Oregon Healthcare Breach Notification Law: Requirements, Timelines, and Compliance Guide
Breach Definition and Discovery
Under Oregon’s Consumer Information Protection Act (OCIPA), a “breach of security” is the unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information, which expressly includes medical information and health insurance identifiers. In healthcare contexts, this often overlaps with protected health information (PHI). ([codes.findlaw.com](https://codes.findlaw.com/or/title-50-trade-regulations-and-practices/or-rev-st-sect-646a-602/?utm_source=openai))
Discovery starts the clock for covered entity notification. HIPAA defines discovery as the first day the breach is known—or should have been known through reasonable diligence—to any workforce member or agent other than the person committing the breach, per 45 CFR 164.404(a)(2). Oregon’s statute similarly pegs obligations to discovering or receiving notice of a breach. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.404))
Vendors that maintain personal information for you must notify your organization “as soon as practicable” and no later than 10 days after discovering or suspecting a breach, ensuring you can meet state and federal breach notification timelines. ([oregon.public.law](https://oregon.public.law/statutes/ors_646a.604))
Notification to Regulatory Authorities
State. If a breach affects more than 250 Oregon residents, you must send a report and a sample copy of the consumer notice to the Oregon Attorney General within the same 45-day window as individual notices. Separately, if more than 1,000 residents are affected, you must notify nationwide consumer reporting agencies of the timing, distribution, and content of your notices. ([doj.state.or.us](https://www.doj.state.or.us/consumer-protection/id-theft-data-breaches/data-breaches/))
Federal. HIPAA requires notice to the Secretary of Health and Human Services (HHS/OCR) under 45 CFR 164.408: for 500 or more individuals, submit to HHS contemporaneously with individual notices; for fewer than 500, log the breach and submit to HHS no later than 60 days after the end of the calendar year in which it was discovered. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.408?utm_source=openai))
Business associates. Under 45 CFR 164.410(2), a business associate must provide the covered entity with the information the covered entity needs to complete individual notifications, without unreasonable delay and no later than 60 days after discovery. Your business associate agreements often require even faster internal reporting. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.410?utm_source=openai))
Public sector note. Oregon Health Authority contractors have additional duties in OAR 943-014-0440, including prompt notice to the Authority and coordination for media and HHS notifications. ([law.cornell.edu](https://www.law.cornell.edu/regulations/oregon/Or-Admin-Code-SS-943-014-0440))
Individual Breach Notification Process
How to notify individuals
- Written notice by first-class mail, or by email if you customarily communicate electronically or the individual agreed to electronic notice.
- Telephone notice may supplement other methods.
- Use substitute notice when direct contact is not feasible (see “Substitute Notice Conditions”). ([oregon.public.law](https://oregon.public.law/statutes/ors_646a.604))
Breach notification content
Oregon law requires, at minimum, a general description of the incident, approximate breach date, types of personal information involved, your contact information, national consumer reporting agency contacts, and advice to report suspected identity theft to law enforcement, including the Oregon Attorney General and the FTC. This defines core breach notification content under state law. ([oregon.public.law](https://oregon.public.law/statutes/ors_646a.604))
HIPAA adds specific elements in 45 CFR 164.404(c): what happened (including breach and discovery dates), the categories of PHI involved, steps individuals should take, what you are doing to investigate/mitigate/prevent recurrence, and contact methods (toll-free number, email, website, or postal address). Use plain language. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.404))
Media Notification Requirements
HIPAA requires media notification when a breach involves more than 500 residents of a single state or jurisdiction. You must notify prominent media outlets serving that area without unreasonable delay and no later than 60 days after discovery, and include the same information as in individual notices. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.406?utm_source=openai))
Oregon’s law requires media involvement when you use substitute notice due to cost, scale, or insufficient contact data: you must post notice on your website and notify major statewide television and newspaper media. This is distinct from HIPAA’s 500-resident media rule. ([oregon.public.law](https://oregon.public.law/statutes/ors_646a.604))
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Notification Timeliness and Delays
Oregon’s breach notification timelines require you to notify affected Oregon residents “in the most expeditious manner possible, without unreasonable delay,” and no later than 45 days after discovery or receipt of notice from a vendor. HIPAA’s deadline is “without unreasonable delay” and no later than 60 days from discovery; in practice, you must meet the shortest applicable deadline—45 days for Oregon residents. ([oregon.public.law](https://oregon.public.law/statutes/ors_646a.604))
Law enforcement delay request. Oregon permits delay only if a law enforcement agency determines that notice would impede a criminal investigation and requests a written delay. HIPAA authorizes delays at law enforcement’s request as well (written for a specified time, or oral with a brief temporary delay while written confirmation is obtained) under 45 CFR 164.412. Document any delay and resume notices once the restriction lifts. ([oregon.public.law](https://oregon.public.law/statutes/ors_646a.604))
Substitute Notice Conditions
Under Oregon’s substitute notice criteria, you may use substitute notice if: (1) the cost of direct notice would exceed $250,000; or (2) the affected class exceeds 350,000 people; or (3) you lack sufficient contact information. Substitute notice requires both a conspicuous website posting and notice to major statewide TV and newspaper media. ([oregon.public.law](https://oregon.public.law/statutes/ors_646a.604))
HIPAA has a different substitute-notice standard tied to insufficient or out-of-date contact information: for fewer than 10 individuals, use an alternative method; for 10 or more, post conspicuously on your homepage for 90 days or use major print/broadcast media where affected individuals likely reside, plus a 90-day toll-free number. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.404))
Exemptions and Legal Considerations
When Oregon notice may not be required
- Risk-of-harm exception: If, after appropriate investigation or consultation with law enforcement, you reasonably determine affected consumers are unlikely to suffer harm, you need not notify—but you must document that determination and retain it for at least five years. ([oregon.public.law](https://oregon.public.law/statutes/ors_646a.604))
- Sectoral exemptions: Compliance with Gramm-Leach-Bliley or HIPAA/HITECH can satisfy Oregon’s requirements for overlapping data—but you must still provide a copy of the notice to the Oregon Attorney General if more than 250 residents are affected. ([oregon.public.law](https://oregon.public.law/statutes/ors_646a.604))
- Security safe harbor: Oregon recognizes encryption/redaction in defining protected “personal information,” which can remove an event from breach status if keys were not compromised. ([dwt.com](https://www.dwt.com/files/Uploads/Documents/Publications/Oregon%20Security%20Breach.pdf?utm_source=openai))
A note on “covered entity” terminology
OCIPA uses “covered entity” broadly (any person or organization that owns, licenses, maintains, or otherwise handles personal information), which differs from HIPAA’s healthcare-specific definition. Clarify which framework applies to your incident and follow both where they overlap. ([olis.oregonlegislature.gov](https://olis.oregonlegislature.gov/liz/2019R1/Downloads/MeasureDocument/SB684/A-Engrossed?utm_source=openai))
Conclusion
To comply with Oregon healthcare breach rules, align your breach notification content with both OCIPA and HIPAA, trigger your internal response the moment of discovery (45 CFR 164.404(a)(2)), meet Oregon’s 45-day deadline, report to the AG at 250+ residents and to HHS under 45 CFR 164.408, and use media or substitute notice only when required. When in doubt, document your analysis, act within the strictest applicable timeline, and coordinate with business associates early so your breach notification timelines stay on track. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.404))
FAQs
What constitutes a breach under Oregon healthcare law?
Under OCIPA, a breach of security is the unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information, which includes medical information and certain health insurance identifiers. Good-faith acquisition by your employee that does not harm the data may be excluded. HIPAA separately treats an impermissible use or disclosure of unsecured PHI as a presumed breach unless a low-probability-of-compromise assessment rebuts it. ([codes.findlaw.com](https://codes.findlaw.com/or/title-50-trade-regulations-and-practices/or-rev-st-sect-646a-602/?utm_source=openai))
When must a breach be reported to the Secretary of Health and Human Services?
For 500 or more individuals, submit to HHS/OCR contemporaneously with individual notices and within 60 days of discovery; for fewer than 500 individuals, maintain a log and file it no later than 60 days after the end of the calendar year in which the breach was discovered, per 45 CFR 164.408. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.408?utm_source=openai))
How does notification timing affect compliance?
The clock starts at discovery under 45 CFR 164.404(a)(2). Oregon requires notice to residents no later than 45 days after discovery (or receipt of a vendor’s notice), while HIPAA requires notice without unreasonable delay and no later than 60 days. Apply the strictest rule that fits your incident—practically, Oregon’s 45-day deadline for Oregon residents. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.404))
Can notification be delayed for law enforcement purposes?
Yes. Oregon allows a delay only if a law enforcement agency determines notice would impede a criminal investigation and makes a written law enforcement delay request. HIPAA also permits a temporary delay at law enforcement’s request under 45 CFR 164.412 (written for a set period, or a short oral delay pending written confirmation). Resume notifications as soon as the restriction lifts. ([oregon.public.law](https://oregon.public.law/statutes/ors_646a.604))
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.