Trend: States Strengthening Health Data Privacy
Connecticut and Oregon both strengthened laws protecting health care data this year. Specifically, both states strengthened protections of personally identifiable information (“PII”).
- Connecticut did this:
  - Effective October 1, 2015, S.B. 941:
    - Requires notice of a breach of personal information within 90 days of discovery.
    - If a breach involves Social Security numbers, the breached entity must offer a year of complimentary identity theft prevention and mitigation services, and the notifications must include information on signing up for these services, as well as information on placing a credit freeze.
    - Health insurance companies must implement, maintain, and update annually a “comprehensive information security program” to protect personal information (including protected health information, government-issued ID numbers, biometric data, and financial information).
- Oregon did this:
  - Senate Bill 601 (SB 601) is effective January 1, 2016, and will:
    - Expand the definition of “personal information” triggering a required notification to include:
      - 1) biometrics;
      - 2) a health insurance policy number or subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the individual; or
      - 3) any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the individual.
    - Require that the Attorney General be notified of breaches of personal information involving 250 or more state residents, and allow the Attorney General to bring Deceptive Trade Practices Act violations.
    - Alter the threshold for notification to an “unlikely to suffer harm” standard in place of the previous “no reasonable likelihood of harm” standard, and require that this determination be made in writing by the affected entity and maintained for at least five years.
The Beat @ CooleyHealth