Connecticut and Oregon have joined the growing list of states adopting stricter laws on the handling of health information and on penalties for breaches of that information. Both states amended their data security and breach notification laws and now impose tighter requirements on entities that store or process personally identifiable information (“PII”), including but not limited to health-related information. These stricter state laws are a response to the many recent data breaches in the consumer and health care industries.
Effective October 1, 2015, Connecticut’s Public Act 15-142 amends the state’s breach notification law to require that notice of a breach of personal information (which includes identifiable health information) be provided to the affected individual not later than 90 days after discovery. If a breach involves Social Security numbers, the law also requires the breached entity to offer one year of complimentary identity theft prevention and mitigation services, and the notification must explain how to enroll in those services and how to place a credit freeze. The law further obligates health insurance companies to implement, maintain, and update annually a “comprehensive information security program” to protect personal information (including protected health information, government-issued ID numbers, biometric data, and financial information).
Senate Bill 601 (SB 601) adds new requirements to the Oregon Consumer Identity Theft Protection Act of 2007 that take effect January 1, 2016. The legislation expands the definition of “personal information” whose breach triggers notification to the individual to include: 1) biometric data; 2) a health insurance policy number or subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the individual; or 3) any information about a consumer’s medical history or mental or physical condition, or about a health care professional’s medical diagnosis or treatment of the individual. The threshold for withholding notification changes from the previous “no reasonable likelihood of harm” standard to an “unlikely to suffer harm” standard, and the affected entity must document that determination in writing and retain it for at least five years. The law also requires entities to notify the state Attorney General of a breach of personal information involving more than 250 Oregon residents, and it authorizes the Attorney General to bring an action under Oregon’s Unlawful Trade Practices Act against entities that violate the statute.
Given the increase in recent large-scale data breaches and in state laws addressing them, companies that hold personally identifiable information, including health information, should confirm that their privacy, security, and breach response procedures are in place and updated to comply with these amended laws, so that they can both prevent breaches of health information and respond to them appropriately.