As reported on the Privacy and Security Matters blog last week, the Mintz Levin privacy team recently updated the “Mintz Matrix,” a summary of the U.S. state data breach notification laws that we update on a quarterly basis, or more frequently as needed. In addition to HIPAA, health care organizations must remain aware of the separate state notification obligations and other privacy and security laws when responding to data breaches. The Mintz Matrix is available here.
This update includes amendments to five state laws that went into effect in 2016: California, Nebraska, Oregon, Rhode Island, and Tennessee. In addition, it details an amendment to Illinois’s Personal Information Protection Act that went into effect on January 1, 2017, and significantly broadened the protections for personal information and the requirements for organizations that handle such information. Currently, 47 states plus the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have state-specific data breach notification laws on the books.
We have to include the disclaimer that this chart is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents.