Arizona Healthcare Breach Notification Law: Provider Requirements and Deadlines


Kevin Henry

Data Breaches

December 30, 2025

Arizona’s breach notification statute sets concrete duties and timelines for organizations handling patient-related data. This guide translates the rules into clear provider actions, highlights the breach notification deadline, and explains how state enforcement authority works alongside HIPAA.

Definition of Data Breach

Under Arizona law, a “breach” is the unauthorized acquisition and unauthorized access to unencrypted and unredacted computerized personal information that materially compromises its security or confidentiality. The term is distinct from a routine “security incident” and focuses on risks created by exposure of computerized personal information. ([azleg.gov](https://www.azleg.gov/ars/18/00551.htm))

When you become aware of a possible incident, you must investigate to determine whether a breach occurred; notification is not required if you, law enforcement, or an independent forensic auditor determine that the event has not resulted in, and is not reasonably likely to result in, substantial economic loss to affected individuals. ([azag.gov](https://www.azag.gov/consumer/data-breach/faq))

Covered Personal Information

Arizona protects “personal information” when paired with a name or when it consists of online credentials. For healthcare providers, the most relevant specified data elements include:

  • Information about an individual’s medical or mental health treatment or diagnosis by a healthcare professional.
  • Health insurance identification number.
  • Financial account or payment card numbers with required access codes.
  • Social Security number; driver’s license or state ID number; passport number; taxpayer ID; private cryptographic key.
  • Biometric authentication data used to verify identity for an online account (for example, a fingerprint- or facial-recognition key stored for login). ([azleg.gov](https://www.azleg.gov/ars/18/00551.htm))

If you are a HIPAA-covered entity or business associate and you comply with HIPAA’s breach procedures, Arizona’s breach statute does not apply to that PHI event; the state law expressly recognizes this federal framework. ([azag.gov](https://www.azag.gov/consumer/data-breach/faq))

Notification Requirements

Act promptly once you determine a breach: you must notify affected individuals within 45 days after that determination, which is the Arizona breach notification deadline. The notice must include the approximate date of the breach, a brief description of the personal information involved, and contact information for the three largest consumer reporting agencies and for the FTC. You may notify by written letter, email (if you have addresses), or direct phone calls. Law enforcement may delay notice; once cleared, you must send notices within 45 days. ([azleg.gov](https://www.azleg.gov/ars/18/00552.htm))

HIPAA-covered providers should continue to follow HIPAA’s breach rules for unsecured PHI; complying with HIPAA satisfies Arizona’s statute for those entities. ([azag.gov](https://www.azag.gov/consumer/data-breach/faq))

Substitute Notification Methods

If individual notice is impracticable, Arizona allows substitute notice when one of these thresholds is met: the cost of notice exceeds $50,000; more than 100,000 individuals must be notified; or you lack sufficient contact information. Substitute notice consists of both a written letter to the Arizona Attorney General explaining the facts that justify substitute notice and a conspicuous posting on your website for at least 45 days (if you maintain one). ([azleg.gov](https://www.azleg.gov/ars/18/00552.htm))

Notification to Consumer Reporting Agencies

For breaches requiring notification of more than 1,000 Arizona residents, you must provide consumer reporting agency notification to the three largest nationwide consumer reporting agencies and also notify the Arizona Attorney General (and the Director of the Arizona Department of Homeland Security). ([azag.gov](https://www.azag.gov/consumer/data-breach/faq))

Civil Penalties

A knowing or willful violation is an unlawful practice under Arizona’s Consumer Fraud Act. The Attorney General may seek civil penalties up to the lesser of $10,000 per affected individual or the total economic loss sustained by affected individuals, capped at $500,000 per breach or series of related breaches, in addition to restitution. These are the core civil penalties for a breach under state law. ([azleg.gov](https://www.azleg.gov/ars/18/00552.htm))

Enforcement by Arizona Attorney General

Only the Arizona Attorney General has state enforcement authority for breach notification violations; there is no private right of action under the statute. For large breaches (over 1,000 individuals), the AG must also be notified as described above. ([azag.gov](https://www.azag.gov/consumer/data-breach/faq))

Conclusion

For Arizona healthcare organizations, the playbook is straightforward: investigate any suspected unauthorized acquisition of computerized personal information, determine if a breach occurred, meet the 45‑day breach notification deadline (or follow HIPAA, if applicable), use substitute methods only when thresholds are met, notify consumer reporting agencies and state authorities when required, and be mindful of the statute’s civil penalties and enforcement structure.

FAQs

What is considered a data breach under Arizona healthcare law?

A breach is the unauthorized acquisition and access to unencrypted and unredacted computerized personal information that materially compromises its security or confidentiality. In healthcare, that can include medical or mental health information, health insurance IDs, and certain biometric authentication data when tied to an individual’s identity.

When must affected individuals be notified of a healthcare data breach?

Under Arizona’s statute, you must notify affected individuals within 45 days after determining a breach occurred, subject to any temporary delay requested by law enforcement. HIPAA-covered providers should follow HIPAA’s breach procedures; doing so satisfies state requirements for those entities.

What are the thresholds for substitute notification methods?

You may use substitute notice when one of these applies: the cost of individual notice exceeds $50,000; more than 100,000 individuals require notice; or you lack sufficient contact information. Substitute notice requires a written letter to the Arizona Attorney General explaining the justification and a conspicuous website posting for at least 45 days (if you have a site).

What penalties apply for violating breach notification requirements?

Violations can trigger enforcement by the Arizona Attorney General, including civil penalties up to the lesser of $10,000 per affected individual or total economic loss, with an overall cap of $500,000 per breach or series of related breaches, plus restitution to affected individuals.
