South Dakota Breach Notification Law for Healthcare: Requirements & Deadlines
Information Holder Definition
Under South Dakota’s breach notification law, an information holder is any person or business that conducts business in the state and owns or licenses computerized personal or protected information about South Dakota residents. For healthcare organizations, this plainly covers hospitals, clinics, health plans, and their business associates that handle electronic records and other systems containing computerized personal information. ([sdlegislature.gov](https://sdlegislature.gov/Statutes/22-40-19?utm_source=openai))
Healthcare entities regulated by federal personal health information regulation (for example, HIPAA) are deemed in compliance with the South Dakota statute if they follow their federal regulator’s breach procedures and notify affected South Dakota residents accordingly. This state-law safe harbor does not remove South Dakota-specific obligations that still apply (such as Attorney General thresholds discussed below). ([sdlegislature.gov](https://sdlegislature.gov/api/Statutes/22-40-26.html?all=true&utm_source=openai))
Breach Notification Requirements
A notification duty arises when you discover or are notified of a “breach of system security,” meaning the unauthorized acquisition of unencrypted computerized data—or encrypted data along with the key—that materially compromises the security, confidentiality, or integrity of personal or protected information. Good‑faith acquisition by your employee or agent is excluded if the information is not misused or further disclosed. ([sdlegislature.gov](https://sdlegislature.gov/Statutes/22-40-19?utm_source=openai))
When this threshold is met, you must provide notice to any South Dakota resident whose personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person. For healthcare, this state duty operates in addition to HIPAA’s breach rule; you should be prepared to satisfy both. ([legiscan.com](https://legiscan.com/SD/text/SB62/id/1755542/South_Dakota-2018-SB62-Enrolled.pdf))
Personal Information Criteria
Personal information (triggers only when combined with the resident's name)
- Social Security number.
- Driver license number or other unique government‑issued ID number.
- Account, credit card, or debit card number with any required security code, access code, password, routing number, PIN, or other data permitting account access.
- Health information as defined in 45 C.F.R. § 160.103 (aligning with HIPAA’s PHI).
- Employer‑assigned identification number with any required security or access code, password, or biometric authentication data.
Protected information (credentials and access data)
- Username or email address, in combination with a password, security question answer, or other data that permits access to an online account.
- Account or payment card number with any required security code, access code, or password permitting access to a financial account.
Information lawfully made available from government records, and data that have been redacted or otherwise rendered unusable, are excluded. The statute focuses on computerized personal information. ([sdlegislature.gov](https://sdlegislature.gov/Statutes/22-40-19?utm_source=openai))
Notification Deadlines and Procedures
- Deadline to notify individuals: Provide notice no later than 60 days after discovery or notification of the breach. ([sdlegislature.gov](https://sdlegislature.gov/api/Statutes/22-40-20.html))
- Law enforcement delay: If a law enforcement agency determines notice would impede an investigation, you may delay. Once the agency says notification will not compromise the investigation, send notices no later than 30 days thereafter. ([legiscan.com](https://legiscan.com/SD/text/SB62/id/1755542/South_Dakota-2018-SB62-Enrolled.pdf))
- Permissible notice methods: Written notice; electronic notice, if it is consistent with the federal E‑SIGN Act or if you typically communicate with the resident electronically; or substitute notice if the cost would exceed $250,000, the affected class exceeds 500,000 persons, or you lack sufficient contact information. Substitute notice must include (a) email notice if available, (b) conspicuous posting on your website, and (c) statewide media notification. ([legiscan.com](https://legiscan.com/SD/text/SB62/id/1755542/South_Dakota-2018-SB62-Enrolled.pdf))
- Consumer reporting agencies: If notification to residents is required, also notify all nationwide consumer reporting agencies of the timing, distribution, and content of the notice without unreasonable delay. ([mylrc.sdlegislature.gov](https://mylrc.sdlegislature.gov/api/Documents/49583.pdf))
Attorney General Notification Obligations
South Dakota Attorney General notification is required in two situations: (1) if you determine under the state’s risk of harm standard that individual notice is not required, you must first notify the Attorney General; and (2) if a breach affects more than 250 South Dakota residents, you must notify the Attorney General by mail or electronic mail. ([sdlegislature.gov](https://sdlegislature.gov/api/Statutes/22-40-20.html))
Healthcare entities that are subject to HIPAA should still evaluate these state‑specific Attorney General triggers alongside their federal timeline and content duties to ensure complete South Dakota Attorney General notification where applicable. ([sdlegislature.gov](https://sdlegislature.gov/api/Statutes/22-40-26.html?all=true&utm_source=openai))
Risk of Harm Assessment
South Dakota allows you to forgo individual notification only if—after an appropriate investigation and notice to the Attorney General—you reasonably determine the breach is not likely to result in harm to the affected person. You must document this determination in writing and keep it for at least three years. This is the statute’s risk of harm standard. ([sdlegislature.gov](https://sdlegislature.gov/api/Statutes/22-40-20.html))
For healthcare, a defensible assessment typically considers what data elements were involved (for example, diagnoses or account access data), whether data were actually acquired or viewed, encryption status, signs of misuse, and the likelihood of identity theft or medical or financial fraud. Preserve your analysis, timelines, and evidence to support compliance. ([sdlegislature.gov](https://sdlegislature.gov/Statutes/22-40-19?utm_source=openai))
Penalties for Noncompliance
Failure to disclose as required may be prosecuted by the Attorney General as a deceptive act or practice under South Dakota’s deceptive acts consumer protection law. In addition to consumer‑protection remedies (including injunctive relief), the Attorney General may seek breach notification fines—civil penalties of up to $10,000 per day per violation—and recover attorneys’ fees and costs. ([legiscan.com](https://legiscan.com/SD/text/SB62/id/1755542/South_Dakota-2018-SB62-Enrolled.pdf))
Conclusion
For healthcare organizations in South Dakota, pair HIPAA with state law: act within 60 days, apply the risk of harm standard carefully (and notify the Attorney General where required), use approved notice methods, document decisions for three years, and be mindful of significant state penalties for delay or noncompliance. ([sdlegislature.gov](https://sdlegislature.gov/api/Statutes/22-40-20.html))
FAQs
What triggers the notification requirement under South Dakota law?
A duty to notify is triggered by a breach of system security—unauthorized acquisition of unencrypted computerized data, or encrypted data with the key, that materially compromises personal or protected information. Good‑faith access by your employee or agent is excluded if not misused or further disclosed. ([sdlegislature.gov](https://sdlegislature.gov/Statutes/22-40-19?utm_source=openai))
How soon must affected individuals be notified after a breach?
You must notify affected South Dakota residents no later than 60 days after discovery or notification of the breach. If law enforcement determines that immediate notice would impede an investigation, you may delay; once cleared, you must send notices no later than 30 days thereafter. ([sdlegislature.gov](https://sdlegislature.gov/api/Statutes/22-40-20.html))
When is notification to the Attorney General required?
Notify the South Dakota Attorney General (by mail or email) if the breach affects more than 250 residents, and also when you invoke the risk of harm standard to decide not to notify individuals; in that case, you must first notify the Attorney General and document your determination. ([sdlegislature.gov](https://sdlegislature.gov/api/Statutes/22-40-20.html))
What penalties exist for failing to comply with breach notification?
Noncompliance may be treated as a deceptive act or practice, with civil penalties up to $10,000 per day per violation, plus potential injunctive relief and recovery of attorneys’ fees and costs by the Attorney General. ([legiscan.com](https://legiscan.com/SD/text/SB62/id/1755542/South_Dakota-2018-SB62-Enrolled.pdf))