HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

New Data Breach Notification Requirements in Maryland for Health Insurers

From October 1, 2019, providers of health insurance and associated services are required to notify the Maryland Insurance Administration (MIA) in the event of a breach of insureds’ personal information.

The law change applies to health plans, health insurers, HMOs, managed care organizations, managed general agents and third-party health insurance administrators.

The Compliance & Enforcement Unit at the MIA must be notified if the breach investigation determines there is a risk that insureds’ personal information has been or is likely to be misused.

Personal information is defined as an individual’s first name or first initial and last name in combination with one or more of the following data elements, if those data elements are not encrypted, redacted, or otherwise unreadable:

Social Security number, Individual Taxpayer Identification Number, passport number, other federal ID number, driver’s license number, State identification card number, health information, biometric data, or health insurance policy/certificate number, health insurance subscriber identification number, or an account number, credit/debit card number, username or e-mail address along with a password/access code or security question and answer that allows the account to be accessed.

Article §4-406 of the Annotated Code of Maryland states that the carrier must provide the notification at the same time that a notification is sent to the Maryland Office of the Attorney General, as required under Subtitle 35 of the Maryland Personal Information Protection Act (§ 14–3504(h)).

Notifications must be sent by mail or email using the breach notification form on the MIA website. Notifications must include the company name, name and contact details of the person supplying the notification, and a brief description of the circumstances of the data breach.

The MIA must also be supplied with a copy of the breach notification letter sent to affected individuals and a copy of the breach notification letter sent to the Maryland Attorney General.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.