Privacy and Security Matters Blog

Earlier this week, Mintz Levin’s Privacy & Security Matters blog posted an update that Alabama has become the 50th state to enact a data breach notification law.

Although HIPAA is often a key focus, healthcare organizations must not lose sight of the various state reporting requirements applicable to their business. Healthcare organizations that store data about Alabama residents should take a look here for some key provisions of the newly minted “Alabama Data Breach Notification Act of 2018,” such as scope, notice requirements, and potential penalties.


My colleagues in the Privacy and Security Group recently updated the Mintz Matrix, a summary of U.S. state data breach notification laws. While we often discuss HIPAA on Health Law and Policy Matters, health care organizations must be aware of separate state notification requirements and other privacy and security laws that may apply in the event of a data breach. We update the Mintz Matrix on a quarterly basis, or more frequently if necessary.

The updated Mintz Matrix is available here. The Privacy and Security Matters Blog recapped the main updates, including Tennessee’s amendments to its breach notification requirements, which impose a stricter time frame for notification and remove the safe harbor for encrypted data.

We hope this chart is helpful to you, but we must note that it is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.