Pennsylvania Healthcare Breach Notification Law: Requirements, Timelines, and How It Aligns with HIPAA
Breach of Personal Information Notification Act Overview
Pennsylvania’s Breach of Personal Information Notification Act (BPINA) is the statewide framework that governs when and how you must notify residents after a data breach. It applies to private organizations and public bodies and requires notification “without unreasonable delay” once you determine a security breach has occurred, subject to limited law-enforcement delays. Recent amendments strengthened requirements and added specific duties such as Attorney General notice and credit monitoring in defined scenarios. ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2005/0/0094..PDF))
For purposes of BPINA, a breach is an unauthorized access and acquisition of computerized data that materially compromises personal information and causes, or is reasonably believed to cause, loss or injury to a Pennsylvania resident. That standard helps you filter incidents that truly warrant notification. ([attorneygeneral.gov](https://www.attorneygeneral.gov/bpina/))
BPINA covers an “entity,” defined broadly to include state agencies, political subdivisions, and individuals or businesses doing business in Pennsylvania. If you store or manage computerized personal information on Pennsylvania residents, you’re within scope. ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2005/0/0094..PDF))
Definition of Personal Information
Under BPINA’s definition of personal information, notice obligations are triggered when a Pennsylvania resident’s first name (or first initial) and last name are linked with any of the following unencrypted or unredacted data elements: Social Security number; driver’s license or state ID number; financial account number with any required code or password; health insurance information; and user name or email address with a password or security question/answer that permits access to an online account. Publicly available information is excluded. ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2024/0/0033..PDF))
Healthcare nuance: “medical information” is included only when it is in the possession of a state agency or state agency contractor. Private-sector healthcare entities should still evaluate exposures of health insurance information, account credentials, and classic identifiers (e.g., SSNs), which are expressly covered by BPINA and drive healthcare data breach compliance obligations under state law. ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2005/0/0094..PDF))
Notification and Reporting Requirements
Core duties for private entities
- Notify affected Pennsylvania residents without unreasonable delay after you determine a breach occurred; you may take time to scope the incident and restore system integrity, and you may delay at law enforcement’s written request. ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2005/0/0094..PDF))
- Use any permitted method: written notice, telephonic notice in a clear and conspicuous manner, or email. For breaches of online credentials, electronic notice directing affected persons to promptly change passwords and security answers is expressly allowed. ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2005/0/0094..PDF))
- Vendors that maintain, store, or manage data on behalf of another must notify the data owner; the owner remains responsible for remaining BPINA duties. ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2005/0/0094..PDF))
Concurrent Attorney General Notification
- If notice must be given to more than 500 Pennsylvania residents, notify the Attorney General concurrently with the individual notices, including the organization’s name and location, the breach date, a summary of the incident, and the total number of affected individuals (and of affected Pennsylvania residents). ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2024/0/0033..PDF))
Other required reporting and assistance
- Notify all nationwide consumer reporting agencies without unreasonable delay if you are notifying more than 500 persons at one time. ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2024/0/0033..PDF))
- Provide at least 12 months of credit monitoring and access to an independent credit report when the exposed data includes a Social Security number, bank account number, or driver’s license/state ID number. ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2024/0/0033..PDF))
Substitute Notice Procedures
Substitute notice applies only in limited, demonstrable situations. You may use substitute notice if one of the following is true: (1) the cost of regular notice exceeds $100,000; (2) the affected class exceeds 175,000 people; or (3) you lack sufficient contact information. When used, substitute notice must include all of the following: email notice (if you have email addresses), conspicuous website posting, and notification to major statewide media. Pennsylvania expects you to be able to demonstrate that one of the qualifying conditions exists if you opt for substitute notice. ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2005/0/0094..PDF))
Timeline for Notifications
Private-sector organizations
You must notify affected residents without unreasonable delay after you determine a breach occurred. BPINA expressly permits short delays to determine scope, restore system integrity, or comply with a written law-enforcement delay. There is no fixed day-count for private entities in state law. ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2005/0/0094..PDF))
State agencies and state agency contractors
- Notify affected individuals within seven business days of determination; for state agencies, notify the Attorney General concurrently, and agencies under the Governor’s jurisdiction must also notify the Governor’s Office of Administration within three business days. ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2005/0/0094..PDF))
Counties, public schools, and municipalities
- Notify affected individuals within seven business days of determination, and notify the county District Attorney within three business days. If more than 500 Pennsylvania residents require notice, the Attorney General must also be notified concurrently. ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2005/0/0094..PDF))
Exemptions Under HIPAA
HIPAA Exemptions: A covered entity or business associate that is subject to and in compliance with HIPAA’s privacy and security standards, including the Breach Notification Rule, is deemed compliant with BPINA. In practice, if you meet HIPAA’s breach-notification requirements for the incident, Pennsylvania does not add duplicative state notice obligations for that incident. ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2005/0/0094..PDF))
Note that Pennsylvania’s 2024 amendments also exempt entities subject to the state Insurance Data Security law (40 Pa.C.S. Ch. 45) from the new Attorney General notification subsection. Regardless of any exemption, evaluate incidents involving non-PHI (for example, employee SSNs or account credentials) because those data types can still trigger BPINA duties. ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2024/0/0033..PDF))
Comparison with Federal Regulations
Pennsylvania vs. HIPAA at a glance
- Timing: BPINA requires notice without unreasonable delay and sets no fixed day-count for private entities; HIPAA requires notice without unreasonable delay and no later than 60 calendar days from discovery. ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2005/0/0094..PDF))
- Regulator notice: Pennsylvania requires Attorney General notice when more than 500 Pennsylvania residents are affected; HIPAA requires reporting to HHS (Secretary) and uses different timing rules for ≥500 vs. <500 individuals. ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2024/0/0033..PDF))
- Public/media notice: Pennsylvania mandates substitute notice steps only in defined circumstances; HIPAA separately requires media notice when a breach involves more than 500 residents of a state or jurisdiction. ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2005/0/0094..PDF))
- Consumer support: Pennsylvania now requires 12 months of credit monitoring and access to a credit report for certain data exposures; HIPAA imposes no comparable credit-monitoring mandate. ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2024/0/0033..PDF))
Key takeaways
- If you are a HIPAA-covered healthcare organization and you follow HIPAA’s breach-notification rules, Pennsylvania generally deems you compliant under BPINA; still assess whether non-PHI identifiers also trigger state notice. ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2005/0/0094..PDF))
- For non-HIPAA incidents, build your process around BPINA: determine whether a breach occurred quickly, notify residents without unreasonable delay, and be ready to execute concurrent Attorney General notification and consumer reporting agency notifications when the thresholds are met. ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2024/0/0033..PDF))
- Use substitute notice only when you can substantiate one of the statutory thresholds, and document your basis. ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2005/0/0094..PDF))
FAQs
What entities are covered by Pennsylvania’s breach notification law?
BPINA covers a broad “entity” class: state agencies, political subdivisions, and any individual or business doing business in the Commonwealth that maintains, stores, or manages computerized personal information on Pennsylvania residents. Vendors must notify the data owner, who remains responsible for the remaining duties. ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2005/0/0094..PDF))
How soon must affected individuals be notified of a breach?
Private organizations must notify without unreasonable delay after determining a breach occurred, subject to limited delays to scope the incident, restore integrity, or honor a law-enforcement hold. Public entities face fixed timelines: seven business days to notify individuals (with additional concurrent notices for certain agencies). ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2005/0/0094..PDF))
When is the Attorney General required to be notified?
When a breach requires notification to more than 500 Pennsylvania residents, you must notify the Attorney General at the same time you notify individuals. That duty applies in addition to any other required notices (for example, a county District Attorney for local government breaches). ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2024/0/0033..PDF))
How does Pennsylvania's law interact with HIPAA requirements?
If you are a HIPAA covered entity or business associate and you are in compliance with HIPAA’s privacy and security standards (including the breach-notification rules), Pennsylvania deems you compliant with BPINA for that incident. You still need to evaluate non-PHI data exposures that may independently trigger BPINA. ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/2005/0/0094..PDF))