On May 31, 2015, the Illinois House and Senate passed a bill proposing amendments to the Illinois Personal Information Protection Act (PIPA). The amendments impact definitions, notice requirements, and the security of data under the statute, increasing the burden for healthcare providers in many key respects. Illinois’ amendments reflect a national response to increased data breaches, as states continue to take legislative measures to protect their residents. For instance, in 2014, Florida signed the Florida Information Protection Act of 2014 (FIPA), repealing its previous data breach laws in the process. FIPA expanded categories of personal information, reduced breach notification periods from 45 to 30 days, and added reporting requirements to the Florida Department of Legal Affairs for breaches affecting 500 or more residents. Illinois healthcare institutions must now examine their policies and practices to ensure compliance with the new regime.

Definitional Changes to PIPA

The definitional changes to the Act broaden the types of “personal information” protected under PIPA to include medical information, health insurance information, consumer marketing information, and geolocation information. The inclusion of geolocation information may prove especially burdensome to healthcare entities, as it includes all information generated from electronic devices sufficient to identify the street name, city, or town in which an Illinois resident is located. Currently, “personal information” is limited to social security, driver’s license, and financial account numbers.

Increased Notification Measures in PIPA

The amendments also outline specific security breaches of personal information requiring notice to the Illinois Attorney General. Generally, under the proposed amendments, a breach of personal information concerning more than 250 Illinois residents will require such notice. However, the content of the notification will vary depending on whether or not the notifying party owns or leases the data in question.

PIPA Data Security Requirements

The PIPA revisions add new data security requirements. Under the new regime, healthcare providers that utilize secure patient portals must implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure. Moreover, the amendments require a privacy policy to be conspicuously posted on the homepage, or first significant page after entering the website. The statute permits the use of icons and text hyperlinks to direct users to the privacy policy, so long as the links contain the word “privacy.” Privacy policies must be posted by operators of commercial websites or online services and must include specific provisions that disclose the collection, uses, and dissemination of personal information.

US DOJ Guidance on Compliance with PIPA Amendments

Although it may be impossible to safeguard against all potential data breaches, healthcare providers should implement data security measures that appropriately protect the personal information they handle and collect. The Department of Justice’s Cybersecurity Unit has developed a Reporting Cyber Incidents best practices guidebook to assist organizations during all phases of a data breach. Key practices recommended by the DOJ include:

  • Creating and testing an actionable response plan before a data breach;
  • Recording and preserving information during a breach; and
  • Conducting a post-incident review to measure the organization’s response to a breach.

As the PIPA amendments await action by the Governor, healthcare providers should review their data security policies and website for compliance and examine their response plans for alignment with the best practices prescribed by the DOJ. By preparing for the PIPA changes and integrating the DOJ best practices, healthcare providers can develop a data security strategy that will minimize business interruptions and costs associated with responding to a breach. As Illinois awaits gubernatorial action, Akerman will continue to monitor state and federal agencies for legislative developments and guidance on data breach laws.