Michigan Breach Notification Law for Healthcare: Requirements, Deadlines, and Reporting Steps


Kevin Henry

Data Breaches

September 03, 2025

Michigan Data Breach Notification Law Overview

Who is covered and what triggers notice

Michigan’s Identity Theft Protection Act applies to any person or agency that owns or licenses a database containing computerized personal information on multiple individuals. A “security breach” occurs when there is unauthorized access and acquisition of data that compromises the security or confidentiality of that personal information.

Under Michigan law, “personal information” means a resident’s first name or first initial and last name linked to one or more of the following data elements: Social Security number; driver’s license or state ID number; or a financial account, credit, or debit card number in combination with a required security or access code that permits account access. If only protected health information (PHI) is involved, those details are governed by the HIPAA Breach Notification Rule, discussed below.

Notification timeliness and HIPAA coordination

Michigan requires notice “without unreasonable delay.” You may delay only as necessary to determine the scope of the breach and restore the reasonable integrity of your systems, or if law enforcement determines notice would impede an investigation or jeopardize security. If you are a HIPAA-covered entity or business associate and you comply with the HIPAA Breach Notification Rule, that compliance is deemed to satisfy Michigan’s breach notice requirements for the same incident.

Harm threshold

Notification is not required if, after an investigation conducted with the care an ordinarily prudent organization would use, you determine the breach has not and is not likely to cause substantial loss or injury to, or result in identity theft for, any Michigan resident. Document your analysis and the facts supporting a no-harm conclusion.

Notification Methods and Procedures

Permissible delivery methods

  • Written notice mailed to the recipient’s last known postal address.
  • Electronic notice if the individual has expressly consented, you have an existing email-based relationship and reasonably current address, or you conduct business primarily online.
  • Telephone notice by a live representative (no recorded messages). If you lack prior consent for phone notice and a live conversation does not occur within three business days, you must also send written or electronic notice.

Required content in a Michigan notice

  • A general description of the incident.
  • The types of personal information involved.
  • Steps you have taken to protect data from further breaches (if applicable).
  • A telephone number recipients can use for assistance or more information.
  • A reminder to remain vigilant for fraud and identity theft.

Healthcare-specific reporting steps

  1. Secure and contain the incident; preserve evidence for forensics.
  2. Identify the data affected: PHI, Michigan “personal information,” or both.
  3. Perform risk assessments:
    • HIPAA: apply the four-factor analysis to determine whether there is a low probability that PHI has been compromised; if not low, it is a reportable HIPAA breach.
    • Michigan: determine whether the incident is likely to cause substantial loss, injury, or identity theft.
  4. Track deadlines:
    • HIPAA: notify affected individuals (and, when applicable, HHS and the media) without unreasonable delay and no later than 60 calendar days after discovery.
    • Michigan: notify affected residents without unreasonable delay, subject to permissible delays noted above.
  5. Prepare notices that meet both regimes’ content requirements and send by approved methods.
  6. If more than 1,000 Michigan residents are notified, evaluate the consumer reporting agency duty described below.
  7. Maintain records of investigation, determinations, notices sent, and timing.

Substitute Notice Criteria and Options

When you may use substitute notice

You may use substitute notice if either: (1) the cost of direct notice would exceed $250,000, or (2) more than 500,000 Michigan residents must be notified. These are the only statutory triggers.

How to provide substitute notice

  • Send email notice to affected residents for whom you have email addresses.
  • Conspicuously post the notice on your website.
  • Notify major statewide media. Include a phone number or website address people can use for assistance and additional information.

Consumer Reporting Agency Notification Requirements

Who to notify and when

After you send individual notices, if you notify more than 1,000 Michigan residents, you must also notify the nationwide consumer reporting agencies without unreasonable delay. Your communication should state the number of Michigan notices sent and their timing. Entities subject to the Gramm-Leach-Bliley Act (GLBA) are exempt from this subsection.

Delay of Notification Conditions

Permissible reasons to delay

  • Law enforcement determines that notice would impede a criminal or civil investigation or jeopardize national or homeland security. You must send notice once that risk ends.
  • Operational needs to determine the breach’s scope and to restore the reasonable integrity of your systems. As soon as those steps finish, send notice without unreasonable delay.

Practical tips

  • Get any law enforcement delay in writing (or documented) with an expected review date.
  • Run breach response and notice drafting on parallel tracks so you can issue notices promptly when a delay lifts.

Risk of Harm Assessment

Michigan’s standard

Michigan uses a harm threshold: if you determine the breach has not and is not likely to cause substantial loss or injury or identity theft, notice to residents is not required. Base your decision on the care an ordinarily prudent organization would use in similar circumstances, considering the data elements exposed, whether data were actually acquired or viewed, the presence of encryption, the unauthorized party’s intent, and mitigation steps taken.

How this differs from HIPAA

HIPAA’s threshold asks whether there is a low probability that PHI has been compromised, based on four factors (nature/extent of PHI; who received it; whether the information was actually acquired or viewed; and mitigation). A HIPAA reportable breach triggers the 60-day outside deadline, even if Michigan’s harm threshold might otherwise be met.

Civil penalties and enforcement

  • A person that knowingly fails to provide required Michigan breach notices may be ordered to pay a civil fine of up to $250 for each failure, with an aggregate cap of $750,000 per breach event.
  • The Michigan Attorney General or a prosecuting attorney may bring an action to recover civil fines. Issuing fraudulent breach notices is a misdemeanor with separate penalties.

Private right of action

Michigan’s breach notification statute does not create a private right of action for failure to notify. However, the law preserves other civil remedies that may be available under state or federal law (for example, claims under consumer protection or negligence theories depending on the facts).

Healthcare compliance interplay

  • Covered entities and business associates that comply with the HIPAA Breach Notification Rule are deemed compliant with Michigan’s breach notice statute for the same incident.
  • In mixed-data incidents (PHI plus Michigan “personal information”), align your notices so they satisfy HIPAA’s 60-day outside deadline and Michigan’s “without unreasonable delay” standard, and assess whether the consumer reporting agency notice applies.

Conclusion

For healthcare organizations, the safest path is to investigate quickly, apply both HIPAA and Michigan standards, and issue clear, timely notices using approved methods. When large resident counts are involved, prepare for substitute notice and consumer reporting agency communications. Thoughtful risk-of-harm analysis, disciplined documentation, and prompt, transparent notification significantly reduce regulatory and litigation exposure.

FAQs

What are the notification deadlines under Michigan breach notification law?

Michigan requires notice “without unreasonable delay,” allowing limited delay for law enforcement needs or to determine scope and restore system integrity. If HIPAA applies, you must also meet its outside deadline: notify affected individuals (and, when applicable, HHS and the media) without unreasonable delay and no later than 60 calendar days after discovery of a reportable breach.

How must healthcare providers notify affected individuals?

Acceptable Michigan methods are mailed written notice, electronic notice (with consent or qualifying relationships), or live telephone notice subject to specific conditions. The notice should describe the incident and data types involved, state steps taken to protect data, provide a contact number, and remind recipients to stay vigilant. If HIPAA applies, align your communication with HIPAA’s content and delivery requirements while satisfying Michigan’s elements.

When is substitute notice allowed?

Substitute notice is permitted only if direct notice would cost more than $250,000 or more than 500,000 Michigan residents must be notified. It consists of: (1) email notice where addresses are available, (2) a conspicuous website posting, and (3) notice to major statewide media that includes a phone number or website for assistance.

Does Michigan law require notifying consumer reporting agencies?

Yes. After sending individual notices, if you notify more than 1,000 Michigan residents, you must also notify the nationwide consumer reporting agencies without unreasonable delay, stating the number and timing of notices. Entities subject to GLBA are exempt from this particular requirement.
