
New Data Breach Notification Requirements in Maryland for Health Insurers

From October 1, 2019, providers of health insurance and associated services are required to notify the Maryland Insurance Administration (MIA) in the event of a breach of insureds’ personal information.

The law change applies to health plans, health insurers, HMOs, managed care organizations, managed general agents and third-party health insurance administrators.

The Compliance & Enforcement Unit at the MIA must be notified if the breach investigation determines there is a risk that insureds’ personal information has been or is likely to be misused.

Personal information is defined as an individual’s first name or first initial and last name in combination with one or more of the following data elements, if those data elements are not encrypted, redacted, or otherwise unreadable:

Social Security number, Individual Taxpayer Identification Number, passport number, other federal ID number, driver’s license number, State identification card number, health information, biometric data, or health insurance policy/certificate number, health insurance subscriber identification number, or an account number, credit/debit card number, username or e-mail address along with a password/access code or security question and answer that allows the account to be accessed.

Article §4-406 of the Annotated Code of Maryland states that the carrier must provide the notification at the same time that a notification is sent to the Maryland Office of the Attorney General, as required under Subtitle 35 of the Maryland Personal Information Protection Act (§ 14–3504(h)).

Notifications must be sent by mail or email using the breach notification form on the MIA website. Notifications must include the company name, name and contact details of the person supplying the notification, and a brief description of the circumstances of the data breach.

The MIA must also be supplied with a copy of the breach notification letter sent to affected individuals and a copy of the breach notification letter sent to the Maryland Attorney General.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
