By Jack L. Caynon, III

On May 24, 2019, the Oregon legislature amended the Oregon Consumer Information Protection Act (the “OCIPA”).  The amendment becomes effective on January 1, 2020.

In some ways, OCIPA is a close relative of the federal government’s Health Insurance Portability and Accountability Act (“HIPAA”) because OCIPA, in part, covers medical information, too.  Under ORS 646A.602, a data breach is defined as “unauthorized acquisition of computerized data that materially comprises the security, confidentiality or integrity of personal information (PI) that an entity maintains.”  PI is classified as an individual’s first and last name in connection with any of the following:

  • Social Security numbers;
  • Credit or debit card numbers in connection with a security code, access code or password;
  • Driver’s license numbers;
  • Fingerprint, retina or other biometric data;
  • Health insurance policy number or identification number in combination with a unique identifier; or
  • Medical history or mental or physical condition, diagnosis or treatment information.

In addition to breach notices to affected individuals, if a data breach exposes the PI of more than 250 state residents, a breach notice must be submitted to the Oregon Attorney General via

Although OCIPA requires notice to be provided “in the most expeditious manner possible,” HIPAA covered entities and business associates are exempt from OCIPA’s 45-day notice requirement and should follow HIPAA’s 60-day notice requirement.

Violations of OCIPA, either by failing to protect PI or failing to provide notification of a data breach as required under OCIPA, may subject an organization to monetary penalties, as well as liability under the state’s unfair trade practices laws.

OCIPA has been amended several times over the past three years.  This means it has changed frequently and keeping pace can be a challenge.  Regardless of its challenges, Oregon HIPAA covered entities and business associates must incorporate OCIPA’s requirements into their Breach Response Processes and should work with experienced counsel to efficiently integrate their compliance efforts.

Jack L. Caynon is a health care lawyer at Sussman Shank LLP.  He focuses on health care law and all areas of corporate transactions.  He can be reached at 503.243.1652 or