Hawaii Healthcare Data Breach Notification Law: Requirements, Deadlines, and HIPAA Overlap
Overview of Hawaii Data Breach Notification Law
Hawaii’s breach notification framework lives in Chapter 487N of the Hawaii Revised Statutes and applies to any business or government agency that owns, licenses, maintains, or otherwise handles Hawaii residents’ personal information. While it is not healthcare‑specific, healthcare organizations must comply whenever a breach involves “personal information,” in addition to any obligations tied to personal health information under HIPAA.
At a high level, the law requires prompt notice to affected individuals, prescribes the basic content and delivery of that notice, and—when large numbers of residents are affected—requires outreach to the Hawaii Office of Consumer Protection. It also defines safe harbors tied to encryption and recognizes data security measures as core to breach prevention and response.
Definition of Personal Health Information
HIPAA’s “protected health information” (PHI)
For healthcare entities, “personal health information” generally maps to HIPAA’s protected health information: individually identifiable health data relating to a person’s past, present, or future health status, care, or payment for care. PHI includes identifiers (for example, name, address, medical record number) combined with clinical details like diagnoses, treatment notes, claim data, or billing information.
Hawaii’s “personal information” under Chapter 487N
Separately, Hawaii’s breach law protects “personal information,” defined more narrowly as a resident’s first name or initial and last name in combination with at least one of the following unencrypted data elements: Social Security number; driver’s license or Hawaii ID number; or a financial account number (with any required access code or password). Purely medical details alone are not listed in this state definition.
Why this distinction matters
Because PHI is broader than Hawaii’s personal information, a healthcare incident can trigger HIPAA duties even when Chapter 487N is not technically implicated. Conversely, if a healthcare breach includes Social Security numbers or financial credentials, both HIPAA and the state breach law apply. Build your incident intake to classify data types up front so you can align the correct breach notification timeline and audience.
Notification Requirements and Deadlines
When to notify
Under Chapter 487N, you must notify affected individuals “without unreasonable delay” after discovering a security breach, allowing for brief postponement if law enforcement says notice would impede an investigation, or if you need a short time to determine scope, restore systems, or confirm contact details. If you maintain personal information for another organization (for example, as a business associate or vendor), you must notify the data owner immediately following discovery so they can notify individuals.
What to say
State notices must, at minimum, describe: (1) the incident in general terms; (2) the type of personal information involved; (3) steps you are taking to protect information from further unauthorized access; (4) a phone number for assistance; and (5) advice to remain vigilant by reviewing account statements and monitoring free credit reports.
How to deliver notice
Permitted methods include written letters, compliant email, or direct phone calls. Substitute notice is allowed if individual notice is infeasible—because costs would exceed $100,000, the affected class exceeds 200,000 residents, contact data is insufficient for certain people, or specific individuals cannot be identified. Substitute notice must, for the applicable subset, include email (if on file), clear posting on your website, and statewide media publication.
HIPAA Breach Notification Rule timing
When PHI is involved, HIPAA requires you to notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, unless your documented risk assessment shows a low probability of compromise or another HIPAA exception applies. Treat this 60‑day outside limit as a hard cap in your breach notification timeline planning.
Notification to State Authorities
If your consumer notice goes to more than 1,000 Hawaii residents, you must also, without unreasonable delay, notify the Hawaii Office of Consumer Protection of the timing, distribution, and content of that notice. In the same circumstance, you must notify the nationwide consumer reporting agencies.
For government agencies specifically, Chapter 487N requires a written report to the state legislature within 20 days after discovering a security breach, detailing the nature of the breach, the number of individuals affected, the consumer notice provided, any law‑enforcement delay, and the measures implemented to prevent recurrence.
Penalties for Non-Compliance
Violations of Chapter 487N can lead to civil penalties of up to $2,500 per violation, enforced by the Attorney General or the executive director of the Hawaii Office of Consumer Protection. Remedies are cumulative, meaning they can stack with other state law penalties.
Hawaii also provides a private right of action: injured individuals may sue for actual damages, and courts may award reasonable attorneys’ fees to the prevailing party. This amplifies litigation exposure when breach notices are late, incomplete, or never sent.
HIPAA Compliance and Safe Harbor
Deemed compliance for HIPAA‑regulated entities
Any health plan or healthcare provider that is subject to—and in compliance with—HIPAA’s privacy and security standards is deemed compliant with Hawaii’s individual notice requirement. In practice, if you follow HIPAA’s Breach Notification Rule for PHI, you typically satisfy the state’s consumer notice standard when the incident involves personal information as defined by state law.
Encryption and “unsecured” data
Both frameworks recognize encryption as a key data security measure. Hawaii’s definition of a security breach generally excludes properly encrypted data unless the decryption key was also compromised. Under HIPAA, notification is required only for “unsecured PHI,” so PHI that is encrypted in accordance with HHS guidance usually falls outside the notification duty.
Differences Between Federal and State Breach Notification Rules
- Scope of data: HIPAA covers PHI, which is broad health and payment data tied to an individual. Hawaii’s Chapter 487N focuses on a narrower set of “personal information” data elements (for example, SSN, driver’s license/ID, financial credentials).
- Trigger standard: HIPAA presumes a breach unless a risk assessment shows a low probability of compromise. Hawaii requires unauthorized access and acquisition plus a likelihood of illegal use creating a risk of harm.
- Deadlines: HIPAA imposes a firm maximum of 60 days after discovery; Hawaii requires notice “without unreasonable delay” and permits brief law‑enforcement delays.
- Who else to notify: HIPAA requires notice to HHS (and, for 500+ affected in a state or jurisdiction, to prominent media); Hawaii requires notice to the Hawaii Office of Consumer Protection and nationwide consumer reporting agencies when 1,000+ residents receive consumer notices.
- Enforcement: HIPAA is enforced by HHS OCR and does not provide a private right of action. Hawaii authorizes civil penalties, enforcement by state authorities, and a private right of action for actual damages.
Conclusion
For healthcare organizations in Hawaii, synchronize HIPAA and Chapter 487N: classify data early, run a timely risk assessment, and execute notices that meet both the state content rules and HIPAA’s 60‑day outer limit. Build strong data security measures—especially encryption—to reduce risk, and be ready to notify the Hawaii Office of Consumer Protection and consumer reporting agencies when your outreach exceeds 1,000 residents.
FAQs
What personal information is protected under Hawaii's breach notification law?
Hawaii protects a resident’s first name or initial and last name when combined with an unencrypted Social Security number; driver’s license or Hawaii ID number; or a financial account number with any required access code or password. Medical details alone are not listed in this state definition, though they are PHI under HIPAA.
How soon must healthcare entities notify individuals after a breach?
Under Hawaii law, notify affected individuals without unreasonable delay after discovery, allowing short, documented delays for law enforcement or scoping/restoration. Under HIPAA’s Breach Notification Rule, you must notify without unreasonable delay and in no case later than 60 calendar days after discovery of a PHI breach.
How does HIPAA affect Hawaii's notification requirements?
Healthcare entities that are subject to and compliant with HIPAA’s privacy and security standards are deemed compliant with Hawaii’s individual notice requirement. Still, when 1,000+ Hawaii residents are notified, you must also notify the Hawaii Office of Consumer Protection and the nationwide consumer reporting agencies under state law.
What penalties exist for failing to comply with Hawaii's breach notification law?
Businesses face civil penalties of up to $2,500 per violation, and injured individuals may bring a private right of action to recover actual damages (with potential attorneys’ fees). These remedies are cumulative with other available state penalties or claims.