Privacy Law Compliance for Missouri Businesses (HIPAA, Gramm-Leach-Bliley, etc.)

Article · 14 min read · Updated June 9, 2026

Quick answer

Unlike the European Union — or, increasingly, states such as California — the United States has no single, comprehensive privacy law governing every business. Instead, the country uses a sectoral approach: privacy obligations attach to the type of data you handle and the industry you operate in, layered on general consumer-protection enforcement. A Missouri medical clinic answers to HIPAA, a community bank to the Gramm-Leach-Bliley Act, an e-commerce store to the FTC Act and the CAN-SPAM and TCPA marketing rules, and nearly every Missouri business that holds customer records answers to the state's own data-breach notification statute (RSMo § 407.1500). Missouri has not, as of this writing, enacted a broad consumer-privacy law like California's CCPA/CPRA, so Missouri businesses live mostly under this patchwork of federal sector laws plus the state breach-notice rule.

This guide maps that patchwork. It explains which federal privacy laws are most likely to apply to you, what Missouri's breach statute requires when personal information is exposed, and the practical compliance steps — data mapping, vendor contracts, a written information security program, and an incident-response plan — that protect you under all of these regimes at once. Because privacy law is fact-specific and changes frequently, treat what follows as a framework for asking the right questions, not a substitute for advice tailored to your data.

Why the U.S. "sectoral" approach matters for your business

The key point is that there is no one statute to "comply with." Your obligations depend on the kind of data you collect and the activity you undertake, not your size — a two-person clinic is a HIPAA covered entity and a sole-proprietor lender can be a GLBA financial institution. You may be covered by more than one law at once — a pharmacy handles PHI (HIPAA), runs an email list (CAN-SPAM), and makes privacy-policy promises the FTC can enforce. And silence is not safety: the FTC can treat a broken privacy promise as deceptive, but it can also challenge a genuinely unfair data practice even without one. Because Missouri has no comprehensive state privacy statute, your analysis is largely: which federal sector laws reach my data, and what does the breach-notice statute require if it is exposed?

HIPAA: protected health information

The Health Insurance Portability and Accountability Act (HIPAA), with its Privacy, Security, and Breach Notification Rules, governs protected health information (PHI) — individually identifiable health information held or transmitted by a regulated entity. HIPAA does not cover all health information; it covers PHI in the hands of two regulated parties:

  • Covered entities. Health plans, health-care clearinghouses, and providers who transmit health information electronically in connection with certain standard transactions (such as billing insurance). A Missouri physician's office, dental practice, or hospital is the classic covered entity.
  • Business associates. Vendors that create, receive, maintain, or transmit PHI on behalf of a covered entity — a billing company, cloud host, shredding service, or IT consultant with record access. Business associates are directly liable under HIPAA for much of the Security Rule and parts of the Privacy Rule.

HIPAA's obligations break down into three rules. The Privacy Rule limits how PHI may be used and disclosed and gives patients rights to access and amend their records. The Security Rule requires administrative, physical, and technical safeguards for electronic PHI — risk analysis, access controls, encryption where reasonable, logging, and training. The Breach Notification Rule requires notifying affected individuals and the U.S. Department of Health and Human Services (and sometimes the media) when unsecured PHI is breached.

A foundational HIPAA requirement is the business associate agreement (BAA) — a written contract a covered entity must put in place before sharing PHI with a vendor, and that a business associate must in turn put in place with its subcontractors. For a Missouri provider using an outside billing service or cloud vendor, a missing or stale BAA is among the most common and avoidable compliance gaps.

If your business is not a covered entity or business associate, HIPAA generally does not apply even if you hold some health-related data — though the FTC Act and Missouri's breach statute may still reach it. HIPAA is industry-specific, not health-data-specific.

Gramm-Leach-Bliley Act: financial institutions

The Gramm-Leach-Bliley Act (GLBA) governs how financial institutions handle consumers' nonpublic personal information. "Financial institution" is broader than it sounds: it reaches banks and credit unions, but also lenders, mortgage brokers, certain finance companies, tax preparers, debt collectors, and others "significantly engaged" in financial activities. A Missouri auto dealer that arranges financing, or an independent mortgage broker, can fall within GLBA without being a "bank" in the everyday sense.

GLBA imposes two principal sets of duties:

  • The Privacy Rule. Covered institutions must give consumers clear privacy notices describing what information they collect, how they use and share it, and — where applicable — the consumer's right to opt out of certain sharing with nonaffiliated third parties, typically at the start of the relationship and periodically thereafter.
  • The Safeguards Rule. Covered institutions must develop and maintain a written information security program with safeguards appropriate to their size and complexity. The rule has been modernized to require specific measures — a qualified individual to oversee the program, a written risk assessment, access controls and encryption, service-provider oversight, and reporting to leadership.

A Missouri business that even might qualify as a GLBA financial institution should pin down its status early and confirm current obligations against the operative regulations, because the written-program requirement is detailed and guessing wrong is costly.

The FTC Act §5: the privacy backstop

Even where no industry-specific statute applies, Section 5 of the FTC Act prohibits "unfair or deceptive acts or practices in or affecting commerce" — and the FTC has used that authority as the general enforcer of privacy in the United States. Two theories matter most:

  • Deception. If your business makes a privacy or security promise it does not keep, the FTC can treat the broken promise as deceptive. Promising "we never sell your data" or "we use bank-level security" and then failing to live up to it is the textbook case.
  • Unfairness. The FTC can also challenge practices that cause or are likely to cause substantial consumer injury that consumers cannot reasonably avoid and that is not outweighed by countervailing benefits — such as storing sensitive data with grossly inadequate security.

The practical lesson is twofold. First, your privacy policy is an enforceable representation, not marketing copy — say only what you do, and do what you say. Second, reasonable data security is expected even without a sector statute; "we never promised anything" is not a defense to an unfairness claim. Missouri's Merchandising Practices Act (RSMo § 407.020) is a parallel state tool.

The other federal pieces: FCRA, COPPA, CAN-SPAM, and the TCPA

Beyond HIPAA, GLBA, and the FTC Act, several narrower federal laws reach specific data or activities common to Missouri businesses. Each is described here at a high level; confirm the precise triggers before relying on any of them.

  • Fair Credit Reporting Act (FCRA). Governs consumer reports — information assembled by credit bureaus and used for credit, employment, insurance, and tenant-screening decisions. If your business uses consumer reports (to screen applicants or tenants), FCRA imposes notice, consent, and "adverse action" obligations; if you furnish information to the bureaus, additional duties apply.
  • Children's Online Privacy Protection Act (COPPA). Regulates online collection of personal information from children under 13. If your site, app, or service is directed to children — or you knowingly collect their data — it requires verifiable parental consent and other protections.
  • CAN-SPAM Act. Sets rules for commercial email: accurate header and subject lines, a clear way to opt out, prompt honoring of opt-outs, and advertisement identification.
  • Telephone Consumer Protection Act (TCPA). Restricts certain telemarketing calls, autodialed and prerecorded calls, and texts, and supports the national Do-Not-Call framework. Consent rules are strict and the TCPA is heavily litigated, so confirm your consent practices before any SMS or calling campaign.

None of these is a comprehensive privacy law; each targets a specific data type or channel. The point is to identify which ones your activities trigger.

Missouri's data-breach notification statute (RSMo § 407.1500)

This is the Missouri-specific law nearly every business should know. RSMo § 407.1500 requires a business that owns or licenses personal information about Missouri residents to notify affected individuals when that information is, or is reasonably believed to have been, accessed or acquired by an unauthorized person in a way that creates a risk of harm.

While you should always confirm the operative text and any amendments, the statute's framework generally includes the following:

  • What data triggers it. "Personal information" is typically a resident's name combined with a sensitive data element — a Social Security number, driver's license or state-ID number, financial-account or card number with any required access code, or certain medical or health-insurance information. Encrypted or redacted data generally does not trigger the duty if the protective measure was not compromised.
  • The notification duty. On discovering a breach, a covered business must notify affected residents without unreasonable delay, consistent with law-enforcement needs and measures to determine scope and restore system integrity.
  • Method, substitute notice, and the Attorney General. The statute describes acceptable methods of notice (written, sometimes electronic), may allow substitute notice when the cost or number affected is very large, and may require notifying the Missouri Attorney General above a statutory threshold.
  • Vendors who hold data for others. A business that maintains personal information for the data owner generally must notify the owner so it can carry out its duties.

Because the exact data elements, timing, thresholds, and exceptions are set by the statute and can be amended, verify the current requirements rather than relying on a general description. This breach law is the common denominator — even a business that escapes HIPAA and GLBA almost certainly holds personal information that brings it within RSMo § 407.1500.

Missouri has not enacted a comprehensive consumer-privacy law

As of this writing, Missouri has not adopted a broad consumer-privacy statute comparable to California's CCPA/CPRA or the comprehensive laws passed in a growing number of other states, so Missouri businesses generally do not face across-the-board state-law obligations to honor consumer "rights to access, delete, or opt out" of data processing. One important caveat: other states' laws can still reach you — if your business collects personal data from residents of states that have comprehensive privacy laws, those laws may apply regardless of where your company sits.

A worked example: a Missouri specialty clinic

Consider a mid-sized dermatology clinic in St. Louis that books appointments online, bills insurance electronically, runs an email newsletter, and screens new hires with background checks. Walk the patchwork:

  • HIPAA. Billing insurers electronically makes it a covered entity — needing HIPAA policies, a current risk analysis, training, and business associate agreements with its EHR vendor, billing company, and any IT contractor reaching PHI.
  • FTC Act §5. Its privacy policy promises "industry-standard security" — an enforceable representation the FTC could treat as deceptive if security is lax.
  • FCRA. Background checks mean it uses consumer reports and must follow FCRA's disclosure, consent, and adverse-action steps when declining an applicant.
  • CAN-SPAM. The newsletter needs accurate headers and a working, promptly honored unsubscribe link.
  • Missouri breach statute (RSMo § 407.1500). A stolen laptop with unencrypted patient names and Social Security numbers likely triggers both HIPAA breach duties and the RSMo § 407.1500 duty to notify affected residents — and, depending on scale, the Attorney General. Encryption could have changed that under the statute's safe harbor.

One clinic, five regimes — a single security failure can trigger several at once. That is why the steps below protect all your data, not any single statute.

Practical compliance steps for a Missouri business

The building blocks of privacy compliance are largely the same across HIPAA, GLBA, the FTC Act, and the breach statute — build them once and you are protected under all of them:

  1. Map your data. Document what personal information you collect, where it lives, who has access, why you hold it, and how long you keep it. This map underpins every other step, is a GLBA Safeguards Rule requirement, and is a prerequisite for a HIPAA risk analysis.
  2. Classify and minimize. Flag the high-risk data — Social Security numbers, financial-account and card data, PHI, children's data — then collect and retain less of it, since data you do not hold cannot be breached.
  3. Adopt a Written Information Security Program (WISP). Document safeguards proportionate to your size and risk: access controls, encryption at rest and in transit, multi-factor authentication, patching, logging, secure disposal, and training. A WISP is required by the GLBA Safeguards Rule, covers much of the HIPAA Security Rule's documentation expectation, and is strong evidence of "reasonable security" under FTC unfairness scrutiny.
  4. Get your vendor contracts right. For every third party that touches your data: a business associate agreement for HIPAA vendors, Safeguards oversight language for GLBA vendors, and commitments to safeguard data, use it only as instructed, and report breaches promptly. A vendor breach is still your notification problem under RSMo § 407.1500.
  5. Align your privacy policy with reality. Review every public privacy promise; say only what you do, and make operations match the policy — the single best defense against an FTC deception claim.
  6. Build an incident-response plan. Decide in advance who is on the response team, how an incident is escalated and investigated, when outside counsel and forensics are engaged, and how you will assess notification duties under HIPAA and RSMo § 407.1500. Missouri requires notice "without unreasonable delay," so a plan built during the breach is too late.
  7. Train your workforce and revisit periodically. Most breaches start with human error — a phishing click, a lost device, a misdirected email. Train staff to handle sensitive data and report incidents, and re-run the risk assessment and update the WISP as things change.

A quick compliance checklist

Use this as a starting self-audit; each "no" is a gap worth closing:

  • A current data map of all personal information we hold and where it lives.
  • Confirmed HIPAA and GLBA status, with BAAs, privacy notices, and a Safeguards-compliant program where applicable.
  • A privacy policy that matches our actual practices (FTC §5), plus current FCRA, CAN-SPAM, and TCPA practices.
  • A written information security program, vendor contracts requiring breach notice, and an incident-response plan addressing RSMo § 407.1500.

When should you talk to a Missouri attorney?

Privacy compliance is an area where early advice is far cheaper than late cleanup. Consider guidance when:

  • You are not sure which laws apply — for example, whether you are a GLBA "financial institution" or a HIPAA "business associate."
  • You are launching a product, app, or website that collects personal or children's data, or drafting or revising a privacy policy, vendor agreements, or business-associate agreements.
  • You have discovered or suspect a breach — assessing notification duties under RSMo § 407.1500, HIPAA, and other states' laws is time-sensitive.
  • You collect data from residents of states with comprehensive privacy laws and need to understand obligations beyond Missouri.

A Missouri attorney can confirm which regimes reach your business, review your contracts and policies, and help you meet the "without unreasonable delay" standard while preserving privilege.

Frequently Asked Questions

Does Missouri have a comprehensive consumer-privacy law like California's?

No. As of this writing, Missouri has not enacted a broad consumer-privacy statute comparable to California's CCPA/CPRA. Missouri businesses generally rely on federal sectoral laws (such as HIPAA and Gramm-Leach-Bliley), the FTC Act, and RSMo § 407.1500. Because privacy legislation moves quickly, confirm the current status before assuming this remains true.

What does Missouri's data-breach notification law require?

RSMo § 407.1500 generally requires a business that owns or licenses personal information about Missouri residents to notify affected individuals without unreasonable delay when that information is breached in a way that poses a risk of harm. Depending on the number affected, notice to the Missouri Attorney General may also be required, and encrypted or redacted data generally does not trigger the duty.

My business is small. Am I really subject to these privacy laws?

Often, yes. Most federal privacy laws apply based on the type of data or activity, not company size. A two-person clinic can be a HIPAA covered entity, a sole-proprietor lender a GLBA financial institution, and almost any business holding customer Social Security or financial-account numbers is within RSMo § 407.1500.

Do I have to comply with HIPAA just because I have health information?

Not necessarily. HIPAA applies to covered entities (health plans, clearinghouses, and certain providers) and their business associates — not to every business that holds health-related data. If you are neither, HIPAA generally does not apply, though the FTC Act and Missouri's breach statute may still reach that information. It turns on your role, not merely the data type.

What is a business associate agreement, and do I need one?

A business associate agreement (BAA) is a written contract HIPAA requires before a covered entity shares protected health information with a vendor that handles it on the entity's behalf — a billing company, cloud host, or IT contractor. A HIPAA-covered Missouri provider generally needs a BAA with each such vendor, and business associates need BAAs with their subcontractors.

Can the FTC come after my business if I never made any privacy promises?

Potentially. Beyond enforcing broken privacy promises as "deceptive," the FTC can challenge data practices it considers unfair — those causing substantial, unavoidable consumer injury not outweighed by benefits — even without a broken promise. Reasonable data security is expected regardless of what your policy says, and Missouri's Merchandising Practices Act (RSMo § 407.020) provides a parallel state tool.

A vendor we use was breached, not us. Do we still have to notify anyone?

Quite possibly. Under RSMo § 407.1500, the business that owns or licenses the personal information generally retains the notification duty even when a vendor holding the data on its behalf suffers the breach; the vendor is typically required to alert the owner so it can notify affected residents. This is why vendor contracts should require prompt breach notice — treat a vendor's breach as your compliance problem until you confirm otherwise.

This guide provides general legal information about Missouri and federal privacy law and is not legal advice. It does not create an attorney-client relationship. Privacy obligations depend heavily on your specific data, industry, and the current text of the applicable statutes and regulations; consult a qualified Missouri attorney about your situation, and act promptly if you suspect a data breach.