State Compliance

Michigan Healthcare Compliance: Identity Theft Protection Act + Patient Records

10 min read · Last reviewed May 23, 2026

Michigan's Identity Theft Protection Act (MCL 445.61 et seq.) and Medical Records Access Act (MCL 333.26261 et seq.) layer on top of HIPAA for any Michigan practice handling patient data. The single biggest divergence: Michigan's per-violation civil penalty of $250 per affected resident under MCL 445.72(13) is calculated on the number of unnotified individuals, not on the breach event — making notification compliance the single highest-leverage compliance control.

What Michigan ITPA and MCRAA actually require

Michigan has no comprehensive medical-privacy statute analogous to CMIA. The state's medical-data regime is built from three Public Act lineages:

  • Identity Theft Protection Act (ITPA) at MCL 445.61 to MCL 445.77. Originally Public Act 452 of 2004, governs breach notification and identity-theft prevention practices for any person or agency that owns or licenses computerized personal information of Michigan residents.
  • Medical Records Access Act (MCRAA) at MCL 333.26261 to MCL 333.26271. Public Act 47 of 2004, governs patient access to medical records held by Michigan providers.
  • Records retention under MCL 333.16213. Seven years from the date of service as the baseline, with a 15-year retention rule for the specific records described in MCL 333.16213(2)(b) (records relating to a claim or potential claim against the licensee, and other categories listed in the statute). There is no separate age-21 minor rule under § 333.16213 — the 7-year baseline and the 15-year special-record exception are the operative timelines.

Core obligations under ITPA:

  • Breach definition. MCL 445.63(b) — unauthorized access to or acquisition of computerized data that materially compromises the security or confidentiality of personal information. "Personal information" includes name combined with SSN, driver's license, state ID, or account number with access credential.
  • Individual notification. MCL 445.72(1) — written notice to affected Michigan residents "without unreasonable delay." No fixed outer numeric deadline.
  • Substitute notice. MCL 445.72(5)(c) — available when direct-notice cost exceeds $250,000 or 500,000+ Michigan residents are affected.
  • Consumer reporting agency notification when notice is required to more than 1,000 Michigan residents. MCL 445.72(8) — written notice to nationwide CRAs without unreasonable delay.
  • HIPAA safe harbor. MCL 445.72(10) — a HIPAA-regulated person or agency that complies with HIPAA's breach-notification rule is deemed in compliance with MCL 445.72. For covered entities, executing the federal notice obligations satisfies Michigan's notice regime; documentation that the HIPAA process was followed is the practical evidence the practice should maintain.

Core obligations under MCRAA:

  • Records release timing. MCL 333.26265(2) — provider furnishes a copy or summary within 30 days of a written request, or within 60 days if the records are not maintained or accessible onsite. MCL 333.26265(3) permits one 30-day extension with written notice to the patient.
  • Fee caps. MCL 333.26269(1) — specific per-page and per-record copy fee caps, with annual CPI adjustment under MCL 333.26269(6).
  • Form of request. MCL 333.26265 — MCRAA access is triggered by a written request signed and dated by the patient or the patient's authorized representative. Practices that release records pursuant to a separate written authorization should use a HIPAA-compliant authorization meeting the six elements at 45 CFR § 164.508(c); MCRAA does not impose an independent eight-element authorization regime beyond the signed-and-dated request mechanics at § 333.26265.

Where Michigan is stricter than HIPAA

The single comparative table a Michigan practice needs:

| Topic | HIPAA | Michigan | Stricter | |---|---|---|---| | Patient records access | 30 days, +30-day extension (45 CFR § 164.524(b)(2)) | 30 days under MCL 333.26265(2), 60 days if records not onsite, one 30-day extension under § 333.26265(3) | Aligned (Michigan slightly broader on the not-onsite path) | | Records retention (adults) | 6 years (45 CFR § 164.530(j)) | 7 years under MCL 333.16213, with 15-year retention for records described at § 333.16213(2)(b) | Michigan | | Records retention (minors) | 6 years (45 CFR § 164.530(j)) | 7-year baseline under MCL 333.16213, with the 15-year special-record exception | Michigan | | Breach individual notice deadline | 60 days from discovery (45 CFR § 164.404(b)) | "Without unreasonable delay" (MCL 445.72(1)), with HIPAA-compliance safe harbor (MCL 445.72(10)) | HIPAA gives the fixed ceiling that also satisfies Michigan for covered entities | | Notification to CRAs | None | Required when notice is required to >1,000 Michigan residents (MCL 445.72(8)) | Michigan | | Per-resident civil penalty | $145–$73,011 per violation, $2,190,294 annual cap per identical violation (2026 HHS-adjusted; 45 CFR § 160.404 and 45 CFR Part 102) | $250 per unnotified resident, capped at $750k total (MCL 445.72(13)) | Michigan per-resident lower but cumulative | | Authorization form content | Six required elements (45 CFR § 164.508(c)) | MCRAA access requires a signed-and-dated written request under MCL 333.26265; no independent eight-element authorization regime | HIPAA on form content | | Encryption safe harbor | Encrypted-data exclusion (45 CFR § 164.402) | Encrypted data not deemed "personal information" (MCL 445.63(b)) | Comparable |

Where Michigan practices most often trip on MCRAA is the signed-and-dated written request mechanics at MCL 333.26265 and the 60-day path for records that are not onsite. A bare HIPAA authorization under 45 CFR § 164.508 covers most release scenarios; the practical risk is treating an oral request as sufficient, missing the signed-and-dated step at § 333.26265, or assuming the 30-day clock applies to records held offsite when § 333.26265(2) gives 60 days for those.

The other consistent surprise is the per-resident penalty math. ITPA's $250-per-unnotified-resident penalty at MCL 445.72(13) is calculated on every individual the practice failed to notify. A breach affecting 1,500 Michigan residents where notification is late or incomplete generates up to $375,000 in baseline penalty before any HIPAA exposure. The penalty is per-resident, not per-incident — which makes notification quality the dominant compliance driver under Michigan law.

Where HIPAA is stricter than Michigan

The three areas where federal law is the harder rule:

  • Security Rule technical safeguards. Michigan's ITPA imposes no prescribed cybersecurity safeguards program for covered entities outside the breach-notification trigger. HIPAA's Security Rule at 45 CFR Part 164, Subpart C prescribes a structured technical, administrative, and physical safeguards program — annual risk analysis, audit logging, encryption decisions, contingency planning, sanction policy.
  • Breach risk assessment methodology. HIPAA's four-factor analysis at 45 CFR § 164.402 governs whether a security incident qualifies as a reportable breach. Michigan ITPA does not impose a comparable methodology; Michigan regulators look to the federal framework when reviewing MCL 445.72 filings.
  • AG notification path. HIPAA's 45 CFR § 164.408 HHS report imposes federal reporting on every breach. Michigan ITPA has no mandatory AG notice path (CRAs at 1,000+ is the only required filing). HIPAA's notification breadth exceeds Michigan's here.

Breach notification timeline

A Michigan practice that discovers a breach affecting MI residents runs these parallel notifications:

  1. HHS report and individual notice under HIPAA at 45 CFR § 164.408 and 45 CFR § 164.404 — 60-day individual notice; HHS report within 60 days for 500+ affected. Compliance with HIPAA's notice rule also satisfies MCL 445.72(1) for covered entities under the safe harbor at MCL 445.72(10).
  2. Consumer reporting agency notice when individual notice is required to >1,000 Michigan residents under MCL 445.72(8) — written notice to nationwide CRAs.
  3. Individual notice "without unreasonable delay" under MCL 445.72(1) for any incident involving Michigan-resident personal information held outside HIPAA (e.g., workforce personal information, a non-HIPAA business line). Documentation supporting either the HIPAA safe harbor or independent Michigan compliance is the practice's audit-ready record.

Substitute notice via statewide media is available under MCL 445.72(5)(c) when direct-notice cost exceeds $250,000 or 500,000+ affected.

Penalties + private right of action

The numbers a Michigan practice needs:

  • ITPA civil penalty. MCL 445.72(13) — $250 per unnotified Michigan resident, capped at $750,000 total per breach event, recoverable by the AG.
  • ITPA criminal penalty. MCL 445.72(15) — knowing failure to notify is a misdemeanor punishable by up to 93 days in jail and a fine of up to $5,000.
  • Consumer Protection Act exposure. MCL 445.901 et seq. — Michigan's CPA provides individual treble-damages claims for unfair or deceptive practices; plaintiffs use ITPA violations as the predicate unfair practice. The CPA has been narrowed by courts on healthcare-specific claims, but the lever is available for non-treatment data uses.
  • Common-law negligence. Michigan courts recognize negligence per se where statutory standards are violated. Plaintiffs in medical-data breach cases plead the ITPA violation as the predicate breach of duty.
  • Medical Board discipline. Failure to comply with MCRAA records-access can trigger LARA Bureau of Professional Licensing action against the physician's license.
  • HIPAA OCR penalties continue to apply in parallel under 45 CFR § 160.404.

Where Michigan diverges meaningfully from Illinois or California is the absence of statutory damages under the ITPA itself — the per-resident penalty is recoverable by the AG, not individual plaintiffs. The practical risk profile is closer to Ohio than to Illinois: AG-driven enforcement, modest per-resident penalties that scale aggressively with breach size, and CPA layering for individual claims.

Compliance checklist for in-state practices

A Michigan-specific overlay to a HIPAA program:

  • HIPAA-compliant authorization with the MCRAA signed-and-dated request mechanics at MCL 333.26265 captured on the intake form. The HIPAA six-element authorization at 45 CFR § 164.508(c) covers the substantive release; the MCRAA-specific procedural step is the signed-and-dated written request itself.
  • Records release within 30 days under MCL 333.26265(2), or 60 days if records are not onsite, with one 30-day extension available under § 333.26265(3). Document the request date, response date, and any fee assessed under MCL 333.26269(1) caps with the § 333.26269(6) CPI adjustment.
  • Records retention — 7-year baseline under MCL 333.16213 from the date of service, with 15-year retention for records described at § 333.16213(2)(b). Audit any retention schedule built off HIPAA's 6-year floor.
  • Encryption posture documentation for every device and database holding personal information of Michigan residents — for invoking the MCL 445.63(b) encryption-data carve-out if a breach occurs.
  • Breach response runbook that triggers HHS notice and individual notice on the 60-day HIPAA track (which satisfies MCL 445.72 under the MCL 445.72(10) safe harbor for covered entities), CRA notice when individual notice is required to >1,000 Michigan residents under MCL 445.72(8), and ITPA-direct notice for any Michigan-resident personal information held outside HIPAA.
  • Notification quality control — given the $250-per-unnotified-resident penalty under MCL 445.72(13), the practice's notification list and delivery confirmation are the single highest-leverage breach-response artifact. Maintain delivery evidence per resident.
  • Workforce training on Michigan statutes at hire and annually, separately documented from HIPAA training. Cover MCRAA's tighter access window and the ITPA notification math specifically.
  • LARA complaint monitoring — Bureau of Professional Licensing complaints driven by records-access delays are the most common direct discipline path; quarterly review of records-release metrics reduces this exposure.

The d3rx compliance binder state-overlay branches on Michigan and produces the stacked HIPAA + MCRAA authorization, the 30-day records-release SLA, and the per-resident notification tracker a Michigan practice runs alongside the federal HIPAA backbone. It is an administrative documentation aid; the practice and its counsel remain responsible for executing the controls.

Cross-references: see Ohio Data Protection Act for healthcare for the affirmative-defense regime a multi-state Great Lakes practice often runs alongside Michigan compliance, and Illinois BIPA/GIPA for the neighboring private-right-of-action regime.

Step 1 · Get the binder

Get the d3rx compliance binder for your practice

Pre-filled to address the gaps this guide coversMichigan Healthcare Compliance: Identity Theft Protection Act + Patient Records. We will email you the section preview and your binder intake link.

No PHI required. We use your email to send the binder preview and intake link only.

Frequently asked

Does Michigan's Identity Theft Protection Act apply to my HIPAA-covered practice?

Yes, but MCL § 445.72(10) is a meaningful safe harbor: a HIPAA-regulated person or agency that complies with HIPAA's breach-notification rule is deemed in compliance with MCL § 445.72. HIPAA compliance is the operative Michigan breach-notice posture for covered entities; the practice still must execute the federal notice obligations (HHS report, individual notice, and any required media notice) and document compliance. Michigan does not have a comprehensive consumer privacy law like CCPA or CTDPA — the ITPA is the primary state-level lever for identity-related personal information held by non-HIPAA businesses, and the safe harbor closes the gap for covered entities.

What's the Michigan breach notification window?

No fixed numeric outer deadline. MCL 445.72(1) requires notification 'without unreasonable delay,' subject to law-enforcement hold under MCL 445.72(8). Michigan AG enforcement has treated this as approximately 45 days absent investigative complexity. HIPAA's [45 CFR § 164.404(b)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404) imposes a fixed 60-day outer deadline — that's the practical ceiling for HIPAA-covered Michigan practices.

How fast must Michigan practices release patient records?

30 days under the Medical Records Access Act (MCRAA) at MCL 333.26265(2), or 60 days if the records are not maintained or accessible onsite. The provider must furnish a copy or summary within that window, and MCL 333.26265(3) allows one 30-day extension with written notice to the patient. Copy fees are capped under MCL 333.26269(1), with CPI adjustment under § 333.26269(6). HIPAA's [45 CFR § 164.524(b)(2)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524) also runs 30 days with a permitted 30-day extension — Michigan and HIPAA are aligned, with Michigan's 60-day-not-onsite path being the only meaningful divergence.

Does Michigan ITPA have a private right of action?

Limited. MCL 445.72(13) creates a per-violation civil penalty of $250 per affected Michigan resident for failure to notify, up to $750,000 total, recoverable by the AG. There is no general individual private right of action under the ITPA itself. Michigan common-law negligence and breach-of-contract claims provide the practical individual lever, and Consumer Protection Act claims at MCL 445.901 are available for unfair or deceptive practices that incorporate ITPA violations.

What's the difference between Michigan ITPA and Ohio's Data Protection Act?

Different posture. Michigan's ITPA is a breach-notification statute with civil penalties and a HIPAA-compliance safe harbor at MCL 445.72(10) but no cybersecurity-program safe harbor. Ohio's Data Protection Act at ORC § 1354.01 creates an affirmative defense to tort actions for businesses with a written cybersecurity program aligned to recognized frameworks. Michigan provides no comparable cyber-program safe harbor — having a strong cyber program in Michigan reduces breach likelihood and helps establish HIPAA compliance for the § 445.72(10) safe harbor, but does not independently insulate from ITPA penalty exposure for non-HIPAA data.

Does Michigan require any pre-disclosure notice to law enforcement?

No. Unlike New Jersey's mandatory pre-notice to the State Police, Michigan's ITPA at MCL 445.72(8) requires notice to nationwide consumer reporting agencies when the breach triggers individual notice to more than 1,000 Michigan residents. There is no affirmative requirement to notify the AG, State Police, or any other Michigan agency before notifying individuals; law-enforcement-driven delay of individual notice is permitted but not required.

Turn this into a review-ready binder

The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.

Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. MCL 445.61 to MCL 445.77https://www.legislature.mi.gov/
  2. 45 CFR § 164.508(c)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.508
  3. 45 CFR Part 164, Subpart Chttps://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C
  4. 45 CFR § 164.402https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-A/section-164.402
  5. 45 CFR § 164.408https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408
  6. 45 CFR § 164.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404
  7. 45 CFR § 160.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.404

Sources verified as of May 23, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides