Healthcare Information Security


Which States Have a Data Breach Notification Law?

By Elizabeth Snell

- Data breach notification is essential for organizations of all sizes, and those in the healthcare industry are no exception. In fact, the HIPAA  breach notification rule requires that covered entities and their business associates notify necessary parties after unsecured protected health information (PHI) is compromised.

State data breach notification laws are critical, along with HIPAA requirement

The push for a national data breach notification rule has faced scrutiny, as many lawmakers believe that the individual state laws are more comprehensive. One recently proposed law would allow states to keep their own notification laws if they have more strict policies already in place.

However, what type of state law protections are already there when it comes to individuals’ personally identifiable information? Nearly every state has its own data breach notification law, and it is becoming increasingly popular for lawmakers to include medical information or health insurance data in their definition of “personal information.” Essentially, should medical data be compromised in a data breach, then the company would be required to properly notify individuals and the proper authorities.

Previously, we’ve discussed the intricacies of the HIPAA breach notification rule, and what covered entities can expect from those requirements. It is also essential that organizations understand state rules. We’ll break down the basics across the nation, such as which states include medical data under personal information and which ones have yet to put any type of security breach notification law in place.

Three states are holding out

READ MORE: US Appeals Court Affirms FCA Healthcare Data Breach Case

Forty-seven states have data breach notification laws, although Alabama could soon become the 48th. The Alabama Information Protection Act of 2015 was introduced on March 3, 2015, and as of April 14, 2015, it is listed as being under “further consideration” in the Alabama legislature. Health data and medical information is included in the bill’s definition of personal information, meaning that should that data be exposed, consumers will need to be notified.

New Mexico is another state that is yet to implement its own data breach notification bill. However, the state’s House unanimously passed such legislation earlier this year, only to have the New Mexico Senate shoot the proposed bill down.

According to a Fiscal Impact Report on HB 217, there was potential confusion in the bill’s definition of a “person,” so it is unclear if HB 217 applies to state agencies and other public organizations. Moreover, New Mexico’s current security rules have standards or guidelines in place to protect PII, but that it “could promulgate additional rules to address certain provisions” of HB 217, commented New Mexico’s Department of Information Technology.

Sen. Joseph Cervantes explained that the strength of the notification requirements for companies in the legislation was concerning. For example, he said that the part of the bill that gives a $150,000 cap on the amount of damages the state attorney general could collect from a company for notification violations was concerning.

South Dakota also does not yet have a data breach notification law, and at the time of publication there was no proposed legislation in place.

READ MORE: Senator Urges Prompt Data Breach Disclosure in Recent Bill

How many account for medical information?

Twelve states, as well as Puerto Rico, have data breach notification bills in place that account for medical information or health data being compromised:

  • Alabama*
  • Arkansas
  • California
  • Florida
  • Illinois*
  • Missouri
  • Montana
  • New Hampshire
  • North Dakota
  • Utah
  • Virginia
  • Wyoming
  • Puerto Rico

*As previously mentioned, Alabama has not yet finalized its legislation, but if The Alabama Information Protection Act of 2015 passes, medical information is included in the bill’s definition of personal information. The Illinois Senate passed a data breach law that now includes medical and health insurance data in its definition of personal information, but the bill is yet to be passed by the House.

Is data encryption included in state laws?

Data encryption is often discussed in data breach cases, but it is not required under HIPAA. Instead, this safeguard is considered an “addressable” issue, which allows organizations to review their needs and determine if data encryption would be necessary to keep information secure. If a facility determines it to be unnecessary, then they need to explain why and provide an appropriate alternative.

READ MORE: 91K Patients’ Data Compromised in WA Healthcare Data Breach

Nearly every state - essentially every one with a data breach notification law in place - accounts for encryption with safe harbor. Essentially, this is a method for de-identifying data, and removes certain identifiers from the information. For example, identifiers could be names, telephone numbers, email addresses, or Social Security numbers.  

In the established state laws, the data breach notification process will only need to take place if the accessed information  was unencrypted. In some cases, the legislation adds that the encryption key needs to have been taken as well.

Data breach timelines

Another important aspect to many data breach notification laws is the length of time it takes to notify individuals or authorities, such as the state’s Attorney General. Most notification regulations state that notice must be given “without unreasonable delay” or in an “expedient time and manner.” However, several states have a more specific time frame.

For example, California requires licensees to notify both affected patients and the California Department of Health Services no later than 15 business days after the discovery of a breach. Connecticut states that residents must be notified as soon as the incident is identified, but no later than five calendar days afterward.

Maine also has a somewhat stringent policy, requiring notification within seven business days, while Florida law requires no later than 30 days. Ohio, Vermont, and Wisconsin laws require notification no later than 45 days after the discovery of a breach.

Maintaining HIPAA compliance still critical

The key aspect to the HIPAA data breach notification rule is that it only applies to unsecured PHI, meaning PHI “that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.”

State data breach notification laws try to account for a wider array of data, and often ensure that numerous industries will fall under the legislation. Regardless of state policies, healthcare organizations need to have written policies and procedures in place that cover the HIPAA breach notification process. Even as more states begin to adopt their own notification laws, and account for medical information, maintaining HIPAA compliance must still be a top priority.


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks