HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Delaware Data Breach Notification Law to be Strengthened

The Delaware data breach notification law is likely to be expanded to include medical information in the definition of personal information.

The data breach notification law in Delaware has remained unchanged for 12 years, so an update is certainly due. The bill was sponsored by Rep. Paul Baumbach (D), with an updated version (House Substitute No. 1 for HB 180) passed by the House on June 28 with a vote of 37-3. The bill will now go before the Senate, where it is expected to be passed. Gov. John Carney (D) is in favor of the amendment and is expected to sign the bill.

The updated breach notification law will see the definition of personal information expanded to include biometric data, usernames together with passwords, routing numbers to accounts, taxpayer identification numbers, health insurance identifiers, passport numbers and medical information.

If passed, the new legislation will apply to all legal and commercial entities that do business in the state of Delaware that collect or use personal information; however, the updated Delaware data breach notification law will still not apply to HIPAA-covered entities or any other industry that is already covered by more stringent federal data protection and notification laws.


Companies will be required to conduct a risk analysis to determine whether a security breach is likely to result in breach victims coming to harm. Only if that risk analysis determines there is a low risk of harm will breach notifications not be required. In line with HIPAA, the updated Delaware data breach notification law will require breach notifications to be issued to all affected individuals within 60 days of the discovery of a data breach.

The bill will also require a substitute breach notice to be placed on the company website if the company maintains one, and a notification must be sent to the state attorney general if a breach impacts more than 500 individuals.

The bill also calls for companies to offer a minimum of one year of complimentary identity theft protection services to breach victims whose Social Security number has been compromised in a breach. Only two other states – California and Connecticut – have similar measures in place.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.