State data breach laws can be critical for protecting sensitive data, and healthcare organizations must ensure they adhere to them along with federal regulations.
The data breach notification process is a crucial aspect of state law, and failing to meet state requirements can lead to settlements. With large-scale data breaches continuing to be a regular occurrence in numerous industries – including healthcare – more states are updating their data breach response requirements.
More states are also beginning to account for medical information and data protected under HIPAA regulations. Nearly every state has its own state data breach notification law in place, and there has even been a push in 2017 for one standardized national notification law.
Below, HealthITSecurity.com reviews the updated state data breach laws from the past year, along with proposed laws and how national standards could potentially change.
Accounting for medical data, encryption measures
Delaware updated its data breach notification law in August 2017, accounting for medical information being compromised in data breaches.
Delaware Governor John Carney signed House Substitute 1 for House Bill 180 and explained in a statement that it “makes sense” to offer additional protections for state residents who may have their data affected in a cybersecurity incident.
The bill requires that “any person who conducts business in Delaware and maintains personal information must safeguard that information.” A security breach includes unauthorized access, use, modification, or disclosure of personal information, the legislation stated.
An individual’s medical history is considered “personal information,” which includes mental or physical condition, medical treatment, or diagnosis by a healthcare professional, or a deoxyribonucleic acid (DNA) profile.
The bill also requires that a health insurance policy number, subscriber identification number, or any unique identifier used by a health insurer for identification be protected.
“Unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes” is also considered personal information that must remain secure.
The Maryland Personal Information Protection Act (HB 974) was also updated earlier this year, requiring that information protected under HIPAA be considered “personal information.” Specifically, any data regarding an individual’s medical history, medical condition, or medical treatment or diagnosis, health insurance policy, certificate number, or health insurance subscriber identification number in combination with a unique identifier that permits access to the information will need to be protected.
Biometric data, such as fingerprints, voice prints, and genetic prints, was also added.
Tennessee also updated its data breach notification law. It does not apply to data covered under HIPAA or the HITECH Act, and it requires notification only when the compromised information was unencrypted (or encrypted but acquired together with the encryption key).
“A breach of system security occurs when an unauthorized person acquires unencrypted computerized data or encrypted computerized data and the encryption key, and the acquisition materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder,” read the bill summary of Senate Bill 547.
The New Mexico Senate helped push forward the state’s first data breach notification bill by passing legislation in early 2017. Rep. Bill Rehm introduced House Bill 15, which moved on to the Senate Judiciary Committee after it was passed by a State Senate committee.
“A person that owns or maintains records containing personal identifying information of a New Mexico resident shall arrange for proper disposal of the records when they are no longer reasonably needed for business purposes,” the legislation stated. “As used in this section, ‘proper disposal’ means shredding, erasing or otherwise modifying the personal identifying information contained in the records to make the personal identifying information unreadable or undecipherable.”
Medical information and health insurance data were not included in the bill’s definition of personal information.
Proposals made in wake of large-scale breaches
Following the Equifax data breach that exposed 143 million Americans’ personal information, Vermont and New York were at least two states that sought to make changes to better protect sensitive data.
The Vermont House Committee on Commerce and Economic Development said it would hold hearings to discuss data privacy and security issues.
“Representatives from the Attorney General’s Office, the Department of Financial Regulation, and the Office of Legislative Council will join the Committee in presenting a brief summary of current law and recommended responses to security breaches,” the Committee said in a press release. “Members of the House of Representatives and the Senate have been invited to join the Committee at these hearings.”
New York Attorney General Eric T. Schneiderman introduced the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which would require companies to adopt “reasonable” administrative, technical, and physical safeguards for sensitive data.
“New York's data breach notification law needs to be updated to keep pace with current technology,” the bill’s summary read. “This bill broadens the scope of information covered under the notification law and updates the notification requirements when there has been a breach of data. It also broadens the definition of a data breach to include an unauthorized person gaining access to information.”
Bill sponsor Senator David Carlucci said New York is “woefully unprepared to protect against cyber attacks.” But the state will work to improve protections “while the federal government drags their feet.”
National notification standard, harsher punishments
The Equifax data breach also prompted Rhode Island Congressman Jim Langevin to reintroduce the Personal Data Notification and Protection Act in September 2017.
“This bill will replace the patchwork of 48 state breach notification laws with a single nationwide standard that would clarify and strengthen companies’ obligations to report intrusions that compromise consumers’ personal information,” Langevin said in a statement. “Americans put a lot of trust in companies by giving them personal and private information, and they should have confidence that their data is secure.”
The Act excludes HITECH covered entities or “business entities to the extent that they act as vendors of personal health records.”
Risk assessments were also a key aspect of the proposed legislation. Should an organization conduct a risk assessment and find there is “no reasonable risk that a security breach” has harmed or will harm the individuals whose information was involved, that entity may qualify for Safe Harbor.
Legislation introduced in November 2017 aims to create a more prompt notification process and allow for criminal penalties should an entity deliberately try to conceal a data breach.
Florida Senator Bill Nelson introduced an updated version of the Data Security and Breach Notification Act.
“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” Nelson said in a statement. “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what’s best for consumers, the choice is clear.”
Entities covered by the HITECH Act or the HIPAA Security Rule “shall be deemed in compliance with…respect to any data governed” by those requirements, according to the bill.
“Any person who, having knowledge of a breach of security and of the fact that notification of the breach of security is required under the Data Security and Breach Notification Act, intentionally and willfully conceals the fact of the breach of security, shall, in the event that the breach of security results in economic harm to any individual in the amount of $1,000 or more, be fined under this title, imprisoned for not more than 5 years, or both,” the bill read.
Healthcare organizations must ensure that they regularly train all employees on state and federal regulations. With state laws updating in the wake of large-scale attacks, it is increasingly critical to keep training programs up-to-date so staff members understand all requirements in regard to data security.