The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Delaware Data Breach Notification Law to be Strengthened

Delaware's data breach notification law is likely to be expanded to include medical information in the definition of personal information.

The data breach notification law in Delaware has remained unchanged for 12 years, so an update is certainly due. The bill was sponsored by Rep. Paul Baumbach (D), with an updated version (House Substitute No. 1 for HB 180) passed by the House on June 28 with a vote of 37-3. The bill will now go before the Senate, where it is expected to be passed. Gov. John Carney (D) is in favor of the amendment and is expected to sign the bill.

The updated breach notification law will see the definition of personal information expanded to include biometric data, usernames together with passwords, routing numbers to accounts, taxpayer identification numbers, health insurance identifiers, passport numbers and medical information.

If passed, the new legislation will apply to all legal and commercial entities that do business in the state of Delaware that collect or use personal information; however, the updated Delaware data breach notification law will still not apply to HIPAA-covered entities or any other industry that is already covered by more stringent federal data protection and notification laws.

Companies will be required to conduct a risk analysis to determine whether a security breach is likely to result in breach victims coming to harm. Only if that risk analysis determines there is a low risk of harm will breach notifications not be required. In line with HIPAA, the updated Delaware data breach notification law will require breach notifications to be issued to all affected individuals within 60 days of the discovery of a data breach.

The bill will also require a substitute breach notice to be placed on the company website, if the company maintains one, and a notification must be sent to the state attorney general if a breach impacts more than 500 individuals.

The bill also calls for companies to offer a minimum of one year of complimentary identity theft protection services to breach victims whose Social Security number has been compromised in a breach. Only two other states – California and Connecticut – have similar measures in place.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
