New Data Breach Notification Requirements in Maryland for Health Insurers


From October 1, 2019, providers of health insurance and associated services are required to notify the Maryland Insurance Administration (MIA) in the event of a breach of insureds’ personal information.

The law change applies to health plans, health insurers, HMOs, managed care organizations, managed general agents and third-party health insurance administrators.

The Compliance & Enforcement Unit at the MIA must be notified if the breach investigation determines there is a risk that insureds’ personal information has been or is likely to be misused.

Personal information is defined as an individual’s first name or first initial and last name in combination with one or more of the following data elements, if those data elements are not encrypted, redacted, or otherwise unreadable:

Social Security number, Individual Taxpayer Identification Number, passport number, other federal ID number, driver’s license number, State identification card number, health information, biometric data, or health insurance policy/certificate number, health insurance subscriber identification number, or an account number, credit/debit card number, username or e-mail address along with a password/access code or security question and answer that allows the account to be accessed.

Article §4-406 of the Annotated Code of Maryland states that the carrier must provide the notification at the same time that a notification is sent to the Maryland Office of the Attorney General, as required under Subtitle 35 of the Maryland Personal Information Protection Act (§ 14–3504(h)).

Notifications must be sent by mail or email using the breach notification form on the MIA website. Notifications must include the company name, name and contact details of the person supplying the notification, and a brief description of the circumstances of the data breach.

The MIA must also be supplied with a copy of the breach notification letter sent to affected individuals and a copy of the breach notification letter sent to the Maryland Attorney General.

Author: HIPAA Journal
