My colleagues in the Privacy and Security Group recently updated the Mintz Matrix, a summary of U.S. state data breach notification laws. While we often discuss HIPAA on Health Law and Policy Matters, health care organizations must be aware of separate state notification requirements and other privacy and security laws that may apply in the event of a data breach. We update the Mintz Matrix on a quarterly basis, or more frequently if necessary.
The updated Mintz Matrix is available here. The Privacy and Security Matters Blog recapped the main updates, including Tennessee’s amendments to its breach notification requirements, which impose a stricter time frame for notification and remove the safe harbor for encrypted data.
We hope this chart is helpful to you, but we must note that it is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.