Illinois Healthcare Breach Notification Law: HIPAA and PIPA Requirements Explained



Kevin Henry

Data Breaches

December 06, 2025


HIPAA Breach Notification Rule

Under HIPAA’s Breach Notification Rule, you must notify affected individuals following a breach of unsecured protected health information. The rule applies to covered entities—healthcare providers, health plans, and clearinghouses—and to business associates that create, receive, maintain, or transmit PHI on their behalf.

Notifications must be provided without unreasonable delay and no later than 60 calendar days after discovery. You must notify: (1) each affected individual; (2) the U.S. Department of Health and Human Services (HHS) Office for Civil Rights; and, when a breach affects more than 500 residents of a state or jurisdiction, (3) prominent media outlets in that area.

  • Individual notice content: a concise description of what happened, the types of PHI involved, steps individuals should take, what you are doing to investigate and mitigate harm, and your contact information.
  • Business associate duty: notify the covered entity without unreasonable delay (no later than 60 days) and share the information needed for the covered entity’s notices.
  • HHS reporting: for fewer than 500 individuals, submit the annual log within 60 days after the end of the calendar year; for 500 or more, report to HHS within 60 days of discovery.

Definition of Breach under HIPAA

HIPAA defines a breach as the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. A breach is presumed unless you demonstrate a low probability of compromise after a documented risk assessment.

Required risk assessment factors

  • Nature and extent of the PHI involved, including types of identifiers and the risk of re-identification.
  • The unauthorized person who used the PHI or to whom the disclosure was made.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk to the PHI has been mitigated.

Key exceptions

  • Unintentional, good-faith access or use by a workforce member within scope of authority, with no further impermissible disclosure.
  • Inadvertent disclosure between two authorized persons at the same covered entity or business associate, with no further impermissible disclosure.
  • Unauthorized recipient could not reasonably have retained the information.
  • PHI that is properly secured (for example, by strong encryption or destruction) is not “unsecured protected health information,” so breach notification is not required.

Illinois Personal Information Protection Act (PIPA)

Illinois PIPA governs breach notification duties for data collectors—public and private entities that handle Illinois residents’ personal information. For healthcare organizations, PIPA complements HIPAA by covering personal information that may fall outside HIPAA’s PHI, such as certain account or identity data.

Personal information under PIPA generally includes a resident’s name with specified data elements, as well as medical information and health insurance information. Because healthcare entities often hold both PHI and non-PHI personal information, you must evaluate incidents under HIPAA and PIPA in parallel.

PIPA recognizes that covered entities and business associates subject to HIPAA may satisfy certain PIPA obligations by complying with HIPAA’s breach notification standards for PHI; however, additional state-specific duties—such as notification to the Illinois Attorney General when large numbers of residents are affected—can still apply.

PIPA Notification Requirements

If a breach of security compromises Illinois residents’ personal information, you must notify affected residents in the most expedient time possible and without unreasonable delay, and in no event later than 45 days after discovery or determination of the breach. Notice should be clear, concise, and tailored to the incident.

  • Recipients: Illinois residents whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
  • Content: description of the incident and date range, types of personal information involved, protective steps individuals should take, measures your organization has taken, and how individuals can reach you.
  • Attorney General: when the breach requires notifying more than a specified threshold of Illinois residents (commonly more than 500), you must also provide notification to the Illinois Attorney General, including key incident facts and the number of affected residents.

PIPA Exemptions and Substitute Notice

PIPA provides exemptions that can reduce or remove notification duties in particular circumstances. You should document applicability carefully to support your decision-making and breach notification timelines.

  • Encrypted or redacted data: if personal information was rendered unusable (for example, via strong encryption) and the encryption keys were not compromised, notification is generally not required.
  • Good-faith acquisition: access by an employee or agent for legitimate purposes within scope of work, without further unauthorized disclosure, may be exempt.
  • HIPAA compliance: for incidents involving PHI, a covered entity or business associate that complies with HIPAA’s Breach Notification Rule is typically deemed compliant with overlapping PIPA requirements, but you may still owe notification to the Illinois Attorney General.

If direct individual notice is impracticable, PIPA permits substitute notice provisions. Substitute notice typically involves a combination of email notice (when available), conspicuous posting on your website, and notification to major statewide media when notification costs would be prohibitive, the affected class is very large, or you lack sufficient contact information.

Compliance Obligations for Healthcare Entities

Healthcare organizations operating in Illinois must build incident-response programs that simultaneously satisfy HIPAA and PIPA. Doing so ensures you meet both federal and state breach notification timelines and content requirements.

  • Map data and vendors: inventory systems holding PHI and personal information; confirm which vendors are business associates or other data collectors; ensure contracts address breach reporting duties.
  • Assess “unsecured” status: determine whether compromised PHI was encrypted or otherwise secured; this drives HIPAA applicability and scope.
  • Run a documented risk assessment: apply HIPAA’s four factors; evaluate PIPA exposure for non-PHI elements (e.g., account, identity, medical or insurance data).
  • Prepare notices and channels: draft HIPAA-compliant individual notices; plan for media, HHS OCR, and notification to the Illinois Attorney General when thresholds are met; verify substitute notice options.
  • Train and test: conduct workforce training and tabletop exercises so teams can execute within the required breach notification timelines.
  • Maintain records: retain investigation files, notices, and timing evidence to demonstrate compliance.

Breach Notification Procedures and Timelines

Use a single, integrated playbook that honors the shortest applicable deadline. For most Illinois healthcare incidents, that means aligning actions to PIPA’s 45-day outside limit while also meeting HIPAA’s 60-day requirements and federal reporting nuances.

  • Immediate containment (Day 0–1): secure systems, stop further data loss, preserve logs and evidence, and engage privacy, security, and legal teams.
  • Investigation and risk assessment (Days 1–10): determine if PHI or personal information is involved, whether it was “unsecured,” who is affected, and whether an exception applies.
  • Decision and drafting (Days 10–25): finalize breach determination; prepare clear, plain-language notices that meet HIPAA content requirements and PIPA specifics.
  • Send individual notices (no later than Day 45): deliver to Illinois residents under PIPA and to all affected individuals under HIPAA; use substitute notice provisions if direct notice is impracticable.
  • Regulatory notifications: report to HHS OCR—within 60 days of discovery for breaches affecting 500+ individuals, or on the annual log for fewer than 500—and provide notification to the Illinois Attorney General when the state threshold is met.
  • Media notification: if a breach affects more than 500 residents of a single state or jurisdiction, issue media notice contemporaneously with individual notices.
  • Post-incident actions: offer remediation (e.g., credit monitoring when appropriate), close gaps, and update policies, training, and vendor controls.

Conclusion

To comply with Illinois law and HIPAA, evaluate every incident under both regimes, follow the shortest applicable deadline, and deliver complete, comprehensible notices. Build repeatable processes that cover individuals, regulators, media when required, and notification to the Illinois Attorney General for larger Illinois impacts.

FAQs

What entities are subject to Illinois breach notification law?

PIPA applies to data collectors that handle Illinois residents’ personal information, including private organizations and public agencies. Healthcare providers, health plans, and their vendors are also subject to HIPAA when PHI is involved; many incidents require analyzing both laws together.

How does HIPAA define a breach?

A breach is any acquisition, access, use, or disclosure of PHI not permitted by the Privacy Rule that compromises the security or privacy of the PHI, unless you can show a low probability of compromise after considering HIPAA’s four risk assessment factors or an explicit exception applies.

When must PIPA notifications be made?

You must notify affected Illinois residents in the most expedient time possible and without unreasonable delay, and no later than 45 days after discovery or determination of the breach. When notice is required for a large number of Illinois residents, provide notification to the Illinois Attorney General as well.

What are the exemptions under PIPA for healthcare providers?

PIPA generally exempts encrypted or properly redacted data, good-faith employee access without further disclosure, and certain incidents where a HIPAA-covered entity or business associate fully complies with HIPAA’s Breach Notification Rule for PHI. However, state-specific duties—such as notification to the Illinois Attorney General for larger breaches—may still apply.
