ABSTRACT

Many jurisdictions have breach notification laws that require notifications to be sent to the affected individuals, regulators, attorneys general, and/or the media when a data breach occurs. Table 5.1 summarizes the types of personal information that trigger notification under the state laws in the United States. As can be seen, only five states and one territory actually require breach notification if health information is involved (Arkansas,* California,† Missouri,‡ New Hampshire,§ Texas,¶ and Puerto Rico**). This does not entirely absolve health information custodians from the notification requirement, because many medical records also contain other types of information, such as financial information, that is covered by other state laws. More recently, the Health Information Technology for Economic and Clinical Health (HITECH) Act†† added national breach notification requirements for health information, making it necessary for the DHHS to report the number of notified breaches to Congress on an annual basis.