Mississippi Healthcare Breach Notification Law: Reporting Requirements and Timelines


Kevin Henry

Data Breaches

March 08, 2026

Definition of Personal Information

Under Mississippi law, “personal information” is a resident’s first name or first initial and last name combined with at least one data element: Social Security number; driver’s license, state ID, or tribal ID number; or a financial account, credit, or debit card number plus a required security or access code or password. Stand‑alone clinical or medical details are not included in this state definition, so a healthcare incident may trigger HIPAA without triggering Mississippi’s consumer breach statute unless these identifiers are involved. ([wyatthitechlaw.com](https://wyatthitechlaw.com/wp-content/uploads/2021/07/75-24-29-notice-of-breach-of-security-application-definitions-requirement-ground.pdf))

For healthcare entities, this means state notification typically hinges on whether patient records also contain these identifiers (for example, SSNs collected for billing), while federal HIPAA duties apply when unsecured protected health information is involved. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html))

Definition of Data Breach

Mississippi defines a “breach of security” as the unauthorized acquisition of electronic files, media, databases, or computerized data containing personal information when that information is not secured by encryption or a technology that renders it unreadable or unusable. Paper records are outside this statutory definition; the focus is on electronic data and whether it was effectively encrypted. ([law.justia.com](https://law.justia.com/codes/mississippi/title-75/chapter-24/general-provisions/section-75-24-29/))

Separately, HIPAA treats a breach as an impermissible use or disclosure of protected health information that compromises its privacy or security, with a presumption of breach unless you document a low probability of compromise via a four‑factor risk assessment. HIPAA notifications are required only for “unsecured protected health information,” meaning PHI not rendered unusable, unreadable, or indecipherable per HHS encryption and destruction guidance. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html))

Notification Obligation

Any person who conducts business in Mississippi must disclose a qualifying breach of security to all affected individuals. If you maintain (but do not own or license) computerized personal information for another organization, you must notify the data’s owner or licensee “as soon as practicable” after discovery if the information was, or is reasonably believed to have been, acquired by an unauthorized person for fraudulent purposes. The statute also excuses notification if, after an appropriate investigation, you reasonably determine that the breach will not likely result in harm to the affected individuals; that determination should be documented, since it is what you will rely on if the Attorney General asks why no notice went out. ([wyatthitechlaw.com](https://wyatthitechlaw.com/wp-content/uploads/2021/07/75-24-29-notice-of-breach-of-security-application-definitions-requirement-ground.pdf))

Healthcare entities should coordinate state duties with HIPAA obligations: when unsecured protected health information is involved, you must notify affected individuals and, when applicable, HHS and the media, regardless of whether Mississippi’s narrower personal‑information definition is met. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html))

Timing of Notification

Mississippi requires disclosure “without unreasonable delay,” subject to completing an investigation to determine the incident’s nature and scope, identify the affected individuals, and restore the reasonable integrity of the data system. The statute sets no fixed day count, so the defensible approach is to keep a dated record of each investigative step and send notice as soon as the facts needed for it are known, rather than waiting for the investigation to be fully closed. ([wyatthitechlaw.com](https://wyatthitechlaw.com/wp-content/uploads/2021/07/75-24-29-notice-of-breach-of-security-application-definitions-requirement-ground.pdf))

HIPAA sets a hard outer limit: individual notice must be provided without unreasonable delay and in no case later than 60 calendar days after discovery. The 60 days is a ceiling, not a safe harbor; waiting until day 59 without a reason is itself an unreasonable delay. You must also notify HHS: for breaches affecting 500 or more individuals, contemporaneously with the individual notices and within the same 60‑day cap; for breaches affecting fewer than 500, through the annual log submitted within 60 days after the end of the calendar year in which the breach was discovered. For breaches affecting more than 500 residents of a single state or jurisdiction, prominent media outlets serving that area must be notified within the same 60‑day window. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html))

Delay of Notification

Both Mississippi law and HIPAA permit a law enforcement delay. In Mississippi, you must postpone notification for a reasonable period if a law enforcement agency determines that notice would impede a criminal investigation or national security and requests the delay. Notice must then be sent once the agency determines that it will no longer compromise the investigation or national security and informs you of that determination. Under HIPAA, a written law enforcement statement justifies delay for the period it specifies; an oral request must be documented (including the identity of the official) and supports a delay of no more than 30 days unless a written statement follows. Keep written records of the request, any time limit it carries, and the release to proceed, because the delay must be demonstrable after the fact. ([law.justia.com](https://law.justia.com/codes/mississippi/title-75/chapter-24/general-provisions/section-75-24-29/))

Substitute Notice

Mississippi authorizes substitute notice when any one of these criteria is met: the direct-notice cost would exceed $5,000; the affected class exceeds 5,000 people; or you lack sufficient contact information. Substitute notice must include email (when available), a conspicuous posting on your website, and notification to major statewide media (newspapers, radio, and television). ([wyatthitechlaw.com](https://wyatthitechlaw.com/wp-content/uploads/2021/07/75-24-29-notice-of-breach-of-security-application-definitions-requirement-ground.pdf))

HIPAA also recognizes substitute notice, but with different thresholds and mechanics. If you have insufficient or out‑of‑date contact information for fewer than 10 individuals, an alternative form of written notice, telephone, or other means may be used. For 10 or more, you must either post a conspicuous notice on your website home page for at least 90 days or run conspicuous notice in major print or broadcast media where the affected individuals likely reside, and in either case provide a toll‑free number that stays active for at least 90 days. Because the Mississippi triggers (cost, class size, or missing contact data) and the HIPAA trigger (missing or stale contact data) differ, check each separately; a breach can qualify for substitute notice under one framework and not the other. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html))

Method of Notification

Mississippi allows written notice, telephone notice, or electronic notice (if electronic communication is your primary method of contact with the affected individuals, or the notice is consistent with the electronic records and signatures provisions of 15 U.S.C. § 7001, the federal E‑SIGN Act). If you qualify for substitute notice, you must use all three components: email where you have an address, a conspicuous posting on your website if you maintain one, and notification to major statewide media. Keep the content clear, accurate, and identical across channels so that a recipient of the email, the website posting, and the media notice receives the same facts. ([wyatthitechlaw.com](https://wyatthitechlaw.com/wp-content/uploads/2021/07/75-24-29-notice-of-breach-of-security-application-definitions-requirement-ground.pdf))

HIPAA requires written notice by first‑class mail, or by email if the individual has agreed to receive notices electronically, and it specifies the content: a brief description of the breach, including the dates of the breach and of its discovery if known; the types of unsecured protected health information involved; steps individuals should take to protect themselves; what you are doing to investigate, mitigate harm, and prevent recurrence; and how to contact you (a toll‑free number, email address, website, or postal address). Mississippi’s statute prescribes no content, so drafting one notice to the HIPAA content standard and sending it through a method that is permitted under both regimes satisfies both at once. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html))

Conclusion

For healthcare organizations in Mississippi, breach response is a dual‑track exercise. Mississippi’s statute triggers notice when a resident’s name plus one of the listed identifiers is acquired in unencrypted electronic form; HIPAA triggers notice when unsecured protected health information is compromised and the four‑factor assessment cannot show a low probability of compromise. In practice this means: scope the incident promptly and keep a dated record of the investigation; treat encryption that meets HHS guidance as the factor that can take both statutes off the table; honor and document any law enforcement delay; and choose a notice method and content that satisfy the stricter of the two regimes.

FAQs.

What personal information triggers breach notification under Mississippi law?

State notice is triggered when a resident’s first name or first initial and last name is combined with one or more of the following: SSN; driver’s/state/tribal ID number; or a financial account, credit, or debit card number plus a required access or security code or password. Medical details alone do not trigger the Mississippi statute, though they often trigger HIPAA duties. ([wyatthitechlaw.com](https://wyatthitechlaw.com/wp-content/uploads/2021/07/75-24-29-notice-of-breach-of-security-application-definitions-requirement-ground.pdf))

When must healthcare entities notify affected individuals of a breach?

Under Mississippi law, you must notify without unreasonable delay, after completing a prompt, good‑faith investigation to scope the incident, identify affected individuals, and restore system integrity. Under HIPAA, you must notify without unreasonable delay and no later than 60 days after discovery, and also notify HHS and, for large breaches, the media within that same 60‑day window. ([wyatthitechlaw.com](https://wyatthitechlaw.com/wp-content/uploads/2021/07/75-24-29-notice-of-breach-of-security-application-definitions-requirement-ground.pdf))

Can notification be delayed for law enforcement reasons?

Yes. If law enforcement determines that notice would impede a criminal investigation or national security and requests a delay, Mississippi permits you to postpone notice for a reasonable time. You must send notices once the agency advises that doing so will no longer compromise the investigation or security. ([law.justia.com](https://law.justia.com/codes/mississippi/title-75/chapter-24/general-provisions/section-75-24-29/))

What penalties apply for non-compliance with breach notification rules?

Failure to comply with Mississippi’s breach notification statute constitutes an unfair trade practice enforced by the Mississippi Attorney General. The statute does not create a private right of action, but the AG may take enforcement action for violations. Separately, HIPAA violations can result in civil monetary penalties from HHS. ([wyatthitechlaw.com](https://wyatthitechlaw.com/wp-content/uploads/2021/07/75-24-29-notice-of-breach-of-security-application-definitions-requirement-ground.pdf))
