| Time After Discovery of Breach |
Action Required |
| 10 Calendar Days |
- Puerto Rico Department of Consumer Affairs
|
| 14 Business Days |
- Vermont AG preliminary notification
|
| 15 Business Days |
- California residents, California AG, and California Department of Public Health must be notified of the disclosure of PHI by a clinic, health facility, home health agency, or hospice licensed by the California Department of Public Health (“CDPH”)
|
| 30 Calendar Days |
- Florida residents, AG (500+ residents) (Can request 15 day extension) (60 Days for PHI/HIPAA incidents).
- Indiana AG will open an investigation if not notified within 30 days
|
| 45 Calendar Days |
- Ohio residents
- Tennessee residents (60 Days for PHI/HIPAA incidents)
- Vermont residents, AG
- Washington residents, AG (500+ residents) (60 Days for PHI/HIPAA incidents)
- Wisconsin residents (60 Days for PHI/HIPAA incidents
- New Mexico residents, AG (500+ residents)
- Maryland residents (60 Days for PHI/HIPAA incidents)
|
| 60 Calendar Days |
- Individuals and HHS OCR for PHI disclosure.
- Delaware (effective 4/14/18), AG (500+ residents)
|
| 90 Calendar Days |
- Connecticut residents (60 days for PHI/HIPAA incidents)
|
| Most expedient time and without unreasonable delay |
- AK, AZ, AR, CA (other than as noted above), CO, DE (until 4/14/18), DC, GA, HI, ID, IL, IA, KS, KY, ME, MA, MI, MN, MS, MO, MT, NV, NJ, NY, NC, ND, OK, OR, PA, PR, SC, UT, VA, WV, WY
|
| As soon as possible |
|
| Days After Confirmation of Breach |
Action Required |
| 45 Calendar Days |
- Rhode Island residents, AG (500+ residents) (60 Days for PHI/HIPAA incidents).
|