North Dakota and Nevada have updated their breach notification laws this year, joining the growing list of states to do so.
In May 2015, new laws were passed to tighten the legislation and expand the definition of “personal information”, with the two states joining California, Florida, Montana, Washington and Wyoming, which had already updated their breach notification laws.
The Health Insurance Portability and Accountability Act (HIPAA) – or more accurately the Breach Notification Rule of 2009 – places a number of requirements on Covered Entities (CEs) when it comes to taking action following a data breach involving Protected Health Information (PHI).
HIPAA Rules are only a minimum set of requirements. States can pass laws to increase data privacy and security protections for patients, plan members and other persons affected by a healthcare data breach, and states often include provisions in their new laws addressing entities already covered under HIPAA and other federal laws.
The Sixty-fourth Legislative Assembly of North Dakota met on January 6, 2015 and proposed Senate Bill 2214, which amends and reenacts subsection 4 of section 51-30-01 and section 51-30-02 of the North Dakota Century Code, in relation to security breach notification. The bill was signed into law last week.
The new law expands the definition of personal information to include an identification number assigned to an individual by their employer, if it is exposed in combination with a required security code, access code or password.
The law has also been amended to cover any entity, not just North Dakota businesses. Any company or person that does business with North Dakota residents, no matter where they are based in the United States, will be required to comply with the new breach notification rule.
The amendment also adds a requirement to notify the state Attorney General of any breach affecting more than 250 North Dakota residents, in addition to notifying the affected individuals. For comparison, HIPAA requires all affected individuals to be notified within 60 days of discovery of a breach, but only breaches affecting 500 or more individuals must be reported to the HHS Office for Civil Rights (OCR) within that same 60-day window; smaller breaches need only be reported to OCR once per calendar year.
The amended breach notification rules take effect on August 1, 2015.
Meanwhile, Nevada’s breach notification law has also been amended in the past few days, expanding the definition of “personal information” to include usernames and unique identification numbers; specifically, driver authorization card numbers, medical identification numbers, and health plan or insurance membership ID numbers.
Nevada’s breach notification law has also been altered to include online accounts, and the information and passwords to gain access to personal data via web and patient portals. Similar updates have recently been passed in both California and Florida.
Once the new breach notification law is in force, any data breach involving an email address, username or unique identifier together with a password, login or access code, or answers to security questions that would permit an unauthorized individual to access an online account will have to be reported to the Attorney General, and breach notification letters will have to be issued to the affected individuals.
Nevada also has strict rules on data encryption, and the amendment extends them to the data elements newly covered by the breach notification law. Under those rules, personal information may not be transferred electronically outside the secure system of the company, or moved on a data storage device beyond the physical or logical controls of the company (or of a data storage contractor, if one is used), unless it is encrypted.
The law has now been signed and will take effect on July 1, 2015.