State Compliance

Pennsylvania Healthcare Compliance: Breach Notification + Practice Operations

11 min read · Last reviewed May 23, 2026

Pennsylvania's Breach of Personal Information Notification Act (73 P.S. § 2301 et seq.) was substantially amended on June 28, 2024 by Act 33 of 2024 (P.L. 427, No. 33), which added the private-entity AG notice obligation at § 3(c.1) and the credit-monitoring offer at § 5.4. The biggest operational divergences from HIPAA: a private-sector entity must notify the Pennsylvania Attorney General concurrently with the affected-individual notice when more than 500 Pennsylvania residents are involved (with a separate 7-business-day window for Commonwealth agencies and contractors), credit monitoring must be offered when both the >500-resident CRA-notice trigger and the listed-data trigger are met, and consumer reporting agencies must be notified at a much lower threshold than under HIPAA.

What the Pennsylvania Breach Notification Act actually requires

The Act applies to any entity that maintains, stores, or manages computerized data that includes personal information of a Pennsylvania resident. "Personal information" at 73 P.S. § 2302 includes the resident's name in combination with SSN, driver's license number, financial account number, or health insurance information. Medical information is included only where it is in the possession of a state agency or a state agency contractor — for purely private healthcare-practice breaches the operative trigger is typically the SSN, financial account, driver's license, state ID, or health insurance information element rather than the underlying clinical record. Act 33 of 2024 expanded the definition and added the medical-information-in-state-agency-possession category.

The notice obligations under § 2303 and § 5 layer in four directions: notice to affected individuals without unreasonable delay; notice to consumer reporting agencies under § 5 when notice is provided to more than 500 Pennsylvania residents at one time; notice to the Pennsylvania Attorney General concurrently with the individual notice under § 3(c.1) (added by Act 33 of 2024) when more than 500 Pennsylvania residents are involved (with a separate 7-business-day AG window for Commonwealth agencies and contractors under § 3(a.1)-(a.2)); and an offer of at least 12 months of credit reporting or monitoring under § 5.4 (added by Act 33 of 2024) when an entity is required to provide CRA notification under Section 5 (i.e., notice to >500 persons at one time) AND the breached data includes a Social Security number, bank account number, driver's license number, or state ID number.

The HIPAA safe harbor is Section 5.3 of the Act, commonly cited as 73 P.S. § 2305.3. It provides that a covered entity that complies with the HIPAA Breach Notification Rule at 45 CFR 164.400-414 generally satisfies the individual-notice requirements of the Act. (Section 8 of the Act is the civil-relief / AG-enforcement provision, not the safe harbor.) After Act 33 of 2024, the AG notification and credit-monitoring tracks are separate and do not have an equivalent HIPAA carve-out.

Where Pennsylvania is stricter than HIPAA

PA's Act 33 of 2024 amendments require AG notice concurrent with the individual notice for any private-sector breach affecting more than 500 Pennsylvania residents under § 3(c.1) — there is no 60-day grace period running independently for the AG track. Commonwealth agencies and their contractors operate under a separate 7-business-day AG window under § 3(a.1)-(a.2). HIPAA's parallel requirement — notification to HHS at 45 CFR 164.408 — runs no later than 60 days from discovery for breaches affecting 500 or more individuals.

| Topic | HIPAA | Pennsylvania | Stricter | |---|---|---|---| | Individual notice timeline | Without unreasonable delay, no later than 60 days from discovery | Without unreasonable delay (no fixed outer date); HIPAA safe harbor satisfies | HIPAA on the floor | | Regulator notice (large breach), private entity | HHS within 60 days for 500+ individuals | PA AG concurrent with individual notice for 500+ PA residents (§ 3(c.1), added by Act 33 of 2024) | Pennsylvania (concurrent vs. 60-day) | | Regulator notice (large breach), Commonwealth entity | HHS within 60 days for 500+ individuals | PA AG within 7 business days for 500+ PA residents (§ 3(a.1)-(a.2)) | Pennsylvania | | Substitute notice threshold | $250,000 in costs or 500,000 individuals (45 CFR 164.404) | $100,000 in costs or 175,000 individuals (73 P.S. § 2303) | Pennsylvania | | Credit reporting agency notice | Not required under HIPAA | Required when notice is provided to more than 500 PA residents at one time (§ 5) | Pennsylvania | | Credit monitoring offer | Not required under HIPAA | 12-month offer required when § 5 CRA notification applies (>500 PA residents) AND SSN, bank account, driver's license, or state ID is involved (§ 5.4, added by Act 33 of 2024) | Pennsylvania | | Definition of breach | Acquisition, access, use, disclosure not permitted | Unauthorized access and acquisition of unencrypted computerized data | HIPAA broader on use/disclosure; PA narrower (computerized only) | | Medical record retention | 6 years (45 CFR 164.530(j) program docs) | 7 years from last service, or age 19 (minor + 1 year past majority) under 49 Pa. Code § 16.95(e) for physicians; hospital records 7 years or age 25 under 28 Pa. Code § 115.23 | Pennsylvania | | Private right of action | None | None under the breach act; UTPCPL allows private suits | Tie on the breach act itself |

The Pennsylvania Department of State separately licenses medical practices under the Medical Practice Act of 1985 at 63 P.S. § 422.1. Patient record retention under 49 Pa. Code § 16.95(e) is enforceable through the State Board of Medicine — at least seven years from the last date of service, and for minors at least one year past the age of majority (typically age 19) if longer than the seven-year baseline. Hospital records under 28 Pa. Code § 115.23 run at least seven years from the date of discharge, with minor records held until majority plus seven years (typically age 25). Both timelines exceed HIPAA's six-year program documentation retention.

Where HIPAA is stricter than Pennsylvania

HIPAA covers a much broader data set. PA's Act is computerized data only; HIPAA covers all PHI in any form (paper, oral, electronic). HIPAA's Security Rule at 45 CFR Part 164, Subpart C imposes administrative, physical, and technical safeguards with no Pennsylvania equivalent — no state risk analysis requirement, no encryption standard, no audit-log standard for medical practices outside specific licensed-facility regulations.

HIPAA's individual notice content requirements at 45 CFR 164.404(c) are also more prescriptive than Pennsylvania's § 2303. HIPAA requires a description of the breach, the types of information involved, steps individuals should take, what the covered entity is doing, and contact information. PA's content requirements are looser.

Breach notification timeline

For a Pennsylvania practice that experiences a breach involving PHI of a PA resident, the operational timeline runs in three parallel tracks:

  1. HIPAA discovery clock (day 0): The breach is discovered or should reasonably have been discovered per 45 CFR 164.404(a)(2). The 60-day federal individual-notice clock starts.
  2. PA AG track (concurrent with individual notice): If more than 500 PA residents are involved, the private-practice entity must notify the AG concurrently with the affected-individual notice under § 3(c.1). Act 33 of 2024 made the form and content of this notice prescriptive — use the AG's online portal. Commonwealth agencies and their contractors operate on a separate 7-business-day window under § 3(a.1)-(a.2).
  3. Consumer reporting agency notice (§ 5): If notice is provided to more than 500 Pennsylvania residents at one time, notify the three nationwide consumer reporting agencies of the timing, distribution, and content of the individual notices.
  4. Credit-monitoring offer (§ 5.4): If the § 5 CRA-notice trigger is met (>500 PA residents at one time) AND the breached data includes a Social Security number, bank account number, driver's license number, or state ID number, offer at least 12 months of credit reporting or monitoring at no cost.

Substitute notice — mass-media notice in lieu of individual notice — triggers under Pennsylvania law at a lower threshold than under HIPAA. Practices should not assume the federal substitute-notice threshold of $250,000 in costs or 500,000 individuals automatically applies; PA's threshold is $100,000 or 175,000 individuals.

Penalties + private right of action

The Pennsylvania Attorney General enforces the Act under Section 8 (civil relief / AG enforcement) as a deceptive or unfair act under the Pennsylvania Unfair Trade Practices and Consumer Protection Law. Civil penalties run up to $1,000 per violation, with each affected resident potentially constituting a separate violation. The AG can also seek restitution, injunctive relief, and costs. (Section 5.3, commonly cited as 73 P.S. § 2305.3, is the HIPAA safe harbor — a distinct provision from the civil-relief section.)

The Act itself does not create a private right of action — only the AG can sue under the breach statute. But the broader UTPCPL at 73 P.S. § 201-9.2 does allow private suits, including treble damages and attorneys' fees, for unfair or deceptive trade practices. Plaintiffs' counsel routinely uses UTPCPL as the vehicle for breach-related class actions in Pennsylvania, even though the breach act itself shields against direct suits.

HIPAA, by contrast, has no private right of action. HHS Office for Civil Rights enforces with civil monetary penalties capped at the tiered schedule under 45 CFR 160.404. State AGs may also enforce HIPAA under HITECH § 13410(e), and the Pennsylvania AG has done so in past cases.

Compliance checklist for in-state practices

For Pennsylvania practices, the minimum operational set:

  • Maintain a written breach response procedure that explicitly runs HIPAA's 60-day individual-notice clock and Pennsylvania's concurrent-with-individual-notice AG track in parallel, with a documented determination date that anchors both. If the practice is a Commonwealth contractor, layer the separate 7-business-day AG window under § 3(a.1)-(a.2) on top.
  • Update the breach response procedure to include the threshold counts: more than 500 PA residents triggers AG notice under § 3(c.1); notice provided to more than 500 PA residents at one time triggers consumer reporting agency notice under § 5; and the § 5.4 credit-monitoring offer requires both the § 5 CRA-notice trigger (>500 PA residents at one time) AND SSN, bank account, driver's license, or state ID number in the breached data.
  • Confirm the practice's substitute-notice threshold uses Pennsylvania's lower $100,000-cost / 175,000-individual benchmark for any incident involving PA residents.
  • Retain patient records under 49 Pa. Code § 16.95(e) for at least seven years from the last date of service, and for minors at least one year past the age of majority (typically age 19) if longer than seven years from last service. Hospital records under 28 Pa. Code § 115.23 run at least seven years from discharge, with minor records to majority plus seven years (typically age 25). Both timelines exceed HIPAA's six-year program documentation retention.
  • Document workforce training on the Pennsylvania-specific timelines separately from federal HIPAA training. The concurrent-with-individual AG notice requirement leaves no margin for a slow-walked determination.
  • For any breach involving more than 500 PA residents, draft the AG notice in parallel with the HHS and individual notices and submit through the PA Office of Attorney General intake at the same time the affected-individual notices go out. The AG has published a template — use it.
  • Review any vendor BAA for explicit cooperation language on the Pennsylvania concurrent-AG-notice requirement. A vendor that learns of a breach and tells you on day 5 already burned 5 days the AG track cannot recover.

The Pennsylvania-specific delta over a vanilla HIPAA program is small in volume but high in cycle time. The compliance binder captures the HIPAA backbone; PA practices layer the concurrent AG track and § 5.4 credit-monitoring trigger on top of the standard 60-day HIPAA workflow.

Cross-references: see Illinois BIPA and GIPA healthcare compliance for a state that adds substantive privacy rights HIPAA does not address, and Ohio Data Protection Act for a state that runs the opposite play — affirmative defense in lieu of penalty.

Step 1 · Get the binder

Get the d3rx compliance binder for your practice

Pre-filled to address the gaps this guide coversPennsylvania Healthcare Compliance: Breach Notification + Practice Operations. We will email you the section preview and your binder intake link.

No PHI required. We use your email to send the binder preview and intake link only.

Frequently asked

When does the Pennsylvania AG notice obligation actually trigger for a private practice?

Under 73 P.S. § 2303(c.1), added by Act 33 of 2024 (P.L. 427, No. 33, effective June 28, 2024), a non-public entity (private healthcare practice, business, or non-Commonwealth covered entity) that experiences a breach affecting more than 500 Pennsylvania residents must provide notice to the Pennsylvania Attorney General concurrently with the notice to affected individuals. The separate 7-business-day AG window applies to Commonwealth agencies, political subdivisions, and their contractors under § 2303(a.1)-(a.2). Document the determination date in writing — that anchor matters in any later enforcement review.

Does a HIPAA-compliant breach notice satisfy Pennsylvania's law?

Mostly, but not entirely. Section 5.3 of the Pennsylvania Breach of Personal Information Notification Act (commonly cited as 73 P.S. § 2305.3) has a HIPAA safe harbor: an entity that complies with the HIPAA notification rule satisfies most of the Pennsylvania notice requirements to affected individuals. But the 2024 amendments (Act 33 of 2024) added separate Attorney General notification at § 3(c.1) and credit-monitoring obligations at § 5.4 that are independent of HIPAA. A PA practice should run a parallel compliance check rather than assume the HIPAA notice covers everything.

Do we have to offer credit monitoring after a breach in Pennsylvania?

Sometimes. Section 5.4 of the Act (added by Act 33 of 2024) requires an entity that provides consumer-reporting-agency notification under Section 5 — i.e., a breach where notice is given to more than 500 Pennsylvania residents at one time — to offer at least 12 months of credit reporting or monitoring when the breached data also includes a Pennsylvania resident's Social Security number, bank account number, driver's license number, or state ID number. Both the >500-resident threshold and the listed-data trigger must be met. A private healthcare practice meeting both falls within it. Plaintiffs' counsel routinely demands credit monitoring even where the statute does not require it, so the operational baseline is to confirm both triggers and document the analysis.

How long must a Pennsylvania practice retain medical records?

Pennsylvania Code 28 Pa. Code § 115.23 requires hospital medical record retention for at least seven years from the date of discharge or, for a minor, until the patient's age of majority plus seven years (typically age 25), whichever is longer. Outpatient and private physician practice retention is governed by 49 Pa. Code § 16.95(e), which generally requires retention for at least seven years from the last date of service, and for minors at least one year past the age of majority (typically age 19) if that is longer than the seven-year baseline. Both timelines run past HIPAA's six-year program documentation retention at 45 CFR 164.530(j).

Is there a private right of action under Pennsylvania's breach law?

No. Section 8 of the Act provides that violations are enforced as deceptive or unfair acts under the Unfair Trade Practices and Consumer Protection Law and that the Attorney General has exclusive authority to bring an action under the breach act. Affected individuals have no direct cause of action under the statute. That said, plaintiffs routinely sue under common-law theories (negligence, breach of fiduciary duty) and the Pennsylvania Unfair Trade Practices and Consumer Protection Law (UTPCPL) at 73 P.S. § 201-1, which does allow private suits and treble damages.

Turn this into a review-ready binder

The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.

Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. 73 P.S. § 2301 et seq.https://www.legis.state.pa.us/cfdocs/legis/LI/consCheck.cfm?txtType=HTM&ttl=73&div=0&chpt=23
  2. 45 CFR 164.400-414https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D
  3. 45 CFR 164.408https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408
  4. 63 P.S. § 422.1https://www.legis.state.pa.us/cfdocs/legis/LI/uconsCheck.cfm?txtType=HTM&yr=1985&sessInd=0&smthLwInd=0&act=112
  5. 45 CFR Part 164, Subpart Chttps://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C
  6. 45 CFR 164.404(c)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404
  7. 73 P.S. § 201-9.2https://www.legis.state.pa.us/cfdocs/legis/LI/uconsCheck.cfm?txtType=HTM&yr=1968&sessInd=0&smthLwInd=0&act=387
  8. 45 CFR 160.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.404

Sources verified as of May 23, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides