Arkansas Breach Notification Law for Healthcare: Requirements, Deadlines, and Compliance Guide



Kevin Henry

Data Breaches

March 20, 2026

6-minute read

Arkansas Data Breach Notification Requirements

Arkansas’s Personal Information Protection Act (PIPA) sets the baseline duties for any person, business, or state agency—healthcare providers included—that handles Arkansas residents’ data. “Personal information” means a first name or initial plus last name combined with specific elements, including Social Security number, driver’s license/ID number, certain financial data, medical information, or biometric data used for authentication. Encrypted or redacted data generally falls outside this definition. The Act was amended effective July 24, 2019, to expressly include biometric data. ([law.justia.com](https://law.justia.com/codes/arkansas/title-4/subtitle-7/chapter-110/section-4-110-103/))

A “breach of the security of the system” is the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. Good-faith acquisition by an employee or agent for legitimate purposes is not a breach if the information is not otherwise used or disclosed. ([law.justia.com](https://law.justia.com/codes/arkansas/title-4/subtitle-7/chapter-110/section-4-110-103/))

Breach notification timelines require you to notify affected Arkansas residents “in the most expedient time and manner possible and without unreasonable delay,” allowing for law-enforcement delay and time to determine scope and restore system integrity. If you maintain data for another entity (for example, a business associate), you must notify the owner or licensee “immediately following discovery.” ([law.justia.com](https://law.justia.com/codes/arkansas/title-4/subtitle-7/chapter-110/section-4-110-105/))

Arkansas uses a harm-based trigger: if, after a reasonable investigation, you determine there is no reasonable likelihood of harm to customers, notification is not required; document that determination. ([law.justia.com](https://law.justia.com/codes/arkansas/title-4/subtitle-7/chapter-110/section-4-110-105/))

Notification to Affected Individuals

Under Arkansas law, you must notify each resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Do so without unreasonable delay, consistent with law-enforcement needs and remedial measures. This is the core of Arkansas breach notification timelines for healthcare and other sectors. ([law.justia.com](https://law.justia.com/codes/arkansas/title-4/subtitle-7/chapter-110/section-4-110-105/))

  • Timing: Most expedient time possible and without unreasonable delay; notification may be delayed if law enforcement determines it would impede an investigation. ([law.justia.com](https://law.justia.com/codes/arkansas/title-4/subtitle-7/chapter-110/section-4-110-105/))
  • Content: Arkansas does not prescribe specific content elements. If HIPAA applies, include the elements required by 45 C.F.R. § 164.404(c) (brief description of the incident, the types of PHI involved, steps individuals should take, what you are doing, and contact information). ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.404?utm_source=openai))
  • Third-party maintainers: If you maintain data for another entity, notify the owner or licensee immediately following discovery so they can notify affected individuals. ([law.justia.com](https://law.justia.com/codes/arkansas/title-4/subtitle-7/chapter-110/section-4-110-105/))

Notification to Arkansas Attorney General

Arkansas Attorney General notification is required when a breach affects the personal information of more than 1,000 individuals. You must notify the Attorney General at the same time you notify affected individuals or within 45 days after determining there is a reasonable likelihood of harm to consumers, whichever occurs first. ([law.justia.com](https://law.justia.com/codes/arkansas/title-4/subtitle-7/chapter-110/section-4-110-105/))

The Attorney General provides a breach reporting form to streamline submissions; healthcare entities may use this breach reporting form to satisfy the Arkansas Attorney General notification requirement. ([content.govdelivery.com](https://content.govdelivery.com/attachments/ARAG/2019/11/14/file_attachments/1324417/Enforcement%20Advisory%20Medical%20Data%20Breach%20Reporting.pdf))


Methods of Notification

  • Written notice. ([law.justia.com](https://law.justia.com/codes/arkansas/title-4/subtitle-7/chapter-110/section-4-110-105/))
  • Email notice, if consistent with the federal E-SIGN Act (15 U.S.C. § 7001). ([law.justia.com](https://law.justia.com/codes/arkansas/title-4/subtitle-7/chapter-110/section-4-110-105/))
  • Substitute notice, permitted if any one of the following criteria is met:
    • Notice cost would exceed $250,000; or
    • Affected class exceeds 500,000 persons; or
    • Insufficient contact information.
    Substitute notice must include all of the following: email to those with addresses, conspicuous posting on your website, and statewide media notification. ([law.justia.com](https://law.justia.com/codes/arkansas/title-4/subtitle-7/chapter-110/section-4-110-105/))
  • If you maintain your own information security policy with notification procedures that meet PIPA’s timing requirements, following that policy satisfies Arkansas’s notification method requirements. ([law.justia.com](https://law.justia.com/codes/arkansas/title-4/subtitle-7/chapter-110/section-4-110-105/))

Breach Documentation Retention

Keep the written breach determination and supporting documentation for five years from the date you determine a breach occurred. If the Attorney General requests these materials, you must provide them within 30 days; they are confidential and not subject to public disclosure. ([law.justia.com](https://law.justia.com/codes/arkansas/title-4/subtitle-7/chapter-110/section-4-110-105/))

  • What to retain to demonstrate breach investigation standards: your reasonable investigation findings (including the reasonable likelihood of harm analysis), scope and containment steps, notification decisions and timelines, and copies of notices sent. ([law.justia.com](https://law.justia.com/codes/arkansas/title-4/subtitle-7/chapter-110/section-4-110-105/))

Exemptions from Notification

  • Reasonable likelihood of harm: After a reasonable investigation, if you determine there is no reasonable likelihood of harm to customers, notification is not required. Document your analysis. ([law.justia.com](https://law.justia.com/codes/arkansas/title-4/subtitle-7/chapter-110/section-4-110-105/))
  • Good-faith acquisition: Good-faith acquisition of personal information by an employee or agent for legitimate purposes is not a breach if there is no further unauthorized use or disclosure. ([law.justia.com](https://law.justia.com/codes/arkansas/title-4/subtitle-7/chapter-110/section-4-110-103/))
  • Encryption/redaction: Because “personal information” excludes encrypted or redacted data, incidents involving only encrypted or redacted data typically do not trigger notice. ([law.justia.com](https://law.justia.com/codes/arkansas/title-4/subtitle-7/chapter-110/section-4-110-103/))
  • Law-enforcement delay: You may delay notice if a law-enforcement agency determines it would impede a criminal investigation. ([law.justia.com](https://law.justia.com/codes/arkansas/title-4/subtitle-7/chapter-110/section-4-110-105/))

Compliance with HIPAA

Most healthcare entities are HIPAA-covered entities or business associates. HIPAA’s Breach Notification Rule requires notice to affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For breaches involving 500 or more individuals in a state or jurisdiction, you must also notify prominent media outlets; all reportable breaches must be reported to HHS (immediately for 500+, and in aggregate within 60 days after year-end for fewer than 500). ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.404?utm_source=openai))

Investigation standards differ: Arkansas uses a “reasonable likelihood of harm” test, while HIPAA presumes a breach unless a documented risk assessment shows a low probability of compromise (considering at least four factors in 45 C.F.R. § 164.402). In practice, you should perform and retain both analyses and meet whichever deadline is earlier, while also satisfying the Arkansas Attorney General notification if the 1,000-individual threshold is met. ([hhs.gov](https://www.hhs.gov/guidance/sites/default/files/hhs-guidance-documents//RansomwareFactSheet.pdf?utm_source=openai))

Bottom line for healthcare: align your personal information protection program to satisfy both regimes—move quickly to investigate, document your findings, notify individuals promptly, and file parallel reports with HHS and, when applicable, the Arkansas Attorney General. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html?utm_source=openai))

FAQs

What is the deadline for notifying affected individuals under Arkansas law?

Arkansas requires notice “in the most expedient time and manner possible and without unreasonable delay,” allowing for law-enforcement delay and time to determine scope and restore system integrity. There is no fixed day-count for individual notice under state law. ([law.justia.com](https://law.justia.com/codes/arkansas/title-4/subtitle-7/chapter-110/section-4-110-105/))

How does Arkansas law handle notification exemptions in healthcare breaches?

If, after a reasonable investigation, there is no reasonable likelihood of harm to customers, notification is not required; good-faith employee acquisition and encrypted/redacted data also fall outside the notification trigger. Document your determination. (HIPAA may still require notice unless you conclude a low probability of compromise under its risk assessment standard.) ([law.justia.com](https://law.justia.com/codes/arkansas/title-4/subtitle-7/chapter-110/section-4-110-105/))

When must a healthcare entity notify the Arkansas Attorney General?

When a breach affects the personal information of more than 1,000 individuals, you must notify the Attorney General at the same time you notify affected individuals or within 45 days after determining there is a reasonable likelihood of harm to consumers, whichever comes first. ([law.justia.com](https://law.justia.com/codes/arkansas/title-4/subtitle-7/chapter-110/section-4-110-105/))

What are the acceptable methods of breach notification in Arkansas?

Written notice, email notice consistent with the federal E-SIGN Act, or substitute notice. Substitute notice applies if costs exceed $250,000, more than 500,000 people are affected, or contact information is insufficient, and it must include email (where available), conspicuous website posting, and statewide media notice. ([law.justia.com](https://law.justia.com/codes/arkansas/title-4/subtitle-7/chapter-110/section-4-110-105/))
