HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Illinois Data Breach Notification Law Updated

The Illinois data breach notification law has been updated, broadening the definition of personal information and changing the timescale for notifying the Attorney General of data breaches.

A breach notification will need to be issued if a person’s full name or last name and initial is exposed in combination with any of the following data elements:

  • Driver’s license number
  • Social Security number
  • Credit or debit card number
  • Biometric data
  • Usernames and email addresses (along with passwords or other data that would allow access to accounts to be gained)
  • Medical information
  • Health insurance information

Notifications will not be required if a breach occurs and data are encrypted, or if exposed data are publicly available.

The new law specifically mentions health insurance information which includes a subscriber ID number, health insurance policy number, or any other unique identifier used to identify an individual. Any medical data provided to a health insurer in an application, appeals records, or claims history, is also included in the new definition.


The exposure of information relating to a person’s mental or physical condition, medical history, or diagnosis and treatment information is also now specified. The law applies not only to companies that store these data, but also to data submitted via mobile applications and websites.

The definition of personal information has been expanded to include usernames if combined with a password or answers to security questions, as has occurred in California, Florida, and Nebraska. However, rather than requiring a written notification to be sent to affected individuals, notifications of breaches of “online information” can be issued electronically. Breach victims will need to be instructed how they can change their login names, passwords, or security questions as appropriate, and should be instructed to do so promptly.

Organizations that are required to comply with the Health Insurance Portability and Accountability Act (HIPAA) – including business associates of HIPAA-covered entities – will be deemed to be in compliance with the new state law, although only if a breach notification is required to be issued to the HHS’ Office for Civil Rights (OCR).

HIPAA-covered entities will be required to issue a breach notification to the state attorney general within 5 days of the notice being provided to the OCR.
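The criteria above (name plus a listed data element, the encryption and public-data exceptions, electronic notice for online credentials, and the 5-day attorney general deadline for HIPAA-covered entities) amount to a triage decision that an incident response team can encode. The following is an added example, not code from HIPAA Journal or from any Illinois statute text; the field names, the `ExposedRecordSet` structure and the reading of "5 days" as calendar days are assumptions made for illustration.

```python
"""Breach-notification triage for the Illinois criteria summarised in the article.

Added illustrative example. Field names, the ExposedRecordSet shape and the
calendar-day reading of "5 days" are assumptions, not statutory text.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Data elements that, combined with a name, trigger notification (the article's list).
TRIGGERING_ELEMENTS = {
    "drivers_license_number",
    "social_security_number",
    "payment_card_number",
    "biometric_data",
    "medical_information",
    "health_insurance_information",
}

# "Online information": a username or email address together with a secret
# that would allow access to the account.
ONLINE_IDENTIFIERS = {"username", "email_address"}
ONLINE_SECRETS = {"password", "security_question_answers"}


@dataclass
class ExposedRecordSet:
    fields: frozenset                 # data elements present in the exposed data
    has_name: bool                    # full name, or last name plus first initial
    encrypted: bool = False           # exposed data were encrypted
    publicly_available: bool = False  # exposed data were already public


@dataclass
class Determination:
    notify: bool
    method: Optional[str] = None      # "written" or "electronic"
    instruct_credential_change: bool = False
    reasons: list = field(default_factory=list)


def has_online_information(fields) -> bool:
    """Username/email exposed together with something that grants account access."""
    return bool(fields & ONLINE_IDENTIFIERS) and bool(fields & ONLINE_SECRETS)


def assess(rs: ExposedRecordSet) -> Determination:
    """Decide whether the exposure meets the notification criteria and how to notify."""
    if rs.encrypted:
        return Determination(False, reasons=["exposed data were encrypted"])
    if rs.publicly_available:
        return Determination(False, reasons=["exposed data are publicly available"])
    if not rs.has_name:
        return Determination(False, reasons=["no name exposed alongside the data elements"])

    triggering = set(rs.fields & TRIGGERING_ELEMENTS)
    online = has_online_information(rs.fields)
    if not triggering and not online:
        return Determination(False, reasons=["no triggering data element"])

    reasons = sorted(triggering)
    if online:
        reasons.append("online account credentials")
    # Electronic notice is acceptable only when the breach is limited to online
    # information; any other listed element still calls for written notice.
    method = "electronic" if (online and not triggering) else "written"
    return Determination(True, method, instruct_credential_change=online, reasons=reasons)


def attorney_general_deadline(ocr_notice_iso: str) -> str:
    """HIPAA-covered entities: state attorney general notice is due within 5 days
    of the OCR notice. Takes and returns ISO dates; calendar days are an assumption."""
    due = date.fromisoformat(ocr_notice_iso) + timedelta(days=5)
    return due.isoformat()


if __name__ == "__main__":
    # Constructed sample: an exported spreadsheet holding names, SSNs and policy numbers.
    sample = ExposedRecordSet(
        fields=frozenset({"social_security_number", "health_insurance_information"}),
        has_name=True,
    )
    print(assess(sample))
    print("AG notice due by", attorney_general_deadline("2017-01-10"))
```

The exceptions are checked first so that an encrypted or already-public data set short-circuits before any element matching, which mirrors how the article orders the rule; the credential-change instruction is attached whenever online information is in scope, even when written notice is also required for other elements.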

Illinois Governor Bruce Rauner signed the new law earlier this month, and the updates will come into effect on January 1, 2017.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.