Minnesota Healthcare Breach Notification Law: What Providers Must Do After a Data Breach

Kevin Henry

Data Breaches

November 11, 2025

Definition of Personal Information

Under Minn. Stat. § 325E.61, “personal information” means a resident’s first name or first initial and last name combined with any one of the following data elements, when either the name or the element is unencrypted (or the data is encrypted but the key or password was also acquired): (1) a Social Security number; (2) a driver’s license number or Minnesota identification card number; or (3) a financial account number or credit or debit card number together with any security code, access code, or password needed to access the account. Data lawfully made available to the public from federal, state, or local government records is excluded. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325E.61))

Medical details alone (for example, diagnoses or treatment notes) are not “personal information” under this state statute, though they may be protected health information (PHI) under HIPAA, which carries its own breach rules providers must follow. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325E.61))

Notification Requirement for Breaches

Breach Notification Timeline

If you own or license data that includes personal information, you must notify any affected Minnesota resident “in the most expedient time possible and without unreasonable delay.” You may take time needed to determine the breach’s scope, identify affected individuals, and restore system integrity. If you only maintain (but do not own) the data, you must notify the owner “immediately following discovery.” ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325E.61))

For healthcare providers handling PHI, HIPAA’s Breach Notification Rule (45 CFR §§ 164.400–414) also applies: notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery. HIPAA additionally requires notice to HHS (within 60 days of discovery for breaches affecting 500 or more individuals; otherwise in an annual log within 60 days after the end of the calendar year) and notice to prominent media outlets when more than 500 residents of a state or jurisdiction are affected. Coordinate notices so you meet both the state timeline and HIPAA’s outside limit. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html))

Approved Notification Methods

You may use the following methods to reach affected individuals:

  • Written notice sent to the most recent address on file.
  • Electronic notice if electronic means are your primary method of communicating with the individual, or if the notice is consistent with the federal E‑SIGN Act (15 U.S.C. § 7001).

Substitute Notice Criteria

When direct notice is impracticable—because providing notice would cost over $250,000, the affected group exceeds 500,000 people, or contact information is insufficient—you may use substitute notice. It must include all of the following: (1) email notice where addresses exist, (2) a conspicuous website posting, and (3) notification to major statewide media. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325E.61))

Conditions for Delayed Notification

Law Enforcement Delay

You may delay notice to a date certain if a law enforcement agency affirmatively determines that notice would impede a criminal investigation. Outside of a documented law enforcement delay, the only permissible delay is the time reasonably needed to scope the incident, identify affected individuals, and restore system integrity. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325E.61))

Consumer Reporting Agency Notification

Consumer Reporting Agency Alert

If a single event requires notifying more than 500 people at one time, you must also notify, within 48 hours of discovering that notification is required, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. Your alert must describe the timing, distribution, and content of your individual notices; it is a separate obligation from, and typically runs faster than, the individual notices themselves. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325E.61))

Exemptions Under Federal Laws

Financial institutions subject to the Gramm‑Leach‑Bliley Act (as defined in 15 U.S.C. § 6809(3)) are expressly exempt from Minnesota’s breach notification statute. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325E.61))

HIPAA

Minnesota’s statute does not expressly exempt HIPAA‑regulated entities, and it contains no safe harbor for entities that comply with HIPAA’s Breach Notification Rule. If PHI is involved, you must follow HIPAA’s breach notification requirements; if the same incident also exposes state‑defined personal information (for example, SSNs within a medical billing file), you must satisfy both regimes. A covered entity or business associate that maintains its own notification procedures as part of an information security policy, and that notifies affected individuals under those procedures, is deemed to comply with the state statute’s notice‑method requirements, provided the procedures are consistent with the statute’s timing standard. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html))

Penalties for Non-Compliance

Civil Penalties for Breach

The Minnesota Attorney General enforces the statute under Minn. Stat. § 8.31 and may seek injunctive relief and civil penalties of up to $25,000 per violation. Any contractual waiver of these obligations is contrary to public policy and is void and unenforceable. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325E.61))

FAQs

What constitutes personal information under Minnesota law?

It’s a resident’s first name or initial and last name combined with one of three elements: SSN; driver’s license or Minnesota ID number; or a financial account/credit/debit card number plus the security or access code needed to access the account. Encrypted data is excluded unless the key/password was also taken. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325E.61))

When must providers notify patients after a data breach?

Minnesota requires notice in the most expedient time possible and without unreasonable delay; entities that only maintain (not own) the data must notify the owner immediately after discovery. If PHI is involved, HIPAA adds an outside limit of 60 days after discovery to notify individuals. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325E.61))

What notification methods are permissible?

Written mail or compliant electronic notice are allowed. If direct notice is impracticable due to cost over $250,000, more than 500,000 affected people, or insufficient contact data, you may use substitute notice consisting of email (when available), a conspicuous website posting, and statewide media. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325E.61))

Are there delays allowed for breach notifications?

Yes. You may delay to a date certain if law enforcement affirmatively determines that notice would impede a criminal investigation. You may also take the time reasonably necessary to scope the incident, identify affected individuals, and restore system integrity—but not longer. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325E.61))
