Data Breach Laws Amended in Nevada and North Dakota

by | Jun 2, 2015

North Dakota and Nevada have updated their breach notification laws this year, joining the growing list of states to do so.

In May 2017, new laws were passed to tighten up the legislation and expand “personal information” definitions, with the two states following the lead of California, Florida, Montana, Washington and Wyoming, which had already updated their state breach notification laws.

The Health Insurance Portability and Accountability Act (HIPAA), or more accurately the Breach Notification Rule of 2009, places a number of requirements on Covered Entities (CEs) when it comes to taking action following a data breach involving Protected Health Information and Personally Identifiable Information.

HIPAA Rules are only a minimum set of requirements. States can pass laws to increase data privacy and security protections for patients and plan members and other persons affected by a healthcare data breach. Often states include provisions in their new laws for bodies covered under HIPAA and other federal laws.

The Sixty-fourth Legislative Assembly of North Dakota met on January 6, 2015 and proposed Senate Bill 2214, which amends and reenacts subsection 4 of section 51-30-01 and section 51-30-02 of the North Dakota Century Code, in relation to security breach notification. The law was signed last week.

The new law further expands the definition of personal information to include an individual employee identification number if it is exposed in conjunction with a security or access code and/or password.

The law has also been amended to cover any entity, not just North Dakota businesses. If a company or person does business with North Dakota residents, they will be required to comply with the new breach notification rule no matter where in the United States they are based.

The threshold for issuing breach notification letters to affected individuals and notifying the Attorney General will also be cut to 250. HIPAA Rules only require breaches of 500 or more records to be made known within 60 days. Smaller breaches only need to be reported to the OCR once every calendar year.

The amendment to the breach notification rules will come into effect on August 1, 2015.

Meanwhile, Nevada’s breach notification law has also been amended in the past few days, expanding the definition of “personal information” to include usernames and unique identification numbers; specifically, driver authorization card numbers, medical identification numbers, and health plan or insurance ID membership numbers.

Nevada’s breach notification law has also been altered to include online accounts, and the information and passwords to gain access to personal data via web and patient portals. Similar updates have recently been passed in both California and Florida.

When the new breach notification law comes into effect, any data breach involving an email address, username or unique identifier, together with passwords, login or access codes and/or answers to security questions that would permit an unauthorized individual to access online accounts, will also have to be reported to the Attorney General, and breach notification letters will have to be issued.

In Nevada there are strict rules in relation to data encryption. The amendment means that the data encryption rules will also apply to the data now covered under the breach notification law update. Unless it is encrypted, the aforementioned data cannot be transferred or moved via a data storage device outside the control of the company, or outside the control of a data storage company if one is used.

The law has now been signed off on and it will become effective on July 1, 2015.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.