Delaware HIPAA Compliance: State-Specific Requirements You Need to Know
Overview of Delaware Personal Data Privacy Act
Delaware’s Personal Data Privacy Act (DPDPA) took effect on January 1, 2025, creating state-level privacy duties that operate alongside HIPAA. For HIPAA-regulated organizations, protected health information (PHI) is exempt from the DPDPA, but the Act can still apply to non-PHI data such as marketing, website analytics, or patient portal usage data. The law generally applies to businesses that processed data of at least 35,000 consumers in the prior year (excluding data processed solely for payment transactions) or 10,000 consumers if more than 20% of gross revenue came from selling personal data. ([news.delaware.gov](https://news.delaware.gov/2025/01/28/ag-jennings-issues-data-privacy-tips-to-protect-delawareans/))
Key consumer rights under Delaware law include access, correction, deletion, portability, a list of the categories of third parties receiving data, and the right to opt out of targeted advertising, sale of personal data, and certain automated profiling. If you’re a HIPAA covered entity or business associate, ensure your HIPAA program coexists with these state-level consumer data access rights for any non-PHI your organization handles. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012d/index.html))
Data Security Measures in Delaware
Delaware’s DPDPA requires “reasonable administrative, technical, and physical” data security safeguards appropriate to the volume and nature of the personal data processed. This dovetails with HIPAA’s Security Rule and pushes organizations to align state and federal controls across access management, encryption, logging, and incident response. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012d/index.html))
Separately, Delaware’s data breach law mandates notification to affected residents without unreasonable delay and no later than 60 days after determining a breach. If more than 500 Delaware residents are affected, you must also notify the Attorney General; where Social Security numbers are involved, provide at least one year of credit monitoring. HIPAA-regulated entities that follow their federal breach procedures are deemed compliant with Delaware’s breach notice timing. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012b/index.html))
Consumer Rights Under Delaware Law
Consumers can request to confirm processing, access their data, correct inaccuracies, delete information, and receive their data in a portable format. Controllers must respond within 45 days (with a possible 45-day extension) and provide an appeal mechanism, including a way to contact the Delaware Department of Justice if an appeal is denied. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012d/index.html))
Consumers may also opt out of targeted advertising, sale of personal data, and solely automated decisions that produce legal or similarly significant effects. Authorized agents, including universal opt-out mechanisms, can exercise these opt-outs on a consumer’s behalf. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012d/index.html))
Consent and Sensitive Data Handling
Delaware defines “sensitive data” to include information about racial or ethnic origin, religious beliefs, health conditions (including pregnancy), sexual orientation or status, citizenship or immigration status, genetic or biometric data, precise geolocation, and personal data of a known child. Processing sensitive data requires the consumer’s prior consent, and for a known child the consent must be obtained from a parent in accordance with COPPA. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012d/index.html))
For teens ages 13 to 17, Delaware uniquely requires opt-in consent before selling their personal data or using it for targeted advertising. Controllers must also provide an easy way to revoke consent and stop processing within 15 days of the revocation. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012d/index.html))
Disclosure and Transparency Requirements
Controllers must publish a clear privacy notice that lists the categories of personal data processed, the purposes for processing, how to exercise rights (and appeal a denial), the categories of personal data shared, the categories of third parties receiving it, and a working email address or online contact method. The notice must also disclose any sale of personal data or targeted advertising and explain how to opt out. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012d/index.html))
Delaware also requires an opt-out link on your website and, by January 1, 2026, recognition of universal opt-out preference signals for targeted advertising and sales—an important design and engineering requirement for consent management tools. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012d/index.html))
Enforcement and Compliance Procedures
Enforcement rests exclusively with the Delaware Department of Justice; there is no private right of action. During calendar year 2025 the DOJ was required to grant a 60-day cure period before bringing an action; beginning January 1, 2026, offering a cure period is discretionary, based on factors such as the number of violations and the risk of public harm. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012d/index.html))
Violations of the DPDPA are deemed unlawful practices under Delaware’s Consumer Fraud Act. For willful violations, courts may impose civil penalties of up to $10,000 per violation in actions brought by the Attorney General. Aligning your HIPAA program with Delaware’s requirements helps reduce exposure to these penalties. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012d/index.html))
Best Practices for Delaware Businesses
Map your data to distinguish HIPAA PHI from other personal data subject to Delaware’s DPDPA. Apply data minimization by limiting collection to what’s adequate, relevant, and reasonably necessary for the disclosed purposes, and avoid processing for incompatible purposes without consent. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012d/index.html))
Strengthen data security safeguards with risk-based controls spanning access governance, encryption, patching, vendor oversight, and incident response. Update breach playbooks to meet Delaware’s 60-day outside limit, the AG notification threshold (500+ residents), and the credit monitoring obligation for SSN exposures. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012b/index.html))
Operationalize consumer requests by establishing authenticated workflows for access, correction, deletion, and portability; train teams on response deadlines and appeals. Build consent and opt-out experiences, including a visible website link and support for universal opt-out signals by January 1, 2026. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012d/index.html))
If you engage in high-risk processing and control or process data of 100,000+ consumers, conduct and document Data Protection Assessments; the assessment requirement applies to processing created on or after July 1, 2025. Keep records to demonstrate compliance if the DOJ requests them. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012d/index.html))
Bottom line: treat HIPAA as your baseline for PHI and layer Delaware’s privacy duties on top for any non-PHI you handle—especially transparency, consent for sensitive data and teens, consumer rights response, and breach readiness specific to Delaware. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012d/index.html))
FAQs
What are the key data security requirements under Delaware law?
Controllers must implement reasonable administrative, technical, and physical safeguards appropriate to the volume and nature of the personal data. Separately, Delaware’s breach law requires resident notice without unreasonable delay and no later than 60 days after determining a breach, AG notice if 500+ residents are affected, and one year of credit monitoring if SSNs are involved. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012d/index.html))
How does Delaware law define sensitive data?
“Sensitive data” includes data revealing racial or ethnic origin, religious beliefs, health conditions (including pregnancy), sexual orientation or status, citizenship or immigration status, genetic or biometric data, precise geolocation, and personal data of a known child. Processing sensitive data requires prior consent (or parental consent for a known child). ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012d/index.html))
What are consumers' rights to opt out of data sales in Delaware?
Consumers can opt out of the sale of personal data, targeted advertising, and certain automated profiling. Controllers must provide an easy opt-out (including a website link) and, by January 1, 2026, honor universal opt-out preference signals sent through supported technologies. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012d/index.html))
How must businesses disclose their data collection practices in Delaware?
Publish a clear privacy notice detailing categories of personal data processed, purposes, how to exercise rights and appeal, categories of data shared, categories of third parties, and a contact method. If you sell data or use it for targeted advertising, clearly disclose that and explain how consumers can opt out. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012d/index.html))