Last month, Illinois Governor Bruce Rauner signed several amendments to a data breach notification law that would impact healthcare data security regulations starting in 2017.
Under the revised Personal Information Privacy Act, protected personal information will include health insurance and medical information. The new regulation states that organizations will soon be required to report data breaches if they involve an individual’s first name or initial and last name in combination with specific healthcare data.
The amendments stipulate that health insurance information is “an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any medical information in an individual's health insurance application and claims history, including any appeals records.”
Meanwhile, medical information includes “an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional, including such information provided to a website or mobile application.”
In addition to healthcare information, the amendments will expand the definition of protected personal information to include unique biometric data, such as fingerprint, retina, and iris images, as well as user names or email addresses in conjunction with passwords or security question answers.
Additionally, the Personal Information Privacy Act amendments will add another step to healthcare data breach reporting in Illinois.
All data collectors who report a healthcare data breach to the Department of Health and Human Services in compliance with HIPAA Rules and HITECH regulations must also submit such notifications to the state’s Attorney General within five business days of notifying the federal department.
While the modified data breach notification law spells out new regulations for healthcare organizations in Illinois, the amendments will also affect more general data security concerns.
Under the current Personal Information Privacy Act, the state provides a safe harbor for data collectors who experience a data breach involving redacted or encrypted personal information. But the amended version clarifies that the safe harbor will not apply to encrypted or redacted information if the key was, or is reasonably believed to have been, acquired in the data breach.
The revised data breach notification law also allows for more flexible notification methods for data collectors, such as electronic notices.
For example, data collectors can electronically contact affected Illinois residents if the data breach involved user names or email addresses in combination with passwords or security questions and answers. The notification should direct individuals to change their online credentials for all accounts that use the affected profile.
Data collectors may also use a substitute notice, such as local media sources, in the event a data breach affects individuals who are likely to reside in one geographic area and the notice can reasonably reach all affected persons.
Beyond data breach notification rules, the amendments will require all data collectors to “implement and maintain reasonable security measures,” including the addition of data security provisions to contracts that disclose personal information to another entity.
The governor’s approval of the amendments has been a year in the making for many Illinois lawmakers.
Last August, Governor Rauner vetoed an earlier version of the proposed amendments, which would have extended the type of protected information to include medical and health insurance data. He argued that the bill would impose burdensome requirements on data collectors, especially by including geolocation and consumer marketing data as protected personal information.
The most recent version of the amendments omitted these additions to the definition of protected personal information.
Other state lawmakers have also been busy updating or implementing data breach notification laws.
Recently, Nebraska Governor Pete Ricketts signed an amended version of his state’s data breach notification law. Similar to the Illinois amendments, the changes noted that data is not considered encrypted if the key was, or is reasonably believed to have been, obtained in the data breach.
The Nebraska law also expanded its definition of personal information, but it did not include any healthcare-related data.
An Oregon data breach notification law also went into effect at the beginning of this year. Although it did not account for medical or health insurance information, the law required businesses and government agencies to notify the state’s attorney general of data breaches that affect more than 250 Oregon residents.
With a new data security incident seemingly occurring each day, healthcare organizations are not the only entities trying to develop more comprehensive data protection measures. Many states are attempting to update data breach notification laws to cover these new threats to consumer data, but many healthcare organizations may still be waiting for laws that address their unique collection of patient information.