North Dakota and Nevada have joined the growing list of states to update their breach notification laws this year. Last month, new laws were passed to tighten up the legislation and expand “personal information” definitions, with the two states joining California, Florida, Montana, Washington and Wyoming, which have already updated state breach notification laws.
The Health Insurance Portability and Accountability Act (HIPAA) – specifically the Breach Notification Rule of 2009 – places a number of requirements on Covered Entities (CEs) when it comes to responding to a data breach involving Protected Health Information and Personally Identifiable Information.
HIPAA Rules are only a minimum set of standards. States can introduce laws to increase data privacy and security protections for patients and plan members and other individuals affected by a healthcare data breach. Often states include provisions in their new laws for entities covered under HIPAA and other federal laws.
New Breach Notification Law in North Dakota
The Sixty-fourth Legislative Assembly of North Dakota met on January 6, 2015 and put forward Senate Bill 2214, which amends and reenacts subsection 4 of section 51-30-01 and section 51-30-02 of the North Dakota Century Code, with respect to security breach notification. The law was passed last week.
The new law expands the definition of personal information to include an individual employee identification number if it is exposed in conjunction with a security or access code and/or password.
The law has also been changed to cover any entity, not just North Dakota businesses. If a company or individual does business with North Dakota residents, they will be required to comply with the new breach notification rule no matter where in the United States they are based.
The threshold for sending breach notification letters to affected individuals and notifying the Attorney General will also be cut to 250. HIPAA rules only require breaches of 500 or more records to be reported within 60 days. Smaller breaches only need to be reported to the OCR every year.
The amendment to the breach notification rules will come into effect on August 1, 2015.
Breach Notification Law Changes in Nevada
Nevada’s breach notification law has also been changed in the past few days, expanding the definition of “personal information” to include usernames and unique identification numbers; specifically, driver authorization card numbers, medical identification numbers, and health plan or insurance ID numbers.
Nevada’s breach notification law has also been amended to include online accounts, and the information and passwords to gain access to personal information via web and patient portals. Similar updates have recently been made in both California and Florida.
When the new breach notification law comes into effect, any data breach involving an email address, username or unique identifier together with a password, login or access code and/or answers to security questions that would allow an unauthorized individual to access online accounts will also be reportable to the Attorney General, and breach notification letters will be required.
In Nevada there are strict rules on data encryption. The new law change means that data encryption rules will also apply to the data now covered under the breach notification law update. Without encryption, the above-mentioned data cannot be transferred or moved via a data storage device outside the control of the company, or outside the control of a data storage company if one is used.
The law has now been passed and it will become effective on July 1, 2015.
State Breach Notification Laws Updated in Washington in April
Engrossed Substitute House Bill 1078 updated Washington’s Consumer Protection Act, and from July 24, 2015 any person or company doing business with residents of the state of Washington will be required to abide by the state’s breach notification rules. The new law applies to physical and electronic records.
The state attorney general’s office must also be informed of the breach, and action can be taken against individuals and companies if breach laws are ignored. This includes being liable for actual damages, costs, and fees (treble damages) up to $25,000.
In contrast to HIPAA, the breach notification period is 45 days after discovery of a breach, provided the data is unencrypted or encrypted with the security keys also disclosed.
Covered Entities with obligations under HIPAA and/or the Gramm-Leach-Bliley Act will be deemed to be in compliance with the new Washington law if they abide by the Acts’ rules and issue a breach notification to the Washington Attorney General if state residents have been affected, along with individual breach notices to affected individuals.
Montana Changes Breach Notification Requirements
In Montana, breach notification laws have been updated with the new rules taking effect from October 1, 2015. The Montana Attorney General must be notified of a data breach and must now also be provided with an electronic copy of the breach notice. Details of the number of affected individuals and the method of distribution of breach notices must also be supplied with the AG’s breach notice. Under the new rules, the state attorney general and consumers must be notified of the data breach at the same time, within the stipulated timescales.
Wyoming Breach Notification Law Changes
In February of this year, “Personal Information” definitions were expanded with the new definitions coming into effect on July 1, 2015. The definition of personal information now includes shared secrets and/or security tokens, usernames and email addresses in combination with passwords, or any username and password combination that would allow online accounts to be accessed.
Health insurance information (unique identifiers and subscriber ID numbers), unique biometric data, taxpayer ID numbers, birth or marriage certificates, and medical information (medical history, physical and mental health condition, treatments provided and diagnoses received) are all now covered under state breach notification rules following the update.
A provision is included for entities covered under HIPAA:
A covered entity or business associate that is subject to and complies with the Health Insurance Portability and Accountability Act, and the regulations promulgated under that act, 45 C.F.R. Parts 160 and 164, is deemed to be in compliance with this section if the covered entity or business associate notifies affected Wyoming customers or entities in compliance with the requirements of the Health Insurance Portability and Accountability Act and 45 C.F.R. Parts 160 and 164.