The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Illinois Data Breach Notification Law Updated

Posted By on May 20, 2016

Illinois data breach notification law has been updated, broadening the definition of personal information and changing the timescale for notifying the Attorney General of data breaches.

A breach notification will need to be issued if a person’s full name or last name and initial is exposed in combination with any of the following data elements:

  • Driver’s license number
  • Social Security number
  • Credit or debit card number
  • Biometric data
  • Usernames and email addresses (along with passwords or other data that would allow access to accounts to be gained)
  • Medical information
  • Health insurance information

Notifications will not be required if a breach occurs and data are encrypted, or if exposed data are publicly available.

The new law specifically mentions health insurance information which includes a subscriber ID number, health insurance policy number, or any other unique identifier used to identify an individual. Any medical data provided to a health insurer in an application, appeals records, or claims history, is also included in the new definition.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The exposure of information relating to a person’s mental or physical condition, medical history, or diagnosis and treatment information is also now specified. The law applies to companies that store these data, but also data submitted via mobile applications and websites.

The definition of personal information has been expanded to include usernames if combined with a password or answers to security questions, as has occurred in California, Florida, and Nebraska. However, rather than requiring a written notification to be sent to affected individuals, notifications of breaches of “online information” can be issued electronically. Breach victims will need to be instructed how they can change their login names, passwords, or security questions as appropriate, and should be instructed to do so promptly.

Organizations that are required to comply with the Health Insurance Portability and Accountability Act (HIPAA) – including business associates of HIPAA-covered entities – will be deemed to be in compliance with the new state laws, although only if a breach notification is required to be issued to the HHS’ Office for Civil Rights (OCR).

HIPAA-covered entities will be required to issue a breach notification to the state attorney general within 5 days of the notice being provided to the OCR.

State governor Bruce Rauner signed the new law earlier this month and the updates will come into effect on January 1, 2017.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist