Several States in Process of Updating their Healthcare Data Breach Notification Laws

Federal Health Insurance Portability and Accountability Act (HIPAA) requirements remain a top concern of covered entities that are grappling with breach notification issues, but several states are in the process of updating their data breach laws. Tennessee and Oregon are two states that recently enacted updates to ensure that their residents have greater protections. As cybersecurity threats and healthcare data breaches increase, more state officials are looking at their legislative and regulatory options.

Recent research suggests that less than half of states include healthcare data or medical information in their data breach notification standards. The HIPAA Breach Notification Rule requires that covered entities and their business associates provide notification following a breach of unsecured protected health information (PHI). Healthcare organizations are required under HIPAA to notify patients, the Department of Health and Human Services (HHS) and, in some cases, the media.

Tennessee recently enacted a change to its data breach notification laws. The new law removes the word “unencrypted” from the description of the type of compromised information that would necessitate notification. In addition, the state now requires that disclosure of a breach be made immediately, and no later than 14 days following the discovery of the breach. This amended law will become effective July 1, 2016, and will apply to data breaches that occur after that date.

Oregon also enacted updates to its breach notification laws earlier this year. Under the new law, companies and government agencies must now notify the state attorney general of a data breach affecting more than 250 state residents. The law also states that only unencrypted information is applicable and delineates that the compromised information would also need to “be sufficient to permit a person to commit identity theft against the consumer whose information was compromised.”

It is also important to note that on July 7, 2015, the National Association of Attorneys General (NAAG) sent a letter to Congress saying that federal law should not preempt state law when it comes to data breach notification.

NAAG supports the idea that states are “better equipped to quickly adjust to the challenges presented by a data-driven economy,” and “any additional protections afforded consumers by a federal law must not diminish the important role states already play protecting consumers from data breaches and identity theft.”