[BreachExchange] Are More State Data Breach Notification Laws Recognizing PHI?

[Audrey McNeil]

http://healthitsecurity.com/news/are-more-state-data-
breach-notification-laws-recognizing-phi

Federal regulations, such as HIPAA and the HITECH Rule, garner the majority
of attention when it comes to the data breach notification process.
However, state laws also exist, and tend to vary.

Covered entities and business associates must ensure they adhere to their
state’s requirements for data breaches, along with the federal regulations.

As technology continues to evolve, and medical information becomes more
highly sought after on the black market, more states are adjusting their
data breach legislation. While not all states include health insurance or
medical information under what is considered protected personal
information, it is still necessary that healthcare organizations understand
state law.

Here are some of the more recent cases of amendments and laws affecting the
state data breach notification process.

Illinois

Earlier this year, Illinois Governor Bruce Rauner signed several amendments
to a data breach notification lawthat would impact healthcare data security
regulations starting in 2017.

The revised Personal Information Privacy Act will include health insurance
and medical information under its definition of protected personal
information. The regulation adds that organizations will need to report
data breaches if they involve an individual’s first name or initial and
last name in combination with specific healthcare data.

Biometric data, such as fingerprint, retina, and iris images, as well as
user names or email addresses in conjunction with passwords or security
question answers are also now considered protected personal information.

Health insurance information consists of “an individual’s health insurance
policy number or subscriber identification number, any unique identifier
used by a health insurer to identify the individual, or any medical
information in an individual's health insurance application and claims
history, including any appeals records,” according to the amendment.

Furthermore, all data collectors who report a healthcare data breach to HHS
must also submit such notifications to the state’s Attorney General within
five business days of notifying the federal department.

Nebraska

Nebraska also had an amendment signed earlier this year that would affect
the state’s current data breach notification law.

In that case, changes were made relating to the Credit Report Protection
Act, Consumer Protection Act, Uniform Deceptive Trade Practices Act, and
Financial Data Protection and Consumer Notification of Data Security Breach
Act of 2006.

The amendment states that data will not be considered encrypted “if the
confidential process or key was or is reasonably believed to have been
acquired as a result of the breach of the security of the system.”

However, medical data and health insurance information were not included in
the definition of personal information.

“Fraudulent and consumer scamming practices are becoming more
sophisticated. LB 835 will protect against minor Identity Theft by allowing
parents to place a credit report freeze, and also enhance our ability to go
after those who practice fraud in the area of charity solicitation,”
Attorney General Peterson explained in a statement.

New York

Over the summer, legislation was introduced in New York that would include
individuals’ medical information under its definition of personal
information.

Titled A10475, the bill would consider unsecured PHI that is held by a
HIPAA covered entity  the type of data that requires notification should it
be compromised in a data breach. Biometric data, and email addresses or
usernames, in combination with a password or security question answer would
also be included in New York’s definition of personal information.

“New York's data breach notification law needs to be updated to keep pace
with current technology,” stated a legislation memo. “This bill broadens
the scope of information covered under the notification law and updates the
notification requirements when there has been a breach of data.”

Rhode Island

Rhode Island also had the Rhode Island Identity Theft Protection Act go
into effect in June 2016. The legislation requires businesses and
organizations of all sizes to implement and maintain a risk-based
information security program.

Medical information, health insurance information, and email addresses are
now considered “personal information.”

“We live in a world where so much, if not all, of our personal information
floats around in cyberspace, often with completely inadequate protections.
This is the reality of our times,” bill sponsors Senator Louis DiPalma said
in a statement. “The intent of this legislation is to set standards and to
protect that vital information from those who wish to do harm or profit
from the most personal details of our lives.”

The timeframe for notification was also updated, with the Act requiring
organizations to give notice within 45 days after confirmation of a breach.

Tennessee

Tennessee also made strides in its data breach notification process earlier
this year, and removed the word “unencrypted” from describing the type of
compromised information that would necessitate notification.

The timeline was also updated, with the amendment calling for immediate
disclosure, and no later than 14 days following the discovery of a breach.

“The notification required by this section may be delayed if a law
enforcement agency determines that the notification will impede a criminal
investigation,” the amendment states. “The notification required by this
section shall be made no later than fourteen (14) days after the law
enforcement agency determines that it will not compromise the
investigation.”

Employees can also now be considered an “unauthorized person,” and if they
unlawfully access information, they can be held accountable.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160927/7b56eff8/attachment.html>