data breach notification laws

Earlier this week, Mintz Levin’s Privacy & Security Matters blog posted an update that Alabama has become the 50th state to enact a data breach notification law.

Although HIPAA is often a key focus, healthcare organizations must not lose sight of the various state reporting requirements applicable to their business. For those healthcare organizations that store data about Alabama residents, take a look here for some key provisions of the newly minted “Alabama Data Breach Notification Act of 2018,” such as scope, notice requirements, and potential penalties.


A draft bill recently introduced in the U.S. Senate serves as a good reminder that compliance with data breach reporting requirements is critical. This bill follows significant, high-profile data breaches by Uber and Equifax, both of which involved millions of individuals (87 million and 145 million, respectively) and both of which went unreported for a significant period of time following discovery by the companies. Equifax took more than a month to notify the public, while Uber took more than a year.

Continue Reading Proposed Law Would Criminalize Failures to Report Data Breaches

As reported on the Privacy and Security Matters blog last week, the Mintz Levin privacy team recently updated the “Mintz Matrix,” a summary of the U.S. state data breach notification laws that we update on a quarterly basis, or more frequently as needed. In addition to HIPAA, health care organizations must remain aware of the separate state notification obligations and other privacy and security laws when responding to data breaches. The Mintz Matrix is available here.

Continue Reading Mintz Matrix Updated with Amended State Data Breach Notification Laws in Five States

As reported in a recent Privacy and Security Matters post, we have updated the “Mintz Matrix,” a summary of the U.S. state data breach notification laws. The Mintz Matrix is an invaluable tool for reviewing state breach notification requirements, which may apply in addition to HIPAA in the event of a data breach. We update the Mintz Matrix on a quarterly basis, or more frequently if necessary.

Continue Reading New Year, New Breach Notification Laws

Written by Dianne Bourque and Daria Niewenhous

It’s time for mandatory data breach reporting to the Office for Civil Rights (“OCR”) under the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the interim final breach notification rule. Yes, it’s February – time for Valentines, cold and snow (in the Northeast anyway), but most importantly, HITECH requires regulated entities (“covered entities”) to report smaller-scale data breaches (those affecting fewer than 500 individuals) to OCR. These breach reports are due within 60 days following the end of the calendar year in which the breach occurred. So, covered entities that experienced a breach or breaches involving fewer than 500 individuals in 2011 should make any required reports to OCR by the end of February. If you are a covered entity with HITECH reporting obligations, the following resources may be helpful:

* Instructions for notifying OCR of breaches affecting fewer than 500 individuals; and
* Form for submitting notice to OCR.

Even if you did not experience a reportable breach, it is helpful to review the notification form and to become familiar with the type of information that must be gathered and reported in the event of a data breach. If you have questions about your reporting obligations, the reporting process, or HIPAA compliance in general, contact Dianne Bourque, Daria Niewenhous, or the Mintz Levin attorney who generally assists you.

Written by Dianne Bourque

In the event of a data breach, covered entities must consider state law notification requirements, as well as those imposed by HIPAA. Toward that end, Mintz Levin has developed a survey of state data breach notification laws, which is a useful tool for understanding the types of protections states require, breach notification triggers, timing, and other specifics. The Mintz Levin Data Breach Matrix is accessible here. As observed by Cynthia Larose in a recent Privacy & Security Matters post, all the usual disclaimers apply: the matrix is not a substitute for legal advice from practitioners with experience responding to data breaches.