois wins. Where HIPAA is stricter, HIPAA wins. Illinois healthcare providers must meet both at the same time.
These two layers of rules make Illinois one of the strictest states for healthcare compliance. A covered entity that fully follows HIPAA may still break Illinois law. This can happen if it skips state rules on breach notices, genetic data, mental health records, and HIV/AIDS privacy.
Who Qualifies as a Covered Entity in Illinois
Under HIPAA, a covered entity is a health plan, clearinghouse, or provider that sends health data in digital form for a HIPAA-covered transaction. In Illinois, this covers hospitals, doctor offices, dental practices, behavioral health providers, home health agencies, nursing homes, pharmacies, and health insurers in the state.
Illinois also has many FQHCs, major academic medical centers (Northwestern, Rush, UChicago Medicine, Loyola), and specialty practices. All must follow the same stacked federal-state rules.
Who Qualifies as a Business Associate in Illinois
Any vendor that creates, receives, maintains, or transmits PHI for a covered entity is a business associate under HIPAA - and must sign a BAA. Since the 2013 Omnibus Rule, business associates are also directly liable to OCR for Security Rule and breach notification failures, not just contractually liable to the covered entity. Illinois examples include: EHR vendors, billing services, cloud storage providers, answering services, IT firms with system access, and revenue cycle companies. Illinois law does not define its own "business associate" class, but PIPA still reaches vendors: a data collector that maintains or stores personal data it does not own must notify the owner or licensee immediately on discovering a breach (815 ILCS 530/10(b)), so BAAs should spell out how that notice flows.
Illinois State Privacy Laws That Stack on Top of HIPAA
Illinois has four major state laws that healthcare providers must layer on top of federal HIPAA. Each one covers a different type of sensitive health data.
The Illinois Personal Information Protection Act (PIPA) - 815 ILCS 530
PIPA covers breach notice rules for any entity that owns or licenses personal data about Illinois residents. For healthcare providers, this means you must follow PIPA's notice rules on top of HIPAA's 60-day window. In many cases, you must also tell the Illinois Attorney General.
Key PIPA rules for healthcare providers:
- Notification must be made "in the most expedient time possible and without unreasonable delay" after discovery of a breach. The statute itself sets no fixed day count; the 45-day figure that some guides cite is an interpretive reading, not text of 815 ILCS 530. Treat it as a planning target and document any delay that was necessary to determine the scope of the breach or restore the integrity of the affected system, because those are the only delays the statute contemplates.
- If a single breach affects more than 500 Illinois residents, you must also notify the Illinois Attorney General, no later than the time you notify the affected individuals.
- The notice must describe the incident, the type of data involved, a rough count of people affected, and contact details for the entity sending the notice.
- HIPAA-covered entities and business associates that comply with HIPAA's breach notification rules are deemed to comply with PIPA (815 ILCS 530/50), but the AG duty does not go away: any breach that must be reported to HHS must also be reported to the Illinois Attorney General, within 5 business days of notifying HHS.
The Illinois Genetic Information Privacy Act (GIPA) - 410 ILCS 513
GIPA governs how genetic test data is collected, used, and shared in Illinois. It is stricter than the federal GINA in several key ways:
- Healthcare providers may not disclose genetic testing results without written consent from the individual being tested, or a parent or guardian for a minor.
- GIPA creates a private right of action - meaning patients can sue healthcare providers directly for GIPA violations. This is more aggressive than HIPAA, which does not provide patients a private right of action under federal law.
- Violations can result in actual damages or statutory damages, whichever is greater: $2,500 per negligent violation or $15,000 per intentional or reckless violation, plus attorney's fees and costs.
- Insurers, employers, and mortgage lenders cannot tie benefits to genetic testing. This ban extends to healthcare settings where insurers might push providers for genetic data.
Illinois providers who run genetic tests, do genomic research, or treat patients in hereditary disease programs must have GIPA consent forms in place - separate from standard HIPAA forms.
The Mental Health and Developmental Disabilities Confidentiality Act (MHDDCA)
The MHDDCA (740 ILCS 110) gives mental health records much stronger protection than HIPAA does. Under HIPAA, providers can share PHI for treatment, payment, and operations without patient consent. The MHDDCA largely strips that freedom for mental health records:
- Mental health records generally cannot be disclosed without the patient's written consent, even to other treating providers, unless a specific statutory exception applies.
- Exceptions include: emergency situations, court orders, audit and evaluation activities by licensing bodies, and certain research contexts under strict IRB oversight.
- Behavioral health practices, psychiatry groups, substance abuse programs, and integrated care groups must keep separate consent forms for mental health record sharing. HIPAA forms alone are not enough.
- The MHDDCA has its own private right of action: anyone aggrieved by a violation may sue for damages, an injunction, or other relief, with attorney's fees available to a successful plaintiff (740 ILCS 110/15). A knowing and willful violation is also a criminal offense (740 ILCS 110/16), and licensed providers face discipline from the Illinois IDFPR.
This law has a big impact on care coordination. In Illinois, a primary care doctor cannot simply request mental health records from a patient's psychiatrist under HIPAA's treatment exception. Unless one of the Act's statutory exceptions applies, an MHDDCA-compliant written consent from the patient is required.
The AIDS Confidentiality Act - 410 ILCS 305
The Illinois AIDS Confidentiality Act sets stricter privacy rules for HIV/AIDS health data than HIPAA requires:
- HIV test results and AIDS diagnoses may only be disclosed with the subject's specific written release, separate from a general medical record authorization, or under one of the Act's listed exceptions.
- Providers who order HIV tests must obtain and document the subject's informed consent before testing. The Act's consent and counseling provisions have been amended since it was first enacted (Illinois moved to opt-out testing, and the original written-consent and pre-test counseling requirements were relaxed), so check the current text of 410 ILCS 305/4 and 305/5 rather than reusing an older consent template.
- Unauthorized disclosure of HIV/AIDS status is a criminal offense under the Act and also carries civil liability (actual or liquidated damages plus attorney's fees).
- Positive HIV results must be reported to the Illinois IDPH. This public health reporting is allowed under HIPAA and does not conflict with the consent rules for sharing data with other parties.
Illinois Breach Notification Requirements
Illinois has one of the strictest breach notice setups in the country. Providers must track both the HIPAA clock and the PIPA clock at the same time, and meet whichever deadline comes first.
PIPA Timeline: When Illinois Beats the Federal Clock
HIPAA gives covered entities up to 60 calendar days from breach discovery to notify affected people, and that is an outer limit, not a safe harbor: the rule also requires notice "without unreasonable delay." PIPA says you must notify "in the most expedient time possible and without unreasonable delay." PIPA contains no day count; the 45-day figure sometimes attributed to Illinois AG guidance is an interpretation, so plan to 45 days but be able to justify every day you take.
If a breach affects more than 500 Illinois residents, notify the Illinois Attorney General no later than the time you notify the individuals. This is separate from the HHS OCR notice, which HIPAA requires within 60 days of discovery for breaches affecting 500 or more people. A HIPAA-covered entity that reports to HHS must also send the AG its notification within 5 business days of notifying HHS (815 ILCS 530/50), so prepare the AG filing alongside the OCR filing.
What Constitutes a Breach Under Illinois Law
PIPA defines personal information as a resident's name (first name or initial plus last name) combined with one or more of: Social Security number, driver's license or state ID number, financial account or card number together with any code needed to access the account, medical information, health insurance information, or unique biometric data. It separately covers a username or email address combined with a password or security answer. "Medical information" means information about an individual's medical history, mental or physical condition, or treatment or diagnosis by a health care professional, which largely overlaps with HIPAA PHI.
A breach under PIPA is the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. Two exclusions matter in practice. Good-faith acquisition by an employee or agent for a legitimate business purpose is not a breach, provided the data is not misused or further disclosed. And data that is encrypted or redacted is not "personal information" unless the keys to unencrypt or unredact it were also acquired, so full-disk and database encryption with separately held keys can take an incident outside PIPA's notice duty entirely. Unlike HIPAA, PIPA does not require the four-factor breach risk assessment before notice is due: once an unauthorized acquisition of unencrypted personal information is established, the duty to notify is triggered.
Illinois AG Notification Requirement
You can file the Illinois AG notice online at the AG Data Breach Reporting portal. The filing must include: your entity's name and contact info, a description of the breach, the type of personal data involved, the estimated number of Illinois residents affected, and a copy or summary of the notice you sent.
HIPAA Penalties in Illinois
Illinois healthcare providers face enforcement from two sides: federal OCR enforcement under HIPAA, and state AG enforcement under PIPA, GIPA, and the MHDDCA.
Federal OCR Enforcement: Penalty Structure
The four tiers below are the HITECH base amounts, with the annual caps HHS has applied since its 2019 Notice of Enforcement Discretion. HHS adjusts all of them for inflation every year, so the figures in force at any given time are higher:
- Tier 1 (lack of knowledge): $100-$50,000 per violation, annual cap $25,000
- Tier 2 (reasonable cause): $1,000-$50,000 per violation, annual cap $100,000
- Tier 3 (willful neglect, corrected within 30 days): $10,000-$50,000 per violation, annual cap $250,000
- Tier 4 (willful neglect, not corrected): $50,000 per violation, annual cap $1,500,000
After the 2025 inflation adjustment, the per-violation maximum is $73,011 and the Tier 4 annual cap is $2,190,294. Criminal penalties under 42 U.S.C. 1320d-6 for knowingly obtaining or disclosing PHI range from up to $50,000 and 1 year in prison, to $100,000 and 5 years where the offense involves false pretenses, to $250,000 and 10 years where it is committed with intent to sell PHI or use it for commercial advantage, personal gain, or malicious harm.
Illinois AG Data Breach Enforcement Actions
The Illinois AG can bring civil actions against entities that break PIPA, GIPA, or the MHDDCA. GIPA's private right of action stands out: patients can sue providers directly for genetic privacy violations without going through the AG. GIPA damages of $2,500 per negligent violation and $15,000 per intentional or reckless violation add up fast in class actions.
Illinois providers should also know that BIPA (Biometric Information Privacy Act, 740 ILCS 14) applies to any private entity that collects biometric identifiers, not just employers, even though most BIPA litigation has come from workplace time clocks. Any healthcare group using biometric IDs such as fingerprint scanners for building access, medication cabinets, or patient check-in is within its reach unless the Act's health-care exemption applies. BIPA's private right of action has produced some of the largest privacy class action settlements in the country.
HIPAA Compliance for Illinois Healthcare Providers
Illinois Hospitals and Health Systems
Illinois hospitals and health systems must follow federal HIPAA plus all four state laws. Academic centers doing genetic research need GIPA consent forms. Behavioral health units and psychiatric wards must keep MHDDCA consent steps separate from HIPAA forms. Infectious disease units must follow the AIDS Confidentiality Act for HIV/AIDS records.
Large systems should also review their BAA lists often. Illinois's wide vendor mix (Epic, Cerner, Allscripts, and dozens of niche tools) means BAA gaps are a common audit finding.
Illinois Dental Practices
Illinois dental practices are covered entities that must follow all three HIPAA rules (Privacy, Security, Breach Notification) plus PIPA for breaches. Dental offices using biometric check-in (fingerprint or facial scan) must also follow BIPA. BIPA requires a publicly available written retention and destruction policy, informed written consent (a "written release") before collection, and destruction of the data when its purpose is satisfied or within 3 years of the individual's last interaction with the practice, whichever comes first. Statutory damages are $1,000 per negligent violation and $5,000 per intentional or reckless violation; since the 2024 amendment to BIPA, those damages accrue once per person for each method of collection rather than once per scan. Illinois courts have certified class actions against healthcare groups for BIPA failures.
Illinois Behavioral Health and Mental Health Providers
Mental health practices, substance abuse programs, and integrated behavioral health groups face the strictest rules in the state. The MHDDCA overrides HIPAA's treatment exception for mental health records. Providers must get MHDDCA-specific written consent before sharing records with other providers, referral sources, or care teams. Standard HIPAA forms do not meet MHDDCA rules - work with Illinois legal counsel to make sure your forms pass both.
Substance use disorder programs that receive federal assistance also fall under 42 CFR Part 2 for SUD records. Part 2 is stricter than HIPAA: it requires written patient consent before records are shared, even with other treating providers, and restricts redisclosure by the recipient. The 2024 Part 2 final rule moved it closer to HIPAA by allowing a single written consent to cover future treatment, payment, and operations uses, but that consent must still be obtained first, and Part 2 records still need their own consent workflow alongside the MHDDCA one.
Illinois Home Health and Long-Term Care
Home health agencies and long-term care sites in Illinois often have the longest BAA lists. Vendors may provide scheduling tools, telehealth platforms, remote patient monitors, and EVV systems - and each one that touches PHI needs a signed BAA. Illinois home health agencies also face EVV rules under the Cures Act. Making sure EVV vendors have proper BAAs is a common gap.
Illinois HIPAA Compliance Checklist
| Requirement | Federal or State | Deadline / Frequency | Documentation Needed |
|---|---|---|---|
| Annual security risk assessment | Federal (HIPAA) | Annual minimum | Signed risk assessment report |
| Workforce HIPAA training | Federal (HIPAA) | At hire + material changes + annual | Completion records with dates |
| BAA with all PHI-handling vendors | Federal (HIPAA) | Before vendor access; review annually | Signed BAA on file per vendor |
| Breach notification - individuals | Federal + PIPA | "Most expedient time possible" (PIPA, no statutory day count) / 60 days outer limit (HIPAA) | Notification records, delivery confirmation |
| Breach notification - Illinois AG | PIPA (815 ILCS 530) | No later than individual notice if more than 500 IL residents; HIPAA entities also within 5 business days of notifying HHS | AG portal submission confirmation |
| Genetic data consent (GIPA) | State (410 ILCS 513) | Before collection or disclosure | Signed GIPA-compliant consent form |
| Mental health record consent (MHDDCA) | State (740 ILCS 110) | Before each disclosure | Signed MHDDCA consent per disclosure |
| HIV/AIDS consent (AIDS Confidentiality Act) | State (410 ILCS 305) | Before testing and disclosure | Signed written consent; counseling documentation |
| Biometric data policy (BIPA, if applicable) | State (740 ILCS 14) | Before collection | Written BIPA policy; signed consent; retention schedule |
| Notice of Privacy Practices | Federal (HIPAA Privacy Rule) | At first service delivery; post on site and website | Signed acknowledgment or documented good-faith attempt to obtain one (direct treatment providers) |
Frequently Asked Questions
Are there specific HIPAA requirements for healthcare providers in Chicago, Northbrook, Elk Grove Village, and other Illinois locations?
HIPAA is a federal law that applies uniformly across all states and cities. There is no separate HIPAA certification for Chicago or any other Illinois municipality. However, Illinois adds state-level requirements through PIPA (breach notification), GIPA (genetic data), the MHDDCA (mental health records), the AIDS Confidentiality Act (HIV/AIDS data), and BIPA (biometrics) that healthcare providers in every Illinois location must follow alongside federal HIPAA. Providers in metropolitan Chicago face the same compliance obligations as those in suburban communities like Northbrook or Elk Grove Village.
Does BIPA (Biometric Information Privacy Act) apply to Illinois healthcare providers?
Yes, in some cases. BIPA excludes information captured from a patient in a health care setting and information collected, used, or stored for health care treatment, payment, or operations under HIPAA. The Illinois Supreme Court in Mosby v. Ingalls Memorial Hospital (2023) read that exclusion broadly enough to cover nurses' fingerprints used to unlock medication-dispensing cabinets, because that use is part of treatment. But the exemption is tied to the purpose of the collection, not to the fact that the entity is a hospital. Biometric data collected for non-clinical uses - such as fingerprint time clocks for employees, or patient check-in kiosks that are not part of a HIPAA-covered workflow - may not be exempt. Illinois healthcare groups using any biometric tech should have legal counsel review each use case for BIPA issues.
How quickly must Illinois healthcare providers notify patients of a data breach?
The HIPAA Breach Notification Rule requires notice to each affected person without unreasonable delay and in no case later than 60 calendar days after breach discovery. Illinois's PIPA requires notice "in the most expedient time possible and without unreasonable delay"; the statute sets no day count, and the 45 days some guides cite is an interpretation rather than a statutory deadline. Always work to the earlier date and document any delay. For breaches affecting more than 500 Illinois residents, also notify the Illinois Attorney General no later than the individual notice; a HIPAA-covered entity must additionally send the AG its HHS notification within 5 business days of filing it.
Are Illinois mental health records treated differently than other medical records?
Yes. The Illinois Mental Health and Developmental Disabilities Confidentiality Act (MHDDCA) has much stronger guards than HIPAA. Mental health records generally cannot be shared without explicit MHDDCA-compliant written patient consent - even between treating providers under HIPAA's treatment exception. Behavioral health providers must use MHDDCA-specific consent forms, not standard HIPAA forms.
What does GIPA mean for Illinois providers who conduct genetic testing?
The Illinois Genetic Information Privacy Act (GIPA) requires written consent before sharing genetic test results with any party. Unlike HIPAA, GIPA gives patients a direct private right of action - they can sue providers for violations without going through a government agency. Statutory damages are $2,500 per negligent violation and $15,000 per intentional violation. Providers doing genetic testing must have GIPA consent forms and sharing policies in place.
Who enforces HIPAA in Illinois?
Federal HIPAA is enforced by the HHS Office for Civil Rights (OCR), which investigates complaints and runs compliance audits. State privacy laws - PIPA, GIPA, and the MHDDCA - are enforced by the Illinois Attorney General's office. GIPA, BIPA, and the MHDDCA each also carry a private right of action, so individual plaintiffs can sue directly; that is a litigation exposure most other states do not impose.
Conclusion
Illinois providers face a compliance landscape that is much harder than the federal HIPAA baseline. The MHDDCA, GIPA, AIDS Confidentiality Act, and PIPA each add rules that do not exist at the federal level - and several carry private rights of action that create direct lawsuit risk. The good news: the core steps are the same as for any covered entity. Build a solid yearly risk assessment, keep your BAAs current, train your staff, and then add the Illinois consent forms and breach notice steps on top.
One Guy Consulting helps Illinois healthcare providers build practical, audit-ready HIPAA programs. Book a consultation to review where you stand or get Illinois-specific help with MHDDCA consent forms, GIPA paperwork, or BAA audits.
Key stat: Illinois's Biometric Information Privacy Act (BIPA) carries statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation. Unlike HIPAA, BIPA allows private lawsuits. Healthcare organizations collecting fingerprints, facial scans, or other biometric data face both BIPA and HIPAA obligations simultaneously.
Sources
- HHS: HIPAA for Professionals
- Illinois PIPA - 815 ILCS 530
- Illinois GIPA - 410 ILCS 513
- Illinois MHDDCA - 740 ILCS 110
- Illinois AIDS Confidentiality Act - 410 ILCS 305
- Illinois AG: Data Breach Reporting
- HHS: HIPAA Breach Notification Rule
About the Author
Chuck Weiselberg is a C.H.P. (Certified HIPAA Professional) and Founder of One Guy Consulting, a HIPAA compliance SaaS solution. He has 20+ years helping customers reach their goals, with 10 of those years as a HIPAA compliance S.M.E. (Subject Matter Expert).
He has helped support thousands of users at healthcare groups, where he aided Compliance Officers in setting up sensible compliance solutions without any of them failing an audit, or getting a fine. This success comes from a proven process, realistic and useful policies, and easy-to-use compliance management software that requires no tech skills.