Attivo Networks Blogs

HIPAA Covered Entities Get Pass on OR Data Breach Notification Law

April 10, 2018 – HIPAA covered entities in Oregon are exempt from a new requirement that organizations in the state report data breaches within 45 days of discovery.

Oregon Governor Kate Brown signed into law at the end of March amendments (Senate Bill 1551) to the data breach law that would impose the 45-day reporting requirement unless doing so would impede a law enforcement investigation.

The amendment would also prohibit credit reporting agencies from charging a fee to residents who want to freeze or unfreeze their credit reports.

According to analysis of the legislation by David Stauss, an attorney with the law firm of Ballard Spahr, the amendments exempt HIPAA covered entities, which are subject to a 60-day data breach notification requirement under the federal law.

Strauss noted that health insurance policy numbers, subscriber numbers, any medical history, or other information on a person’s physical or mental health are included under the definition of personal information subject to the data breach notification law.

“In the absence of a carve-out, there could have been circumstances under which a HIPAA covered entity may have been required to provide notice sooner than the 60-day requirement in the HIPAA Breach Notification Rule,” Stauss wrote.

“However, it should be emphasized that it will not always be the case that Oregon’s 45-day deadline will run before HIPAA’s 60-day deadline because the HIPAA deadline starts on ‘the first day on which such breach is known to the covered entity, or, by exercising reasonable diligence would have been known to the covered entity’,” he observed.

In addition, the new law expands the scope of those who must notify in case of a data breach to anyone who “has control over or access to” data containing personal information. It also requires those subject to the law to conduct risk assessments, provide regular training of employees, review user access privileges on a regular basis, apply security updates, and institute a reasonable security patch management program, wrote Stauss.


Share on:

Free Active Directory Assessment

Get Visibility Into Privilege And Service Account Exposure

For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.

Try Our Endpoint Detection Net (EDN) for Free


Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.

Newsletter Signup

    Yes, please opt me in to receive your quarterly newsletter, event invitations, and product updates.

    I understand that I can opt out at any time, and can refer to Attivo Networks Privacy Policy for more information.
  • This field is for validation purposes and should be left unchanged.

ADSecure 90-Day Free Trial


  • Hide and deny access to AD objects
  • Get alerted on unauthorized queries
  • Attack details easily viewable in dashboard
  • Your data remains on-premise


Ready to find out what’s lurking in your network?

Scroll to Top