Healthcare Information Security

HIPAA and Compliance News

Are More State Data Breach Notification Laws Recognizing PHI?

Several states have made adjustments to their data breach notification laws in the past year, but there are still some that do not account for medical information.

By Elizabeth Snell

Federal regulations, such as HIPAA and the HITECH Rule, garner the majority of attention when it comes to the data breach notification process. However, state laws also exist, and tend to vary.

State data breach notification processes do not always account for medical information

Covered entities and business associates must ensure they adhere to their state’s requirements for data breaches, along with the federal regulations.

As technology continues to evolve, and medical information becomes more highly sought after on the black market, more states are adjusting their data breach legislation. While not all states include health insurance or medical information under what is considered protected personal information, it is still necessary that healthcare organizations understand state law.

Here are some of the more recent cases of amendments and laws affecting the state data breach notification process.


READ MORE: Is Patient Privacy Violated with New Wellness Program Rules?

Earlier this year, Illinois Governor Bruce Rauner signed several amendments to a data breach notification law that would impact healthcare data security regulations starting in 2017.

The revised Personal Information Privacy Act will include health insurance and medical information under its definition of protected personal information. The regulation adds that organizations will need to report data breaches if they involve an individual’s first name or initial and last name in combination with specific healthcare data.

Biometric data, such as fingerprint, retina, and iris images, as well as user names or email addresses in conjunction with passwords or security question answers are also now considered protected personal information.

Health insurance information consists of “an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any medical information in an individual's health insurance application and claims history, including any appeals records,” according to the amendment.

Furthermore, all data collectors who report a healthcare data breach to HHS must also submit such notifications to the state’s Attorney General within five business days of notifying the federal department.

READ MORE: How Health Data Security Relates to Healthcare Biometrics


Nebraska also had an amendment signed earlier this year that would affect the state’s current data breach notification law.

In that case, changes were made relating to the Credit Report Protection Act, Consumer Protection Act, Uniform Deceptive Trade Practices Act, and Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006.

The amendment states that data will not be considered encrypted “if the confidential process or key was or is reasonably believed to have been acquired as a result of the breach of the security of the system.”

However, medical data and health insurance information were not included in the definition of personal information.

READ MORE: HHS Reviews HIPAA Regulations for Workplace Wellness Programs

“Fraudulent and consumer scamming practices are becoming more sophisticated. LB 835 will protect against minor Identity Theft by allowing parents to place a credit report freeze, and also enhance our ability to go after those who practice fraud in the area of charity solicitation,” Attorney General Peterson explained in a statement.

New York

Over the summer, legislation was introduced in New York that would include individuals’ medical information under its definition of personal information.

Titled A10475, the bill would consider unsecured PHI that is held by a HIPAA covered entity  the type of data that requires notification should it be compromised in a data breach. Biometric data, and email addresses or usernames, in combination with a password or security question answer would also be included in New York’s definition of personal information.

“New York's data breach notification law needs to be updated to keep pace with current technology,” stated a legislation memo. “This bill broadens the scope of information covered under the notification law and updates the notification requirements when there has been a breach of data.”

Rhode Island

Rhode Island also had the Rhode Island Identity Theft Protection Act go into effect in June 2016. The legislation requires businesses and organizations of all sizes to implement and maintain a risk-based information security program.

Medical information, health insurance information, and email addresses are now considered “personal information.”

“We live in a world where so much, if not all, of our personal information floats around in cyberspace, often with completely inadequate protections. This is the reality of our times,” bill sponsors Senator Louis DiPalma said in a statement. “The intent of this legislation is to set standards and to protect that vital information from those who wish to do harm or profit from the most personal details of our lives.”

The timeframe for notification was also updated, with the Act requiring organizations to give notice within 45 days after confirmation of a breach.


Tennessee also made strides in its data breach notification process earlier this year, and removed the word “unencrypted” from describing the type of compromised information that would necessitate notification.

The timeline was also updated, with the amendment calling for immediate disclosure, and no later than 14 days following the discovery of a breach.

“The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation,” the amendment states. “The notification required by this section shall be made no later than fourteen (14) days after the law enforcement agency determines that it will not compromise the investigation.”

Employees can also now be considered an “unauthorized person,” and if they unlawfully access information, they can be held accountable.

Dig Deeper:


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks