HIPAA Pennsylvania

“HIPAA Pennsylvania” – the Pennsylvania law that is the equivalent of the HIPAA Data Breach Notification regulations – is called the Pennsylvania Breach of Personal Information Notification Act. This “HIPAA Pennsylvania” law describes what entities are subject to its terms; what “protected data” is; the persons to whom notice of a breach must be given; and when the notice must be provided. 

HIPAA Pennsylvania: What is the Pennsylvania Breach of Personal Information Notification Act?

The Pennsylvania Breach of Personal Information Notification Act (BPINA), “HIPAA Pennsylvania,” regulates entities that maintain, store, or manage computerized data that contains personal information.

An entity can be:

  • A business doing business in Pennsylvania; or
  • A Pennsylvania state agency or political subdivision; or
  • An individual doing business in Pennsylvania.

“Personal information” is defined as an individual’s first name or initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted:

  • A Social Security number; or
  • A driver’s license number (or a State identification card number that is issued in lieu of a driver’s license); or
  • A financial account number, or a credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

What Must an Entity Do in the Event of a Data Breach?

Under BPINA, an entity must give notice of a breach of the security of the system. A breach of the security of the system is:

  • The unauthorized access and acquisition of computerized data that
  • materially compromises the security or confidentiality of personal information
  • maintained by the entity as part of a database of personal information regarding multiple individuals, and
  • that causes, or the entity reasonably believes has caused or will cause, loss or injury to any Pennsylvania resident.

Under BPINA, access to and use of the data by entity employees within the scope of their employment and for a proper business purpose is not considered a breach.

What Notice Must be Given?

Every Pennsylvania resident whose unencrypted or unredacted personal information is, or is reasonably believed to have been, accessed by an unauthorized person should be given notice of the breach.

Except for delays to meet the needs of law enforcement, or in order to take necessary measures to determine the scope of the breach and to restore the reasonable integrity of the data system, the notice shall be made without unreasonable delay to Pennsylvania residents.

Residency is determined by the individual’s principal mailing address, as reflected in the entity’s computerized data.

Notice may be provided by any of the following methods:

  • Written notice, to the individual’s last known home address
  • Notice by telephone. Notice by telephone may be given if:
    • The customer can be reasonably expected to receive the notice;
    • The notice is given in a clear and conspicuous manner;
    • The notice describes the incident in general terms;
    • The notice verifies personal information but does not require the customer to provide personal information; and
    • The customer is provided with a telephone number to call or Internet website to visit for further information or assistance.
  • Email notice. Email notice may be given if:
    • A prior business relationship exists between the entity and the customer; and
    • The entity has a valid email address for the individual. 

What is Substitute Notice?

In certain instances, substitute notice may be given. Substitute notice must consist of all of the following: 

  • Email notice when the entity has an email address for the affected people.
  • Conspicuous posting of the notice on the entity’s website, if the entity maintains one.
  • Notification to major statewide media.

A substitute form of notice may be used if the entity demonstrates one of the following:

  • The cost of providing “regular” notice would exceed $100,000;
  • The affected class of subject persons to be notified exceeds 175,000; or
  • The entity does not have sufficient contact information for affected individuals.