WHEN do you have to notify by? State laws vary.

MintzLevin has updated its state data breach law matrix, as I noted previously on the page where I link to such resources.

Here’s an excerpt from their matrix:

Breach Notification Timeline

Time After Discovery of Breach     Action Required
10 Calendar Days
  • Puerto Rico Department of Consumer Affairs
14 Business Days
  • Vermont AG preliminary notification
15 Business Days
  • California residents, California AG, and California Department of Public Health must be notified of the disclosure of PHI by a clinic, health facility, home health agency, or hospice licensed by the California Department of Public Health (“CDPH”)
30 Calendar Days
  • Florida residents, AG (500+ residents) (Can request 15 day extension) (60 Days for PHI/HIPAA incidents).
  • Indiana AG will open an investigation if not notified within 30 days
45 Calendar Days
  • Ohio residents
  • Tennessee residents (60 Days for PHI/HIPAA incidents)
  • Vermont residents, AG
  • Washington residents, AG (500+ residents) (60 Days for PHI/HIPAA incidents)
  • Wisconsin residents (60 Days for PHI/HIPAA incidents
  • New Mexico residents, AG (500+ residents)
  • Maryland residents (60 Days for PHI/HIPAA incidents)
60 Calendar Days
  • Individuals and HHS OCR for PHI disclosure.
  • Delaware (effective 4/14/18), AG (500+ residents)
90 Calendar Days
  • Connecticut residents (60 days for PHI/HIPAA incidents)
Most expedient time and without unreasonable delay
  • AK, AZ, AR, CA (other than as noted above), CO, DE (until 4/14/18), DC, GA, HI, ID, IL, IA, KS, KY, ME, MA, MI, MN, MS, MO, MT, NV, NJ, NY, NC, ND, OK, OR, PA, PR, SC, UT, VA, WV, WY
As soon as possible
  • NE, NH, TX
Days After Confirmation of Breach   Action Required
45 Calendar Days
  • Rhode Island residents, AG (500+ residents) (60  Days for PHI/HIPAA incidents).

About the author: Dissent

Comments are closed.