Rhode Island Healthcare Breach Notification Law: Requirements, Timelines, and Compliance Guide
Covered Entities
Rhode Island’s Identity Theft Protection Act applies broadly. If you are a healthcare provider, hospital or health system, clinic, laboratory, pharmacy, health insurer or plan, health IT vendor, billing service, or other business associate that stores, processes, or maintains personal information about Rhode Island residents, you are a covered entity under state law.
HIPAA compliance does not remove you from the state regime. Rather, covered entities and business associates that follow the HIPAA Breach Notification Rule are generally deemed in compliance with the Rhode Island statute, but you still need to track Rhode Island–specific requirements such as breach notification timelines and Attorney General notification thresholds.
Definition of Personal Information
Under Rhode Island law, “personal information” means an individual’s first name or initial and last name in combination with any one of the following data elements when the data are not encrypted or are in hard copy:
- Social Security number.
- Driver’s license, Rhode Island identification card, or tribal identification number.
- Financial account, credit, or debit card number with any required code, password, or PIN permitting account access.
- Medical information (any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis) or health insurance information (such as a policy or subscriber number).
- Email address with a password, access code, or other credential that would permit access to a personal, medical, insurance, or financial account.
Encrypted data exemptions: a “breach of the security of the system” is defined as unauthorized access to unencrypted computerized data. Strong encryption (128-bit or higher) can place data outside the definition of a reportable “breach,” but the exemption does not apply if decryption keys, passwords, or other credentials are also compromised.
Notification Requirement
Trigger: you must notify Rhode Island residents following (1) any disclosure of personal information or (2) any breach of the security of the system that poses a significant risk of identity theft. The harm threshold (“significant risk of identity theft”) requires a reasonable, documented assessment.
Timelines: notice must be provided in the most expedient time possible and no later than 45 calendar days after you confirm the breach and can ascertain the information required for the notice. State and municipal agencies have a 30‑day outside limit. Law enforcement may request a delay if notice would impede an investigation; once the delay is lifted, you must notify as soon as practicable.
Methods: written or electronic notice is allowed. Substitute notice is permitted if direct notice costs would exceed $25,000, the affected class exceeds 50,000 individuals, or you lack sufficient contact information; substitute notice requires email (if available), prominent website posting, and notice to major statewide media.
HIPAA coordination: healthcare entities must also meet HIPAA’s 60‑day outer limit. Because Rhode Island’s 45‑day deadline is shorter, you should plan your breach response to satisfy the state timeline while also meeting HIPAA content and federal reporting duties.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Content of Notification
Your consumer notice must clearly and concisely include:
- A general, brief description of the incident, including how it occurred and the number of affected individuals.
- The types of information involved.
- The date, estimated date, or date range of the incident, and the date of discovery.
- A description of any remediation services offered (for example, credit monitoring or identity theft protection), and toll‑free numbers and websites for:
  - the major credit reporting agencies,
  - any remediation service provider, and
  - the Rhode Island Attorney General.
- How to file or obtain a police report, how to place a security freeze, and a statement that consumer reporting agencies may require certain information (and may charge fees, if applicable) to place a freeze.
Credit monitoring requirements and remediation services coverage: state and municipal agencies must provide remediation services for at least five years for adults; for minors, coverage must extend until age 18 and for no less than two additional years beyond age 18. Private-sector healthcare entities are not given a fixed duration in statute, but offering no‑cost credit monitoring or comparable identity remediation is a widely adopted best practice that supports consumer protection and regulatory expectations.
Notification to Authorities
Attorney General notification: if more than 500 Rhode Island residents are to be notified, you must also notify the Rhode Island Attorney General and the major credit reporting agencies regarding timing, content, distribution, and the approximate number of affected individuals. This notice must not delay consumer notifications and should be sent within the same 45‑day (or 30‑day for public agencies) window.
Sector regulator notice: licensees regulated by the Rhode Island Department of Business Regulation (including many health insurers) must provide a breach notice to the Department when consumer notification is required under state law.
Federal duties for healthcare: under HIPAA, you must notify the U.S. Department of Health and Human Services (HHS). For breaches affecting 500 or more individuals in a state or jurisdiction, you must also notify prominent media outlets serving that area. For fewer than 500 individuals, you may report to HHS annually within 60 days after year‑end.
Exemptions
- Encrypted data exemptions: incidents involving properly encrypted data are generally not reportable unless the encryption key or credential was also compromised.
- Good‑faith acquisition by your workforce or agents is not a breach if the information is not used or further disclosed without authorization.
- Law enforcement delay: notification may be delayed if an authorized agency determines it would impede a criminal investigation.
- Existing procedures and HIPAA compliance: entities with their own breach procedures that meet state timing requirements, or entities governed by HIPAA’s privacy and security rules, are deemed compliant with Rhode Island’s breach notification chapter; however, Rhode Island–specific steps (such as Attorney General notification and inclusion of AG contact details in consumer letters) must still be addressed.
Penalties for Non-Compliance
Civil penalties apply per record: up to $100 per record for each reckless violation and up to $200 per record for each knowing and willful violation. The Rhode Island Attorney General may bring enforcement actions, seek injunctive relief, and pursue remedies in the public interest.
Separately, the Rhode Island Deceptive Trade Practices Act may be used by the Attorney General to challenge unfair or deceptive practices relating to data security representations or breach handling. Misleading statements about your security program, credit monitoring, or remediation services can invite scrutiny in addition to breach-specific penalties.
Conclusion
For healthcare organizations, Rhode Island’s law layers state-specific obligations onto HIPAA. Build your incident response playbook to (1) evaluate the significant-risk threshold quickly, (2) meet the 45‑day consumer notice deadline (30 days for public agencies), (3) include all mandatory notice elements, (4) deliver Attorney General notification when more than 500 residents are affected, and (5) implement appropriate remediation services coverage. Doing so reduces regulatory exposure and demonstrates a patient‑first posture.
FAQs
What are the notification deadlines under Rhode Island healthcare breach laws?
You must notify Rhode Island residents as soon as practicable and no later than 45 calendar days after confirming a breach and determining the information required for the notice; state and municipal agencies have 30 days. HIPAA also imposes a 60‑day outer limit, so healthcare entities should plan to meet the shorter Rhode Island timeline while satisfying federal content and reporting rules.
How is personal information defined under this law?
Personal information is a Rhode Island resident’s first name or initial and last name plus at least one sensitive element—Social Security number; driver’s license/RI ID/tribal ID; financial account, credit, or debit card number with a code or password; medical information or health insurance information; or an email address with a password or code enabling access to a personal, medical, insurance, or financial account—when the data are unencrypted or in paper form.
When must the Attorney General be notified of a breach?
When more than 500 Rhode Island residents are to receive breach notices, you must also notify the Rhode Island Attorney General and the major credit reporting agencies. This authority notification should occur within the same 45‑day (or 30‑day for public agencies) window and must not delay consumer notifications. Regulated insurers and certain licensees must also notify the Department of Business Regulation.
What penalties apply for non-compliance?
Violations can result in civil penalties of up to $100 per record for reckless violations and up to $200 per record for knowing and willful violations, with enforcement by the Attorney General. In addition, conduct surrounding a breach may be pursued under the Rhode Island Deceptive Trade Practices Act if it constitutes an unfair or deceptive practice, increasing litigation and enforcement risk.