In recent months, a number of states have moved to strengthen the protection of health information. Each of the amendments and laws listed below addresses a different aspect of personal information protection, including PHI and other sensitive data. The list is not limited to statutes: it also includes court precedents that may have a significant effect on how healthcare privacy is handled in the future.
Ohio: Senate Bill 273: March 20, 2019
Ohio has enacted a bill that requires insurance companies to develop, implement and maintain a written information security program protecting sensitive business and customer data. The program must include an internal risk assessment that identifies threats and vulnerabilities to the company's systems. Based on the results of that assessment, safeguards must be put in place to protect nonpublic information whose exposure in a breach could harm the individuals it concerns. Nonpublic information includes health data, Social Security numbers, financial information, account numbers and any data that identifies a person in connection with their health or healthcare.
Massachusetts: Data Breach Notification Law: April 11, 2019
In January 2019, Massachusetts governor Charlie Baker signed an amended data breach notification law. It updates the existing statute and introduces new notification requirements. The time limit for breach notification is unchanged, but companies that suffer a breach can no longer wait until they have identified everyone affected before issuing notice. Where later updates are required, the legislation says the person or agency "shall provide additional notice as soon as practicable and without unreasonable delay upon learning such additional information." In addition, affected individuals must be offered a minimum of 18 months of free credit monitoring; if the breached entity is itself a consumer reporting agency, the minimum is 42 months.
New Jersey: Consumer Fraud Act Amendment: June 14, 2019
New Jersey has passed a bill that expands the definition of the personal information whose compromise requires consumer notification. The previous definition covered only Social Security, driver's license and bank account numbers and credit or debit card information, which left a gap that let businesses avoid notifying customers of breaches involving online account credentials. The bill adds email addresses and user names, in combination with passwords or security question answers, to the list.
The law also provides that breach notifications may be sent by mail or electronically. If the cost of notification would exceed $250,000 or the number of affected individuals exceeds 500,000, substitute notice may be given by email together with a conspicuous posting on the company's website. Where the breach involves the login credentials for an email account, notice may not be sent to that compromised email address.
Vermont: New Precedent for Private Cause of Action
Vermont's Supreme Court set a new precedent when it ruled that a patient can sue a hospital or healthcare professional for an unauthorized disclosure of confidential medical information. In this case, the patient sued an emergency room nurse and the hospital after the nurse determined that the patient was intoxicated and told a police officer. The patient had driven to the hospital and planned to drive home after being discharged. Although the plaintiff's suit ultimately failed, this is the first time such a claim has been recognized in Vermont: neither HIPAA nor Vermont statute provides a private cause of action, so the court instead recognized a common-law private right of action for the damages the patient suffered from the disclosure.
Oregon: The Oregon Consumer Information Protection Act: January 1, 2020
Oregon is the third state on this list to update its data breach notification law. Senate Bill 684 renames what was the Oregon Consumer Identity Theft Protection Act as the Oregon Consumer Information Protection Act. Like other states, Oregon has broadened its definition of personal information to include a user name "or other means of identifying a consumer for the purpose of permitting access to the consumer's account, together with any other method necessary to authenticate the user name or means of identification."
The definition of a covered entity has also been updated; it now refers to "a person that owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information in the course of the person's business, vocation, occupation or volunteer activities." In addition, vendors (business associates) that suffer a data breach must notify the covered entity within 10 days of discovering the breach, and a subcontractor working for a vendor that has a contract with a covered entity must notify that vendor within 10 days of discovering its own breach.
Washington, DC: Data Breach Notification Law: March 1, 2020
Like the new New Jersey bill, DC's data breach notification law expands the definition of personal information to include full dates of birth, biometric data, keys for electronic signatures, medical histories, user names and email addresses in combination with passwords or security question answers, and military, passport, student and health insurance ID numbers. If any of these data elements is compromised, the affected customers or patients must be notified. The notification time limit has been reduced to 30 days after the breach is discovered, and notice should be issued as soon as practicable within that window. Entities covered by HIPAA are deemed compliant with this law if they are also in compliance with the HITECH Act.