48 US States currently have Data Breach Notification Laws that are all just a little bit different. For any Covered Entities or Business Associates that operate in a single state, it is pretty simple to comply, however, with those that operate or have customers in multiple states, it becomes more difficult to know and comply with each state’s different laws.
Congressman Jim Langevin (D-RI) proposed bill (H.R. 3806), the Personal Data Breach Notification Act, that is intended to standardize these individual state laws into a single national law. This law has been long overdue.
Any organization or entity that collects the data of over 10,000 individuals over a 12 month period will take precedent over any individual state law.
This doesn’t mean that if you have less than 10,000 patient records that you are exempt from this. Far from it.
HIPAA Breach Notification Laws protect the following information:
-Address (all geographic subdivisions smaller than state, including street address, city, county, zip code)
-All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age)
-Social Security Number
-Medical Record Number
-Health Plan Beneficiary Number
-Any vehicle or other device serial number
-Medical Device Identifier on Implants
-Finger or Voice Prints
-State ID Card
-Any Other Characteristics That Could Uniquely Identify the Individual
A breach of any of these items must be reported to both the effected patient as well as to Office for Civil Rights within 60 days of knowing of the breach.
The new proposed Personal Data Breach Notification Act law has the following identifiers as requiring notification within 30 days:
-An individual’s first and last name or first initial and last name in combination with any two of the following data elements:
-Home address or telephone number
-Mother’s Maiden Name
-Month, day and year of birth
-A Social Security number (but not including only the last four digits of a Social Security number), driver’s license number, passport number, or alien registration number or other Government-issued unique identification number.
-Unique biometric data such as a finger print, voice print, a retina or iris image, or any other unique physical representation.
-A user name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account.
-Any combination of the following data elements:
-An individual’s first and last name or first initial and last name.
-A unique account identifier, including a financial account number or credit card or debit care number, electronic identification number, user name or routing code.
-Any security code, access code, or password, or source code that could be used to generate such codes or passwords.
This law is in response to not just the increase in data breaches overall in the past few years, but the staggering number of breaches this year alone (see www.acsdt.com/single-post/2017/10/21/Data-Breach-Report-for-2017)