The Commonwealth of Virginia recently enacted a law requiring notice of data breaches involving medical information. The new law is effective on January 1, 2011.
The new law, section 32.1-127.1:05 of the Virginia Code, requires any governmental entities or other organizations supported by public funds that own or license computerized data that includes medical information (defined below) to provide notification of a breach involving medical information to affected residents and the Office of the Attorney General. For this purpose, “breach” means unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of medical information maintained by an individual or entity.
Notices must be sent without unreasonable delay, though notification may be reasonably delayed to allow the entity to determine the scope of the breach and restore the reasonable integrity of the affected system.
“Medical information” means the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a Virginia resident, when the data elements are neither encrypted nor redacted:
1. Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or
2. An individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.
The required notice to affected individuals and the Attorney General must contain specific content, including:
1. A description of the incident in general terms;
2. The type of medical information that was subject to the unauthorized access and acquisition;
3. The general steps taken by the individual or entity to protect the personal information from further unauthorized access; and
4. A telephone number that the person may call for further information and assistance, if one exists.
Virginia has a general data breach notification law, in place since 2008, that is applicable to all individuals and companies with personal information of Virginia residents.