Indiana Healthcare Breach Notification Law: Requirements, Deadlines, and Who You Must Notify

Kevin Henry

Data Breaches

April 08, 2026

Breach Notification Timelines

Indiana requires security breach notification “without unreasonable delay” and no later than 45 days after discovery of a breach. Discovery occurs when you discover—or are notified of—a breach. This 45-day breach discovery deadline applies to all required notices under the statute, and limited delays are allowed only as described below. ([law.justia.com](https://law.justia.com/codes/indiana/title-24/article-4-9/chapter-3/section-24-4-9-3-3/))

For healthcare entities subject to HIPAA, you also must meet HIPAA’s timeline: notify affected individuals without unreasonable delay and in no case later than 60 days after discovery, and report to HHS as required. In practice, meet the shortest applicable deadline (often Indiana’s 45-day clock). ([govregs.com](https://www.govregs.com/regulations/title45_chapterA-i1_part164_subpartD_section164.404?utm_source=openai))

Definition of Personal Information

Under Indiana law, “personal information” means either a Social Security number (if not encrypted or redacted) or a name (first and last, or first initial and last) plus one or more of these unencrypted/unredacted data elements: driver’s license number, state ID card number, credit card number, or a financial/debit account number with a security code, password, or access code permitting account access. The law also includes certain data collected by adult‑oriented website operators under IC 24‑4‑23. Information lawfully available from public records is excluded. ([law.justia.com](https://law.justia.com/codes/indiana/title-24/article-4-9/chapter-2/section-24-4-9-2-10/))

Notice obligations are triggered if unencrypted data are acquired by an unauthorized person—or if encrypted data are acquired by an unauthorized person together with access to the encryption key (i.e., an encryption key compromise). Indiana also uses a harm threshold: you must notify if the unauthorized acquisition has resulted in or could result in identity deception, identity theft, or fraud. ([law.justia.com](https://law.justia.com/codes/indiana/title-24/article-4-9/chapter-3/section-24-4-9-3-1/))

Notification Procedures

How to notify affected individuals

  • Any one of these methods: mail, telephone, fax, or email (if you have the person’s email address). ([statecodesfiles.justia.com](https://statecodesfiles.justia.com/indiana/2013/title-24/article-4.9/chapter-3/chapter-3.pdf))
  • Substitute notice is allowed if notifying more than 500,000 Indiana residents or if direct notice would cost over $250,000. In that case, you must conspicuously post the notice on your website (if you maintain one) and notify major news media in the geographic areas where affected residents live. ([statecodesfiles.justia.com](https://statecodesfiles.justia.com/indiana/2013/title-24/article-4.9/chapter-3/chapter-3.pdf))

To make your security breach notification clear and useful, describe what happened, what personal information may have been involved, what you’re doing to mitigate harm, and how individuals can protect themselves (e.g., credit monitoring, fraud alerts). Align any HIPAA-required content with state notices to avoid conflicting messages. ([govregs.com](https://www.govregs.com/regulations/title45_chapterA-i1_part164_subpartD_section164.404?utm_source=openai))

Exceptions and Delays

  • Law enforcement delay requests: You may delay if the Attorney General or a law enforcement agency requests delay because notice would impede a criminal or civil investigation or jeopardize national security. Once the reason for delay ends, notify as soon as possible and within the remaining time. ([law.justia.com](https://law.justia.com/codes/indiana/title-24/article-4-9/chapter-3/section-24-4-9-3-3/))
  • Encryption safe harbor: If compromised data are encrypted or redacted and the encryption key was not compromised, notice is generally not required. If the key was accessed, treat it as a notifiable event. ([law.justia.com](https://law.justia.com/codes/indiana/title-24/article-4-9/chapter-2/section-24-4-9-2-10/))
  • Risk‑of‑harm threshold: Indiana’s duty to notify applies only if the breach has resulted in or could result in identity deception, identity theft, or fraud affecting the resident. Document your risk analysis. ([law.justia.com](https://law.justia.com/codes/indiana/title-24/article-4-9/chapter-3/section-24-4-9-3-1/))

HIPAA overlay for healthcare entities

HIPAA’s breach rule still applies to breaches of unsecured protected health information (PHI): individual notice within 60 days of discovery, media notice for 500+ residents in a state or jurisdiction, and HHS reporting (immediately for 500+; annually within 60 days after year‑end for fewer than 500). Coordinate HIPAA and Indiana notices and meet the earlier deadline. ([govregs.com](https://www.govregs.com/regulations/title45_chapterA-i1_part164_subpartD_section164.404?utm_source=openai))

Reporting to Attorney General

If you notify one or more Indiana residents, you must also notify the Indiana Attorney General. The same 45‑day timeline applies. The AG provides a Data Breach Notification Form (online or printable) that requests incident dates, notification method, law‑enforcement involvement, and other breach details. ([law.justia.com](https://law.justia.com/codes/indiana/title-24/article-4-9/chapter-3/section-24-4-9-3-1/))

Penalties for Non-Compliance

Failure to comply with Indiana’s breach notification requirements is a deceptive act actionable only by the Attorney General. Remedies include injunctions, recovery of investigative and litigation costs, and civil penalties—up to $150,000 per deceptive act. These are civil penalties under Indiana law and can add up quickly for persistent non‑compliance. ([law.justia.com](https://law.justia.com/codes/indiana/title-24/article-4-9/chapter-4/section-24-4-9-4-1/))

Consumer Reporting Agency Notifications

If you must notify more than 1,000 Indiana residents, you must also provide information necessary to assist each nationwide consumer reporting agency in preventing fraud. Provide this CRA notice within the same 45‑day window tied to breach discovery. ([law.justia.com](https://law.justia.com/codes/indiana/title-24/article-4-9/chapter-3/section-24-4-9-3-1/))

Summary and next steps

  • Start your clock at discovery; plan to notify within 45 days (Indiana) and within 60 days for HIPAA—whichever is sooner.
  • Confirm whether personal information was unencrypted or if there was an encryption key compromise.
  • Prepare individual, Attorney General, and consumer reporting agency notifications as required; document any law enforcement delay requests.

FAQs

What qualifies as personal information under Indiana law?

Personal information includes either an unencrypted/unredacted Social Security number or a name plus one or more unencrypted/unredacted elements: driver’s license number, state ID number, credit card number, or a financial/debit account number with a code or password granting access. Indiana also includes certain data collected by adult‑oriented website operators under IC 24‑4‑23; public‑record data are excluded. ([law.justia.com](https://law.justia.com/codes/indiana/title-24/article-4-9/chapter-2/section-24-4-9-2-10/))

When must healthcare entities notify affected individuals?

Indiana requires notice without unreasonable delay and no later than 45 days after discovering the breach. HIPAA requires notice without unreasonable delay and in no case later than 60 days after discovery. Healthcare entities should align their processes to meet the earlier 45‑day Indiana deadline while also satisfying HIPAA content and reporting requirements. ([law.justia.com](https://law.justia.com/codes/indiana/title-24/article-4-9/chapter-3/section-24-4-9-3-3/))

How is the 45-day deadline calculated?

The 45 days run from the date you discover—or are notified of—the breach. Limited, documented law enforcement delay requests or time needed to restore system integrity or determine breach scope can justify brief postponement; once those reasons end, you must notify as soon as possible within the statutory limit. ([law.justia.com](https://law.justia.com/codes/indiana/title-24/article-4-9/chapter-3/section-24-4-9-3-3/))

What are the penalties for failing to notify?

Non‑compliance is a deceptive act enforceable by the Indiana Attorney General, who may seek injunctions, investigative and litigation costs, and civil penalties up to $150,000 per deceptive act. ([law.justia.com](https://law.justia.com/codes/indiana/title-24/article-4-9/chapter-4/section-24-4-9-4-1/))
