CON-Certificate of Need State Laws

12/1/2019

Contact

Health Program

Certificate of Need (CON) laws are state regulatory mechanisms for establishing or expanding health care facilities and services in a given area. In a state with a CON program, a state health planning agency must approve major capital expenditures for certain health care facilities. CON programs aim to control health care costs by restricting duplicative services and determining whether new capital expenditures meet a community need.

Interactive Map of State CON Laws

Currently, 35 states and Washington, D.C. operate a CON program with wide variation state-to-state. The following 50-state map lists the health care facilities and capital expenditures covered under the CON law for each state as of December 2019.

Certificate of Need State Laws

Legend

	CON program in place
	Variation on CON program* (click on map for details)
	No CON program
	No data

Click on a state to see detailed information about its certificate of need program.

Intent and Structure of CON

The basic assumption underlying CON regulation is that excess health care facility capacity results in health care price inflation. Price inflation can occur when a hospital cannot fill its beds and fixed costs must be met through higher charges for the beds that are used. Larger institutions generally have larger costs, so hospitals and other health facilities may raise prices in order to pay for new, underused medical services or empty beds. CON programs require a health care facility to seek a health planning agency’s approval based on a set of criteria and community need. Once a health facility has applied for state approval, the health planning agency may approve, deny or set certain limitations on a health care project.

While the effectiveness of CON programs continues to be a heavily debated topic, many states consider CON programs as one way to control health care costs and increase access to care. Below is a list of both arguments in favor and against CON laws.

Arguments In Favor and Against CON Laws
Proponents of CON Laws Argue:	Opponents of CON Laws Argue:
Health care cannot be considered as a “typical” economic product. Most health services (like lab tests) are ordered by physicians, not patients. Patients do not shop around as they do for other goods and services. CON programs limit health care spending. CON programs help distribute care to disadvantaged populations or geographic areas that new and existing medical centers may not serve. Removal of CON will favor for-profit hospitals which may be less willing to provide indigent care. Removal of CON will lead to a proliferation of “low-volume” facilities, which some view as providing lower quality care. CON requirements do not block change, they mainly provide for an evaluation, and often include public or stakeholder input.	By restricting new construction, CON programs may reduce price competition between facilities and keep prices high. Some changes in the Medicare payment system (such as paying hospitals according to Diagnostic Related Groups – “DRGs”) may make external regulatory controls unnecessary by sensitizing health care organizations to market pressures. CON programs vary state to state, with inconsistent metrics and management. CON programs allow for political influence in deciding whether facilities will be built, which can invite manipulation and abuse. Some evidence suggests that lack of competition encourages construction and additional spending. Identifying the “best interests” of a community isn’t always clear; decisions ostensibly made for the greater good could have unintended consequences in the long-term, particularly in an unsteady economy or, for example, in a rapidly-gentrifying community.

History

New York was the first state to enact a CON law in 1964; 26 states enacted CON laws throughout the following decade. Early CON programs typically regulated capital expenditures greater than $100,000, facilities expanding their bed capacity and facilities establishing or expanding health care services.

In 1972, several states adopted Section 1122 waivers, which provided federal funding to states regulating new health care services receiving Medicare and Medicaid dollars. Congress then passed the National Health Planning and Resources Development Act of 1974 bolstering federal funding for state and local health planning regulations. The federal law required states to adopt CON laws similar to the federal model resulting in all states, except Louisiana, maintaining some form of a CON program by 1982. This meant states had broad regulatory oversight of several facilities—including hospitals, nursing and intermediate care facilities and ambulatory surgery centers—as well as the expansion or development of a facility’s service capacity.

The federal mandate was repealed in 1987, along with the associated federal funding. Subsequently, several states repealed or modified their CON laws.

State Legislative Actions

In the past several years, many states have introduced or enacted legislation to change their CON program. Changes range from fully repealing an existing CON program to creating a new CON program. The following are state examples of legislative actions impacting CON programs:

35 states currently maintain some form of CON program. Puerto Rico, the US Virgin Islands and the District of Columbia also have CON programs. States retaining CON laws often regulate outpatient facilities and long-term care. This is largely due to an increase in free-standing, physician-owned facilities.
- Indiana enacted legislation in 2018 establishing a certificate of need program, which the state initially repealed in 1999.
At least 10 states—Florida, Georgia, Illinois, Maryland, Ohio, Rhode Island, Tennessee, Vermont, Virginia and Washington—enacted legislation in 2019 to modify CON oversight for certain health facilities and services.
Three states—Arizona, Minnesota and Wisconsin—do not officially operate a CON program, but they maintain several approval processes that function similarly to CON.
12 states fully repealed their CON laws. New Hampshire was the most recent repeal, effective 2016.

Moratoria

As part of a CON program, some states may place certain health care facilities and facility beds on moratorium. This means a state planning agency will grant no CONs for certain facility capital expenditures. Moratorium regulations most often affect nursing facilities and other long-term care facilities.

Several states—including Arkansas, Florida, Georgia, Hawaii, Illinois and Virginia—have restrictions on the development or expansion of certain health care facilities and beds through a needs and utilization assessment process. While not an outright moratorium, a state planning agency may determine there is no need for additional health care facility beds or services in a particular county or district.

Certificate of Need (CON) Moratoria
STATE	MORATORIA?	FACILITIES COVERED UNDER MORATORIA
Alabama	No
Alaska	No
Arizona	No
Arkansas	Yes	Psychiatric residential facilities, intermediate care facilities for the intellecually disabled and residential care facilities.
California	No
Colorado	No
Connecticut	Yes	Nursing home beds.
Delaware	No
Florida	No
Georgia	No
Hawaii	No
Idaho	No
Illinois	No
Indiana	No
Iowa	No
Kansas	No
Kentucky	No
Louisiana	Yes	Intermediate care facilities for the developmentally delayed, nursing facilities, long-term care facilities and long-term care beds.
Maine	No
Maryland	Yes	Acquisitions authorizing a general hospice to provide home-based hospice services on a statewide basis.
Massachusetts	Yes	Long-term care beds.
Michigan	No
Minnesota	Yes	Hospitals and hospital beds, nursing home beds, intermediate care facilities for persons with developmental disabilities and radiation therapy facilities in certain locations.
Mississippi	Yes	Skilled nursing facilities; intermediate care facilities; intermediate care facilities for the mentally retarded; home health agencies; the conversion of hospitals beds to intermediate nursing home care; and Medicaid-certified child/adolescent psychiatric or chemical dependency beds.
Missouri	No
Montana	No
Nebraska	Yes	Long-term care beds and rehabilitation beds.
Nevada	No
New Hampshire	No
New Jersey	No
New Mexico	No
New York	Yes	Licensed home care service agencies.
North Carolina	No
North Dakota	No
Ohio	Yes	Long-term care beds.
Oklahoma	No
Oregon	No
Pennsylvania	No
Rhode Island	Yes	Nursing-facility licensed beds and increases to licensed capacity for existing nursing-facility licenses.
South Carolina	No
South Dakota	No
Tennessee	No
Texas	No
Utah	No
Vermont	Yes	Home health agencies.
Virginia	No
Washington	No
West Virginia	Yes	Opioid treatment programs, skilled nursing facilities, intermediate care beds, skilled nursing beds, intermediate care facilitiey beds for individuals with an intellectual disability.
Wisconsin	Yes	Hospital beds, psychiatric/chemical dependency beds and nursing home beds.
Wyoming	No
District of Columbia	No
Puerto Rico	No data
US Virgin Islands	No data

Additional Resources

NCSL Resources

States Modernizing Certificate of Need Laws - December 2019
State Legislation Relating to Transparency and Disclosure of Health and Hospital Charges - updated 2020.

Federal Resources

The Federal Trade Commision (FTC) website
- FTC Statement to the Alaska Senate Committee on Health and Social Services on CON laws and SB 1 - March 2019
- FTC and Department of Justice's (DOJ) Antitrust Division joint statement on proposed Alaska CON-repeal legislation - April 2017
- FTC and DOJ's Antitrust Division joint statement on proposed South Carolina CON-repeal legislation - January 2016
- FTC report Certificarte of Need Laws: A Prescription for Higher Costs - December 2015
The Department of Health and Human Services' report Reforming America's Healthcare System Through Choice and Competition - November 2018

Other Resources

The American Health Planning Association (AHPA) website
State CON websites
CON articles and essays

Text/HTML

Alabama

Health Care Facility Licensing/Certification Agency	Alabama Health Planning and Development Agency
Certificate of Need Law	Ala. Code § 22-21-260
Facilities and Activities Overview
Facilities Regulated Under Certificate of Need Laws	General hospitals Specialized hospitals Tuberculsis Psychiatric Lng-term-care Related facilities assciated with a hospital Laboratories Outpatient clinics Central service facilities Skilled nursing facilities Intermediate care facilities Skilled or intermediate care units operated in veteran’s nursing homes and veteran’s homes Rehabilitation centers Public health centers Facilities for surgical treatment not requiring hospitalization Kidney disease treatment centers Freestanding hemdialysis units Community mental health centers Alcohol and drug abuse facilities Facilities for the developmentally disabled Hospice service providers Home health agencies Health Maintenance Organizations
Activities Regulated Under Certificate of Need Law	Constructing, developing, acquiring or establishing a new health care facility or HMO Selling, leasing or other another type of transfer or change in control if the transaction involves implementing one or more institution health service Capital expenditures greater than: $2,000,000 fr major medical equipment $800,000 fr new annual operating costs $4,000,000 fr any other capital expenditures Changing bed capacity Offering new health services Replacing or relocating an existing acute care hospital with a new digital hospital under certain circumstances.
Other Requirements
Moratoria	No
Additional Comments	N/A

Alaska

Health Care Facility Licensing/Certification Agency
Certificate of Need Law
Facilities and Activities Overview
Facilities Regulated Under Certificate of Need Laws
Activities Regulated Under Certificate of Need Law
Other Requirements
Moratoria
Additional Comments

Arizona

Ariz. Rev. Stat. § 39-126: Nothing in this chapter requires the disclosure of a risk assessment that is performed by or on behalf of a federal agency to evaluate critical energy, water or telecommunications infrastructure to determine its vulnerability to sabotage or attack.

Arkansas

The annotations of Ark. Code § 25-19-105 exempts CEII: (6) The federal government recognizes the importance of critical infrastructure information, and has created special policies to address its protection, including without limitation: (A) The Critical Infrastructure Information Act of 2002, 6 U.S.C. § 131 et seq., which prohibits federal agencies from disclosing certain information submitted to the United States Department of Homeland Security; and (B) Rules of the Federal Energy Regulatory Commission addressing critical energy infrastructure information, which limit access to certain information generated or collected by the commission and require the use of nondisclosure agreements when the information is provided; and (7) It is necessary to protect the security of the infrastructure of Arkansas's utility systems, including without limitation electric generation, transmission, and distribution. (8) Ensure the security of Arkansas's infrastructure by exempting utility infrastructure information from mandatory disclosure.

California

Cal. Gov't Code § 6254(ab): This chapter does not require the disclosure of any of the following records; Critical infrastructure information, as defined in Section 131(3) of Title 6 of the United States Code, that is voluntarily submitted to the Office of Emergency Services for use by that office, including the identity of the person who or entity that voluntarily submitted the information. As used in this subdivision, voluntarily submitted, means submitted in the absence of the office exercising any legal authority to compel access to or submission of critical infrastructure information. This subdivision shall not affect the status of information in the possession of any other state or local governmental agency.

Colorado

The Colorado General Assembly enacted S.B. 40 (enacted, 2017), amending Colo. Rev. Stat. §24-72-204 as follows: (2) (a) The custodian may deny the right of inspection of the following records, unless otherwise provided by law, on the ground that disclosure to the applicant would be contrary to the public interest: (VIII) (A) Specialized details of either security arrangements or investigations or the physical and cyber assets of critical infrastructure, including the specific engineering, vulnerability, detail design information, protective measures, emergency response plans, or system operational data of such assets that would be useful to a person in planning an attack on critical infrastructure but that does not simply provide the general location of such infrastructure. Nothing in this subparagraph (VIII) SUBSECTION (2)(a)(VIII) prohibits the custodian from transferring records containing specialized details of EITHER security arrangements or investigations or the physical and cyber assets of critical infrastructure to the division of homeland security and emergency management in the department of public safety, the governing body of any city, county, city and county, or other political subdivision of the state, or any federal, state, or local law enforcement agency; except that the custodian shall not transfer any record received from a nongovernmental entity without the prior written consent of the entity unless such information is already publicly available.

Georgia

Ga. Code §50-18-72(a)(16): Public disclosure shall not be required for records that are … Agricultural or food system records, data, or information that are considered by the Department of Agriculture to be a part of the critical infrastructure, provided that nothing in this paragraph shall prevent the release of such records, data, or information to another state or federal agency if the release of such records, data, or information is necessary to prevent or control disease or to protect public health, safety, or welfare. As used in this paragraph, the term “critical infrastructure” shall have the same meaning as in 42 U.S.C. Section 5195c(e). Such records, data, or information shall be subject to disclosure only upon the order of a court of competent jurisdiction.

Hawaii

Haw. Rev. Stat. §92F-11- 92F-19 does not explicitly contain the CEII exemption but it exists in an opinion letter, Haw. OIP Opinion Letter No. 07-05 (April 13, 2007), 2007 WL 1267787: To the extent that public disclosure of information about the physical security of critical energy infrastructure would compromise the security of that infrastructure and expose it to hazards such as vandalism, copper or equipment theft, or other criminal activity, the Department of Business, Economic Development & Tourism may withhold the information under the Uniform Information Practices Act's exception for information whose disclosure would frustrate a legitimate government function.

Indiana

Ind. Code §5-14-3-4 (b)(19)(J): Except as otherwise provided by subsection (a), the following public records shall be excepted from section 3 of this chapter at the discretion of a public agency... A record or a part of a record, the public disclosure of which would have a reasonable likelihood of threatening public safety by exposing a vulnerability to terrorist attack. A record described under this subdivision includes the following... Infrastructure records that disclose the configuration of critical systems such as communication, electrical, ventilation, water, and wastewater systems.

Iowa

Iowa added an exemption for CEII in the 2017 legislative session. Iowa Code §22.7 (70): The following public records shall be kept confidential, unless otherwise ordered by a court, by the lawful custodian of the records, or by another person duly authorized to release such information... Information and records related to cyber security information or critical infrastructure, the disclosure of which may expose or create vulnerability to critical infrastructure systems, held by the utilities board of the department of commerce or the department of homeland security and emergency management for purposes relating to the safeguarding of telecommunications, electric, water, sanitary sewage, storm water drainage, energy, hazardous liquid, natural gas, or other critical infrastructure systems. For purposes of this subsection, “cyber security information” includes but is not limited to information relating to cyber security defenses, threats, attacks, or general attempts to attack cyber system operations

Kansas

Kan. Stat. §45-221 (a) (45) & (54): (45) Records, other than criminal investigation records, the disclosure of which would pose a substantial likelihood of revealing security measures that protect: (A) Systems, facilities or equipment used in the production, transmission or distribution of energy, water or communications services... For purposes of this paragraph, security means measures that protect against criminal acts intended to intimidate or coerce the civilian population, influence government policy by intimidation or coercion or to affect the operation of government by disruption of public services, mass destruction, assassination or kidnapping. Security measures include, but are not limited to, intelligence information, tactical plans, resource deployment and vulnerability assessments... (54) Records of a utility concerning information about cyber security threats, attacks or general attempts to attack utility operations provided to law enforcement agencies, the state corporation commission, the federal energy regulatory commission, the department of energy, the southwest power pool, the North American electric reliability corporation, the federal communications commission or any other federal, state or regional organization that has a responsibility for the safeguarding of telecommunications, electric, potable water, waste water disposal or treatment, motor fuel or natural gas energy supply systems.

Kentucky

Ky. Rev. Stat. §61.878(1)(m)(1)(f): The following public records are excluded from the application of KRS 61.870 to 61.884 and shall be subject to inspection only upon order of a court of competent jurisdiction, except that no court shall authorize the inspection by any party of any materials pertaining to civil litigation beyond that which is provided by the Rules of Civil Procedure governing pretrial discovery… Public records the disclosure of which would have a reasonable likelihood of threatening the public safety by exposing a vulnerability in preventing, protecting against, mitigating, or responding to a terrorist act and limited to… Infrastructure records that expose a vulnerability referred to in this subparagraph through the disclosure of the location, configuration, or security of critical systems, including public utility critical systems. These critical systems shall include but not be limited to information technology, communication, electrical, fire suppression, ventilation, water, wastewater, sewage, and gas systems.

Maine

Me. Rev. Stat. tit. 1, §402(3)(L) [Exempts] [r]ecords describing security plans, security procedures or risk assessments prepared specifically for the purpose of preventing or preparing for acts of terrorism, but only to the extent that release of information contained in the record could reasonably be expected to jeopardize the physical safety of government personnel or the public. Information contained in records covered by this paragraph may be disclosed to the Legislature or, in the case of a political or administrative subdivision, to municipal officials or board members under conditions that protect the information from further disclosure. For purposes of this paragraph, “terrorism” means conduct that is designed to cause serious bodily injury or substantial risk of bodily injury to multiple persons, substantial damage to multiple structures whether occupied or unoccupied or substantial physical damage sufficient to disrupt the normal functioning of a critical infrastructure.

Michigan

Mich. Comp. Laws. Ann. § 15.243: Records or information of measures designed to protect the security or safety of persons or property, whether public or private, including, but not limited to, building, public works, and public water supply designs to the extent that those designs relate to the ongoing security measures of a public body, capabilities and plans for responding to a violation of the Michigan anti-terrorism act, chapter LXXXIII-A of the Michigan penal code, 1931 PA 328, MCL 750.543a to 750.543z, emergency response plans, risk planning documents, threat assessments, and domestic preparedness strategies, unless disclosure would not impair a public body's ability to protect the security or safety of persons or property or unless the public interest in disclosure outweighs the public interest in nondisclosure in the particular instance.

Minnesota

Minnesota keeps energy data private but it does not specifically exempt information about critical energy infrastructure. Minn. Stat. §13.68 Subdivision 1. Nonpublic data. Energy and financial data, statistics, and information furnished to the commissioner of commerce by a coal supplier or petroleum supplier, or information on individual business customers of a public utility pursuant to section 216C.16 or 216C.17, either directly or through a federal department or agency are classified as nonpublic data as defined by section 13.02, subdivision 9.

Missouri

Mo. Rev. Stat. §610.021 (19) [Exempts] [e]xisting or proposed security systems and structural plans of real property owned or leased by a public governmental body, and information that is voluntarily submitted by a nonpublic entity owning or operating an infrastructure to any public governmental body for use by that body to devise plans for protection of that infrastructure, the public disclosure of which would threaten public safety: (a) Records related to the procurement of or expenditures relating to security systems purchased with public funds shall be open; (b) When seeking to close information pursuant to this exception, the public governmental body shall affirmatively state in writing that disclosure would impair the public governmental body's ability to protect the security or safety of persons or real property, and shall in the same writing state that the public interest in nondisclosure outweighs the public interest in disclosure of the records.

Nebraska

Neb. Rev. Stat. §84-712.05 (8) [Exempts] [i]nformation solely pertaining to protection of the security of public property and persons on or within public property, such as specific, unique vulnerability assessments or specific, unique response plans, either of which is intended to prevent or mitigate criminal acts the public disclosure of which would create a substantial likelihood of endangering public safety or property; computer or communications network schema, passwords, and user identification names; guard schedules; lock combinations; or public utility infrastructure specifications or design drawings the public disclosure of which would create a substantial likelihood of endangering public safety or property, unless otherwise provided by state or federal law.

Nevada

Nev. Rev. Stat. §239C.210 1. [Exempts] a document, record or other item of information described in subsection 2 that is prepared and maintained for the purpose of preventing or responding to an act of terrorism is confidential, not subject to subpoena or discovery, not subject to inspection by the general public and may only be inspected by or released to [certain parties]... 2. The types of documents, records or other items of information subject to executive order pursuant to subsection 1 are as follows... (b) Drawings, maps, plans or records that reveal the critical infrastructure of primary buildings, facilities and other structures used for storing, transporting or transmitting water or electricity, natural gas or other forms of energy, fiber optic cables, microwave towers or other vertical assets used for the transmission or receipt of data or communications used by response agencies and public safety and public health personnel.

New York

N.Y. Pub. Off. Law §89 5. (a) (1) (1-a) A person or entity who submits or otherwise makes available any records to any agency, may, at any time, identify those records or portions thereof that may contain critical infrastructure information, and request that the agency that maintains such records except such information from disclosure under subdivision two of section eighty-seven of this article. Where the request itself contains information which if disclosed would defeat the purpose for which the exception is sought, such information shall also be excepted from disclosure.

North Carolina

N.C. Gen. Stat. §132-1.7(a) Public records, as defined in G.S. 132-1, shall not include information containing specific details of public security plans and arrangements or the detailed plans and drawings of public buildings and infrastructure facilities or plans, schedules, or other documents that include information regarding patterns or practices associated with executive protection and security… (b) Public records as defined in G.S. 132-1 do not include plans to prevent or respond to terrorist activity, to the extent such records set forth vulnerability and risk assessments, potential targets, specific tactics, or specific security or emergency procedures, the disclosure of which would jeopardize the safety of governmental personnel or the general public or the security of any governmental facility, building, structure, or information storage system… (c) Information relating to the general adoption of public security plans and arrangements, and budgetary information concerning the authorization or expenditure of public funds to implement public security plans and arrangements, or for the construction, renovation, or repair of public buildings and infrastructure facilities shall be public records.

North Dakota

NDCC §44-04-24. Security system plan--Exemption: 1. A security system plan kept by a public entity is exempt from the provisions of section 44-04-18 and section 6 of article XI of the Constitution of North Dakota. 2. As used in this section: a. “Critical infrastructure” means public buildings, systems, including telecommunications centers and computers, power generation plants, dams, bridges, and similar key resources, whether physical or virtual, so vital to the state that the incapacity or destruction of these systems would have a debilitating impact on security, state economic security, state public health or safety, or any combination of those matters. b. “Security system plan” includes all records, information, photographs, audio and visual presentations, schematic diagrams, surveys, recommendations, communications, or consultations or portions of any such plan relating directly to the physical or electronic security of a public facility, or any critical infrastructure, whether owned by or leased to the state or any of its political subdivisions, or any privately owned or leased critical infrastructure if the plan or a portion of the plan is in the possession of a public entity; threat assessments; vulnerability and capability assessments conducted by a public entity, or any private entity; threat response plans; and emergency evacuation plans. 3. This exemption applies to security system plans received by a public entity before, on, or after March 20, 2003. 4. Nothing in this section may be construed to limit disclosure required for necessary construction, renovation, or remodeling work on a public building. Disclosure under this subsection does not constitute public disclosure.

Ohio

Ohio Rev. Code §149.433 (A) As used in this section... “Infrastructure record” means any record that discloses the configuration of critical systems including, but not limited to, communication, computer, electrical, mechanical, ventilation, water, and plumbing systems, security codes, or the infrastructure or structural configuration of a building. “Infrastructure record” includes a risk assessment of infrastructure performed by a state or local law enforcement agency at the request of a property owner or manager. “Infrastructure record” does not mean a simple floor plan that discloses only the spatial relationship of components of the building... (B)(1) A record kept by a public office that is a security record is not a public record under section 149.43 of the Revised Code and is not subject to mandatory release or disclosure under that section... (3) A record kept by a public office that is an infrastructure record of a private entity may be exempted from release or disclosure under division (C) of this section. (C) A record prepared by, submitted to, or kept by a public office that is an infrastructure record of a private entity, which is submitted to the public office for use by the public office, when accompanied by an express statement, is exempt from release or disclosure under section 149.43 of the Revised Code for a period of twenty-five years after its creation if it is retained by the public office for that length of time. (D) Notwithstanding any other section of the Revised Code, disclosure by a public office, public employee, chartered nonpublic school, or chartered nonpublic school employee of a security record or infrastructure record that is necessary for construction, renovation, or remodeling work on any public building or project or chartered nonpublic school does not constitute public disclosure for purposes of waiving division (B) of this section and does not result in that record becoming a public record for purposes of section 149.43 of the Revised Code.

Oklahoma

Okla. Stat. tit. 51, §24A.27: A. Any state environmental agency or public utility shall keep confidential vulnerability assessments of critical assets in both water and wastewater systems. State environmental agencies or public utilities may use the information for internal purposes or allow the information to be used for survey purposes only. The state environmental agencies or public utilities shall allow any public body to have access to the information for purposes specifically related to the public bodies function. B. For purposes of this section: 1. “State environmental agencies” includes the: a. Oklahoma Water Resources Board, b. Oklahoma Corporation Commission, c. State Department of Agriculture, d. Oklahoma Conservation Commission, e. Department of Wildlife Conservation, f. Department of Mines, and g. Department of Environmental Quality; 2. “Public Utility” means any individual, firm, association, partnership, corporation or any combination thereof, municipal corporations or their lessees, trustees and receivers, owning or operating for compensation in this state equipment or facilities for: a. producing, generating, transmitting, distributing, selling or furnishing electricity, b. the conveyance, transmission, reception or communications over a telephone system, c. transmitting directly or indirectly or distributing combustible hydrocarbon natural or synthetic natural gas for sale to the public, or d. the transportation, delivery or furnishing of water for domestic purposes or for power.

Oregon

Oregon enacted HB2906 in the 2017 legislative session. HB2906(2)(b) A public body that shares geospatial framework data in accordance with subsection (1) of this section may: ... (D) Withhold from public disclosure geospatial framework data that the council designates by rule as critical infrastructure information.

Or. Rev. Stat. §192.690 (2) Because of the grave risk to public health and safety that would be posed by misappropriation or misapplication of information considered during such review and approval, ORS 192.610 to 192.690 shall not apply to review and approval of security programs by the Energy Facility Siting Council pursuant to ORS 469.530.

Pennsylvania

65 Pa. Stat. §67.708 (b) Exceptions… the following are exempt from access by a requester under this act… (3) A record, the disclosure of which creates a reasonable likelihood of endangering the safety or the physical security of a building, public utility, resource, infrastructure, facility or information storage system, which may include: (i) documents or data relating to computer hardware, source files, software and system networks that could jeopardize computer security by exposing a vulnerability in preventing, protecting against, mitigating or responding to a terrorist act; (ii) lists of infrastructure, resources and significant special events, including those defined by the Federal Government in the National Infrastructure Protections, which are deemed critical due to their nature and which result from risk analysis; threat assessments; consequences assessments; antiterrorism protective measures and plans; counterterrorism measures and plans; and security and response needs assessments; and (iii) building plans or infrastructure records that expose or create vulnerability through disclosure of the location, configuration or security of critical systems, including public utility systems, structural elements, technology, communication, electrical, fire suppression, ventilation, water, wastewater, sewage and gas systems.

Texas

Texas exempts meetings about critical infrastructure from its Open Meetings law. However, CEII is not specifically exempted from information requests under the state's Open Records law.

Tex. Gov't Code § 551.089: This chapter does not require a governmental body to conduct an open meeting to deliberate: (1) security assessments or deployments relating to information resources technology; (2) network security information as described by Section 2059.055(b); or (3) the deployment, or specific occasions for implementation, of security personnel, critical infrastructure, or security devices.

Vermont

Vt. Stat. tit. 1, § 317 (32) With respect to publicly owned, managed, or leased structures, and only to the extent that release of information contained in the record would present a substantial likelihood of jeopardizing the safety of persons or the security of public property, final building plans, and as-built plans, including drafts of security systems within a facility, that depict the internal layout and structural elements of buildings, facilities, infrastructures, systems, or other structures owned, operated, or leased by an agency before, on, or after the effective date of this provision; emergency evacuation, escape, or other emergency response plans that have not been published for public use; and vulnerability assessments, operation and security manuals, plans, and security codes. For purposes of this subdivision, “system” shall include electrical, heating, ventilation, air conditioning, telecommunication, elevator, and security systems. Information made exempt by this subdivision may be disclosed to another governmental entity if disclosure is necessary for the receiving entity to perform its duties and responsibilities; to a licensed architect, engineer, or contractor who is bidding on or performing work on or related to buildings, facilities, infrastructures, systems, or other structures owned, operated, or leased by the State. The entities or persons receiving such information shall maintain the exempt status of the information. Such information may also be disclosed by order of a court of competent jurisdiction, which may impose protective conditions on the release of such information as it deems appropriate. Nothing in this subdivision shall preclude or limit the right of the General Assembly or its committees to examine such information in carrying out its responsibilities or to subpoena such information. In exercising the exemption set forth in this subdivision and denying access to information requested, the custodian of the information shall articulate the grounds for the denial.

Virginia

Va. Code § 2.2-3705.2 (14) Information contained in (i) engineering, architectural, or construction drawings; (ii) operational, procedural, tactical planning, or training manuals; (iii) staff meeting minutes; or (iv) other records that reveal any of the following, the disclosure of which would jeopardize the safety or security of any person; governmental facility, building, or structure or persons using such facility, building, or structure; or public or private commercial office, multifamily residential, or retail building or its occupants: a. Critical infrastructure information or the location or operation of security equipment and systems of any public building, structure, or information storage facility, including ventilation systems, fire protection equipment, mandatory building emergency equipment or systems, elevators, electrical systems, telecommunications equipment and systems, or utility equipment and systems; b. Vulnerability assessments, information not lawfully available to the public regarding specific cybersecurity threats or vulnerabilities, or security plans and measures of an entity, facility, building structure, information technology system, or software program… The same categories of records of any person or entity submitted to a public body for the purpose of antiterrorism response planning or cybersecurity planning or protection may be withheld from disclosure if such person or entity in writing (a) invokes the protections of this subdivision, (b) identifies with specificity the records or portions thereof for which protection is sought, and (c) states with reasonable particularity why the protection of such records from public disclosure is necessary to meet the objective of antiterrorism, cybersecurity planning or protection, or critical infrastructure information security and resilience. Such statement shall be a public record and shall be disclosed upon request. Any public body receiving a request for records excluded under clauses (a) and (b) of this subdivision 14 shall notify the Secretary of Public Safety and Homeland Security or his designee of such request and the response made by the public body in accordance with § 2.2-3704.

Washington

Washington’s Court of Appeals interpreted a statute to exempt critical infrastructure information from its Public Records Act, although the phrase is not used in the statute. The court granted an injunction for an information request seeking a detailed map and attribute-level pipeline data under the terrorist security exemption of the Public Records Act. Washington Utilities and Transportation Commission (WUTC) was not required to disclose the data, although the data was not initially compiled to combat terrorism. More than 20 industry representatives asserted that gas pipeline system was part of critical energy infrastructure of state and region and that incapacity or destruction of the system would have potentially catastrophic consequences. Northwest Gas Ass'n v. Washington Utilities and Transp. Com'n (2007) 141 Wash. App. 98, 168 P.3d 443, review denied 163 Wash.2d 1049, 187 P.3d 750.

Wash. Rev. Code § 42.56.420 The following information relating to security is exempt from disclosure under this chapter: (1) Those portions of records assembled, prepared, or maintained to prevent, mitigate, or respond to criminal terrorist acts, which are acts that significantly disrupt the conduct of government or of the general civilian population of the state or the United States and that manifest an extreme indifference to human life, the public disclosure of which would have a substantial likelihood of threatening public safety, consisting of: (a) Specific and unique vulnerability assessments or specific and unique response or deployment plans, including compiled underlying data collected in preparation of or essential to the assessments, or to the response or deployment plans; and (b) Records not subject to public disclosure under federal law that are shared by federal or international agencies, and information prepared from national security briefings provided to state or local government officials related to domestic preparedness for acts of terrorism... (4) Information regarding the public and private infrastructure and security of computer and telecommunications networks, consisting of security passwords, security access codes and programs, access codes for secure software applications, security and service recovery plans, security risk assessments, and security test results to the extent that they identify specific system vulnerabilities, and other such information the release of which may increase risk to the confidentiality, integrity, or availability of security, information technology infrastructure, or assets.

West Virginia

W. Va. Code § 29B-1-4 (a) There is a presumption of public accessibility to all public records, subject only to the following categories of information which are specifically exempt from disclosure under the provisions of this article… (15) Architectural or infrastructure designs, maps or other records that show the location or layout of the facilities where computing, telecommunications or network infrastructure used to plan against or respond to terrorism are located or planned to be located; (16) Codes for facility security systems; or codes for secure applications for facilities referred to in subdivision (15) of this subsection; (17) Specific engineering plans and descriptions of existing public utility plants and equipment.