Recent, large-scale breaches of health information have served to highlight the fact that federal agencies have only rarely assessed penalties against companies as a result of these breaches, while many states do not have regulations providing for such penalties. States have begun to address this situation through legislation focusing on breaches of health information. Montana and New Jersey recently passed stricter laws regarding the protection of health and medical information, and the Connecticut and Washington state legislatures may follow suit during the current legislative sessions.
Montana’s updated data breach notification law, signed into law on February 27, 2015, now includes medical record information within the definition of personal information. The law also expands the definition of personal information to include a taxpayer identification number, or an identity protection personal identification number issued by the IRS, in combination with a first initial or name and last name. In the event that notifications are issued under the law, a business must also “simultaneously” notify the state attorney general’s consumer protection office by submitting “an electronic copy of the notification” issued to Montana residents and “a statement providing the date and method of distribution of the notification.” If more than one Montana resident is notified, the copy of the notification issued to the residents must indicate the number of residents who received the notification. The amended law goes into effect October 1.
Montana is not the only state that has recently addressed breaches of medical information in legislation. In January, New Jersey Senate Bill 562 was signed into law, requiring health insurance carriers that issue health insurance in New Jersey to encrypt personal information when compiling or maintaining computerized records that include personal information. Health insurance carriers are defined to include insurance companies, health service corporations, hospital service corporations, medical service corporations, or health maintenance organizations. The encryption requirement broadly applies to a person’s first name or first initial and last name linked with at least one of the following: (1) Social Security number, (2) driver’s license number or other state identification card number, (3) address, or (4) identifiable health information. Failure to encrypt personal information constitutes a violation of New Jersey’s consumer fraud statute and subjects violators to the attorney general’s enforcement powers as well as treble damages. Enforcement penalties under the New Jersey Consumer Fraud Act amount to $10,000 for a first offense and $20,000 for all subsequent offenses. The law will take effect on August 1, 2015, making New Jersey the second state, after Massachusetts, to require encryption of health information.
In late February 2015, a bill was introduced in the Connecticut General Assembly that, if passed and signed into law, would require insurance businesses to encrypt personal information and would also call for new regulations setting a minimum standard for security technology. In addition to health insurers and healthcare centers, the legislation would impact pharmacy benefits managers, third-party administrators that administer health benefits, and utilization review companies.
The Washington State House recently passed House Bill 1078, which would impose several new requirements in the event of a data breach. First, the bill would require notification to consumers and the state attorney general’s office no later than 45 calendar days after the breach was discovered. Failure to notify consumers of the breach would qualify as a violation of the state Consumer Protection Act, and the state attorney general could bring an action on behalf of the state or consumers living in Washington. The state legislature in New Mexico – one of the few states that does not have a data breach notification law – is also considering a proposed data breach notification law, although it does not incorporate health information into its proposed definition of personal information.