Puerto Rico Healthcare Data Breach Notification Law: Requirements, Deadlines, and Reporting Steps


Kevin Henry

Data Breaches

January 31, 2026


Overview of Puerto Rico Data Breach Law

Puerto Rico’s primary breach statute—the Citizen Information on Data Banks Security Act—applies to any entity that owns or is a data custodian of databases containing personal information of Puerto Rico residents, including hospitals, clinics, health plans, and their vendors. For healthcare organizations, “personal information” explicitly includes medical data protected by HIPAA, making the law directly relevant to your privacy program. ([law.justia.com](https://law.justia.com/codes/puerto-rico/2023/title-ten/subtitle-3/chapter-310/4051/))

The law imposes two concurrent obligations when a qualifying “violation of the security system” is detected: (1) notify affected individuals, and (2) submit a notification to the Department of Consumer Affairs (DACO) within a non-extendable 10 days; DACO then issues a public announcement within 24 hours of receiving your report. Individual notice must be provided “as expeditiously as possible,” taking into account law-enforcement needs and system restoration. ([law.justia.com](https://law.justia.com/codes/puerto-rico/title-ten/subtitle-3/chapter-310/4052/))

Defining a Data Breach

What “violation of the security system” means

A reportable event is any detected situation that permits unauthorized access to data files, compromises their confidentiality or integrity, or involves authorized users who violate professional confidentiality or who obtained access under false pretenses for illegal use. This covers both network/system intrusions and physical access to, or removal of, storage media. ([law.justia.com](https://law.justia.com/codes/puerto-rico/2023/title-ten/subtitle-3/chapter-310/4051/))

What counts as “personal information” in healthcare

Personal information consists of a person’s name (or initial plus surname) linked with specified data elements. For healthcare, “medical information protected by HIPAA” is expressly included, along with Social Security numbers, account numbers, and authentication credentials. ([law.justia.com](https://law.justia.com/codes/puerto-rico/2023/title-ten/subtitle-3/chapter-310/4051/))

Encryption and scope

The individual-notice duty is triggered when the breached database contains personal information files that are not encrypted and are protected only by a password. If the affected files are properly encrypted, the statute’s individual-notice obligation does not apply. ([law.justia.com](https://law.justia.com/codes/puerto-rico/title-ten/subtitle-3/chapter-310/4052/))

Notification Requirements to Individuals

Timing and trigger

Once you confirm a qualifying event, you must notify affected Puerto Rico residents as expeditiously as possible. The statute allows consideration of law-enforcement needs (e.g., preserving evidence) and measures needed to restore system security, but it does not set a fixed day-count for individual notice. ([law.justia.com](https://law.justia.com/codes/puerto-rico/title-ten/subtitle-3/chapter-310/4052/))

Content of the notice

  • Clear, conspicuous explanation describing the incident in general terms and the type of sensitive information compromised.
  • A toll-free number and an internet site individuals can use for information or assistance.

These elements are mandatory for every individual notice under Puerto Rico law. ([law.justia.com](https://law.justia.com/codes/puerto-rico/2023/title-ten/subtitle-3/chapter-310/4053/))

Format and Digital Signatures Act Compliance

You may notify individuals by written letter or by authenticated electronic means consistent with Puerto Rico’s Digital Signatures Act. For healthcare senders, align e-delivery with your identity-proofing and recordkeeping controls so you can demonstrate authenticity, delivery, and content integrity. ([law.justia.com](https://law.justia.com/codes/puerto-rico/2023/title-ten/subtitle-3/chapter-310/4053/))

Reporting Obligations to the Department of Consumer Affairs

Who must report and when

  • Report to DACO: Owners or custodians of affected databases must notify DACO within a non-extendable 10 days after detecting the violation.
  • Public announcement: DACO publishes a notice within 24 hours of receiving your report.

These DACO notification timelines apply regardless of how you notify individuals. ([law.justia.com](https://law.justia.com/codes/puerto-rico/title-ten/subtitle-3/chapter-310/4052/))

Special note for government entities

If the breach occurs in a government agency or public corporation, it must be reported to the Citizen’s Advocate Office (Ombudsman), which designates a Specialized Advocate to handle the case. ([law.justia.com](https://law.justia.com/codes/puerto-rico/2023/title-ten/subtitle-3/chapter-310/4054a/))

Reporting steps you can follow

  1. Confirm scope: Determine whether personal information files were involved and whether they were encrypted.
  2. Start the DACO clock: Record the detection date and prepare your Department submission within 10 days.
  3. Assemble facts: Summarize what happened, the data elements implicated, number of affected residents, timeline, and a compliance contact.
  4. Coordinate parallel notices: Launch individual notifications “as expeditiously as possible,” while preserving evidence and stabilizing systems.
  5. Document decisions: Keep investigations, notification content, and delivery proofs for audit and regulatory review.

Methods of Notification

Primary methods

  • Written direct notice by mail.
  • Authenticated electronic notice under the Digital Signatures Act.

All notices must be clear and conspicuous, describe the breach in general terms, identify the type of compromised data, and include a toll-free number and website for assistance. ([law.justia.com](https://law.justia.com/codes/puerto-rico/2023/title-ten/subtitle-3/chapter-310/4053/))

Substitute Notice Requirements

If direct notice is impracticable because the identification or contact process is excessively onerous, or if notification costs exceed $100,000, or the affected population exceeds 100,000 persons, you may use substitute notice consisting of two steps: (1) a prominent announcement at your premises, on your website (if any), and in any informational flyers circulated via postal and electronic mailing lists; and (2) a media communication providing incident details and how to contact your organization. Sector-specific outlets may be used when appropriate. ([law.justia.com](https://law.justia.com/codes/puerto-rico/2023/title-ten/subtitle-3/chapter-310/4053/))

Penalties for Non-Compliance

The Secretary of Consumer Affairs may impose administrative fines ranging from $500 to $5,000 for each violation. These fines do not limit affected consumers’ rights to bring civil actions for damages in court. ([law.justia.com](https://law.justia.com/codes/puerto-rico/2023/title-ten/subtitle-3/chapter-310/4055/))

Exemptions and Security Measures

Key exemptions

  • Encryption safe harbor for individual notice: If personal information files were encrypted (and not merely password-protected), the individual-notice obligation does not apply.
  • Authorized access without misuse: A “violation of the security system” focuses on unauthorized access or misuse; routine access by authorized personnel that does not involve confidentiality violations falls outside that definition. ([law.justia.com](https://law.justia.com/codes/puerto-rico/title-ten/subtitle-3/chapter-310/4052/))

Security practices to reduce risk

  • Use strong encryption for data at rest and in transit to preserve the confidentiality of personal information.
  • Harden identity and access controls (MFA, role-based access, privileged access governance) and maintain audit logs.
  • Practice data minimization and timely deletion; monitor for anomalies; test incident response and notification playbooks regularly.
  • When using electronic notices, retain evidence of authentication to satisfy the Digital Signatures Act requirements.

In practice, the fastest path to compliance is to confirm encryption status, launch individual notice “as expeditiously as possible,” and file the DACO report within 10 days, then document every decision and action taken. ([law.justia.com](https://law.justia.com/codes/puerto-rico/title-ten/subtitle-3/chapter-310/4052/))

FAQs

What constitutes a reportable breach under Puerto Rico law?

A reportable breach is a “violation of the security system” that permits unauthorized access, or involves misuse by normally authorized users, and compromises the confidentiality or integrity of data files. The individual-notice duty applies only when the affected database includes personal information files that are not encrypted (protected only by a password). ([law.justia.com](https://law.justia.com/codes/puerto-rico/2023/title-ten/subtitle-3/chapter-310/4051/))

How quickly must affected individuals be notified?

You must notify individuals as expeditiously as possible, accounting for law-enforcement needs and restoration of system security. There is no fixed day-count for individual notices, but you must notify DACO within 10 days of detecting the violation. ([law.justia.com](https://law.justia.com/codes/puerto-rico/title-ten/subtitle-3/chapter-310/4052/))

What are the penalties for failing to comply?

DACO may assess administrative fines from $500 up to $5,000 for each violation, and these penalties do not limit consumers’ rights to sue for damages. ([law.justia.com](https://law.justia.com/codes/puerto-rico/2023/title-ten/subtitle-3/chapter-310/4055/))

Does encryption exempt a data breach from notification?

Encryption can exempt you from notifying individuals, because the statute triggers individual notice only when files are not encrypted and are protected merely by a password. However, the 10-day report to the Department of Consumer Affairs is tied to detection of a violation of the security system and is not expressly limited by an encryption exception. ([law.justia.com](https://law.justia.com/codes/puerto-rico/title-ten/subtitle-3/chapter-310/4052/))
