25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Oklahoma Updates Security Breach Notification Act

Posted By on Jun 6, 2025

The Oklahoma legislature has updated the Security Breach Notification Act, expanding the definition of personal information that warrants breach notifications, specifying reasonable safeguards that provide an affirmative defense against civil actions, and requiring the state Attorney General to be notified about certain data breaches.

The definition of personal data has been expanded to include unique biometric data such as retina/iris scans and fingerprints, and unique electronic identifiers or routing codes in combination with any required security code. A definition has been added for reasonable safeguards that provide an affirmative defense against any civil action under the law. These mean “policies and practices that ensure personal information is secure, taking into consideration an entity’s size and the type and amount of personal information.”  Reasonable safeguards include “conducting risk assessments, implementing technical and physical layered defenses, employee training on handling personal information, and establishing an incident response plan.”

Notifications to the state attorney general are required if the data breach affects 500 or more individuals, or 1,000 or more individuals in the case of a data breach at a credit bureau. Notifications must be issued without unreasonable delay and no later than 60 days from the date of discovery of a data breach. The notifications must include the date of the breach, the date of its determination, the nature of the breach, the type of personal information exposed, the number of residents of this state affected, the estimated monetary impact of the breach (to the extent such impact can be determined), and any reasonable safeguards the entity employs.

Individuals and entities that are compliant with the notification requirements of the Oklahoma Hospital Cybersecurity Protection Act of 2023 or the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule are exempt from complying with the individual notice requirements, provided they issue the requisite notices to the state Attorney General.

The new requirements detailed in Senate Bill 626 will take effect on January 1, 2026.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist