District of Columbia Healthcare Breach Notification Law: Requirements, Deadlines, and Reporting Obligations


Kevin Henry

Data Breaches

May 12, 2026

The District of Columbia Healthcare Breach Notification Law sets concrete expectations for how you detect, assess, and report an Unauthorized Disclosure of Personal Health Information. Because most providers and their vendors are also subject to HIPAA, you must coordinate D.C. requirements with federal rules to avoid missed deadlines and incomplete notices.

This guide explains applicability, the definition of a breach in D.C., notification timelines, D.C. Attorney General Reporting, what to include in notices, Business Associate requirements, and the key Exceptions and Safe Harbor Provisions—plus clear, practical takeaways you can use in your response plan.

Applicability of Healthcare Breach Notification Law

Who is covered

The law applies to any person or entity that maintains or processes data about D.C. residents, including hospitals, physician groups, clinics, health plans, pharmacies, telehealth providers, and health technology firms that handle medical or payment data. Out‑of‑district organizations must comply when the incident involves D.C. residents.

HIPAA-covered entities and business associates

Healthcare providers, health plans, and clearinghouses are HIPAA covered entities. Vendors and subcontractors that create, receive, maintain, or transmit PHI are business associates and must meet both HIPAA and D.C. obligations. Your Business Associate Agreements should specify escalation paths, notice content, and timeframes.

How federal and D.C. rules interact

When HIPAA and D.C. law both apply, follow the stricter rule for timing and content. In practice, that means meeting the shortest notification deadline and including all required elements from both frameworks in a single, consistent communication set.

Definition of Breach in D.C.

HIPAA breach (unsecured PHI)

Under HIPAA, a breach is the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule. You must perform a Risk of Harm Assessment (the “low probability of compromise” analysis) considering the data’s sensitivity, who received it, whether it was actually viewed or acquired, and the effectiveness of any mitigation.

D.C. breach of security (personal information)

D.C. law focuses on a “breach of security” involving personal information—including medical information and health insurance information—when an unauthorized person acquires or is reasonably believed to have acquired data that compromises its security, confidentiality, or integrity. Paper and electronic incidents are in scope.

Personal Health Information vs. personal information

Personal Health Information in plain language corresponds to “protected health information” (PHI) under HIPAA. D.C. “personal information” is broader and may reach beyond clinical records to include identifiers coupled with health or insurance data. Map both definitions during triage to avoid under-scoping an incident.

Notification Deadlines for Breaches

Notice to individuals

  • HIPAA: Without unreasonable delay and no later than 60 calendar days after discovery.
  • D.C.: Without unreasonable delay and no later than 45 calendar days after discovery for affected D.C. residents.
  • Apply the shorter deadline. Build your playbooks to the 45‑day standard when both laws apply.

D.C. Attorney General

When a breach affects 50 or more D.C. residents, provide notice to the Office of the Attorney General within the same 45‑day period, contemporaneously with or before individual notifications. Include the details outlined in the reporting section below.

HHS/OCR and media (HIPAA)

  • 500+ individuals in a single state or jurisdiction: Notify HHS and prominent media without unreasonable delay and within 60 days of discovery.
  • Fewer than 500 individuals: Log and report to HHS no later than 60 days after the end of the calendar year in which the breaches occurred.

Consumer reporting agencies

If 1,000 or more individuals are notified, also notify the nationwide consumer reporting agencies without unreasonable delay to support fraud alerts and credit monitoring.

Reporting Obligations to Authorities

D.C. Attorney General Reporting

Your submission should clearly state: the nature of the incident; dates of breach and discovery; the categories of personal information involved (e.g., medical information, health insurance information); the number of affected D.C. residents; your Breach Mitigation Procedures; and contact information. Provide a sample copy of the individual notice you will send.

U.S. Department of Health and Human Services (OCR)

Submit required HIPAA breach reports through the OCR breach system with incident description, the volume of affected individuals, types of PHI involved, mitigation steps, and your designated contact. Align facts and dates with your D.C. Attorney General Reporting to ensure consistency.

Law enforcement delay

Both frameworks permit a reasonable delay if a law enforcement agency states that notice would impede an investigation. Document the request, the official’s contact information, and the duration of the delay you apply.

Content Requirements for Individual Notifications

Your notice must be clear, actionable, and consistent across channels (mail, email, or substitute notice). Include at minimum:

  • A concise description of what happened, including the breach and discovery dates.
  • The types of Personal Health Information and personal information involved (e.g., diagnoses, treatment data, health insurance numbers, claim data).
  • What you are doing: containment, investigation, and Breach Mitigation Procedures (for example, resetting credentials, enhancing access controls, workforce retraining).
  • What individuals should do now, including steps to protect themselves and how to place fraud alerts or security freezes.
  • Whether the data was protected consistent with strong Encryption Standards and, if not, why notice is being provided.
  • How to reach you: a toll‑free number, email, and postal address; include hours of operation.
  • Under HIPAA, information on how to file a complaint and a statement of non‑retaliation.

Business Associate Notification Requirements

Business associates must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovering a breach. Notice should identify each affected individual (if known) and supply the information the covered entity needs to meet its obligations to individuals, HHS, and the D.C. Attorney General.

Business Associate Agreements should set stricter internal timelines (for example, same‑day verbal escalation and written notice within a few days), cooperation duties for forensics, allocation of notification costs, and responsibilities for credit monitoring or identity protection where appropriate.

Exceptions and Safe Harbor Provisions

HIPAA-specific exceptions

  • Unintentional, good‑faith access or use by a workforce member within scope of authority with no further Unauthorized Disclosure.
  • Inadvertent disclosure between two authorized persons within the same organization, with no further improper use or disclosure.
  • Information that the unauthorized recipient could not reasonably retain.
  • No breach where a Risk of Harm Assessment shows a low probability that PHI was compromised.

Encryption and secure destruction safe harbor

Notification is not required when compromised data was rendered unusable, unreadable, or indecipherable consistent with recognized Encryption Standards (for example, strong encryption with keys kept separate) or was securely destroyed. Document your controls and any key‑management safeguards.

Practical takeaways and conclusion

  • Triaging to the 45‑day D.C. standard helps you satisfy both D.C. and HIPAA timelines.
  • Keep a unified factsheet and chronology so all notices (individuals, HHS, D.C. Attorney General Reporting) match.
  • Pre‑approve templates covering required content, Breach Mitigation Procedures, and clear next steps for patients.
  • Harden encryption and key management now to maximize safe harbor protection.
  • Tighten Business Associate Agreements with near‑term internal escalation and full cooperation requirements.

FAQs

What entities are covered by the D.C. healthcare breach notification law?

Hospitals, clinics, health plans, pharmacies, telehealth providers, and related vendors handling data on D.C. residents are in scope. If you are a HIPAA covered entity or business associate, you must comply with HIPAA and D.C. law whenever a breach affects D.C. residents—even if your organization is located outside the District.

What are the deadlines for notifying individuals about a breach?

Under HIPAA, notify individuals without unreasonable delay and no later than 60 calendar days after discovery. D.C. law sets a maximum of 45 calendar days. When both apply, use the shorter deadline and plan operations to hit the 45‑day mark or sooner.

How must breaches be reported to the D.C. Attorney General?

If 50 or more D.C. residents are affected, notify the Office of the Attorney General within 45 days, contemporaneously with or before consumer notices. Include what happened, dates, categories of data involved (such as medical or health insurance information), number of affected residents, your mitigation steps, and a sample copy of the individual notice.

When is notification not required under the law?

Notification is generally not required if the compromised data was protected consistent with strong Encryption Standards and the keys were not accessed, if secure destruction prevents use, or if a HIPAA Risk of Harm Assessment shows a low probability of compromise. Limited HIPAA exceptions also apply to certain good‑faith or inadvertent internal disclosures with no further Unauthorized Disclosure.
