[BreachExchange] Maryland insurers must follow new data breach rules: 4 things to know

Destry Winant destry at riskbasedsecurity.com
Thu Sep 26 10:52:31 EDT 2019


As of Oct. 1, health insurance providers in Maryland must notify the
Maryland Insurance Administration if patient information is exposed in
a cybersecurity incident, according to the HIPAA Journal.

Here are four things to know:

1. The requirements apply to health plans, health insurers, health
maintenance organizations, managed care organizations, managed general
agents and third-party insurance administrators.

2. If data elements are not encrypted, redacted or otherwise
unreadable, insurance providers must alert the MIA of a breach when a
patient’s first name or first initial and last name is affected along
with one or more of the following: Social Security number, taxpayer
identification number, passport number, driver's license number,
health insurance number or credit card number.

3. The Maryland Insurance Administration's compliance and enforcement
division must also be alerted if the organization believes patient
information has been or is likely to be misused.

4. Along with sending a notification of the breach to members, health
insurance providers must send a copy of the letter to the Maryland
Insurance Administration.
