
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Extended Data Breach Notification Deadline for California Healthcare Providers

A recent change to California legislation will extend the time limit for issuing data breach notifications, with certain healthcare providers being allowed up to 15 days to issue notifications to affected persons under Assembly Bill 1755. The current deadline is 5 days.
Under AB1755, healthcare providers covered by California Health and Safety Code Section 1280.15 must issue a notice of a breach of medical data to the California Department of Public Health and any individual affected – or their representative. This change affects clinics, health care facilities, hospices and home health agencies.
In addition to the 10-day extension to the notification deadline, AB1755 introduces some additional flexibility regarding the method of contacting any patient affected by a data breach. The law currently requires that the patient (or his/her representative) is notified by mail to their last known address.
The change accommodates HIPAA regulations on confidential communications (45 CFR 164.522(b)) under which a covered healthcare provider may “accommodate reasonable requests by individuals to receive communications”. This includes the use of alternate means and/or locations to communicate issues of protected health information. Notification by email is only permissible if the patient has given prior consent in writing.
The recent changes to the legislation also make provision for law enforcement delays, with the notifications to be made within 15 days of the conclusion of any law enforcement delay. Currently, the time limit is 5 days.
However, complications may arise where HIPAA standards apply. A 15-day delay in issuing notifications may be considered unacceptable under HIPAA, as healthcare providers are required to issue data breach notifications without unreasonable delay.
It is important that health care providers are ready to act quickly following a data security incident, and there should be a response plan in place, which should be frequently revised to accommodate changes in legislation. Because HIPAA standards may apply, the California Health and Safety Code Section 1280.15 time limit should not be used as the sole guide to when a notification must be issued.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
