The Governor of Pennsylvania, Tom Wolf, has signed Senate Bill 696 into law. The bill expands the definition of personal information under the Breach of Personal Information Notification Act, broadening the types of information that warrant individual notifications in the event of a data breach. The updated law will take effect on May 2, 2023.
The updated definition of personal information now includes medical information, health insurance information, and usernames and passwords. Notifications must be issued if any of that information is breached along with the name of a state resident.
Medical information is classed as individually identifiable information related to an individual’s current or past medical condition, diagnosis, or treatment that has been created by a healthcare professional. Health insurance information includes a health insurance policy number or subscriber number, combined with an access code or other information that would allow the misuse of an individual’s insurance benefits. Breaches of usernames also require notifications if the password, or any other information such as a security question and answer that allows an individual’s online account to be accessed, is also compromised.
In the case of the latter, electronic notices can now be issued to individuals if a prior business relationship exists and the person or entity has a valid email address, provided the notice directs the individual to promptly change their password or other related account information to protect their account. Standard notifications must be provided by mail to the last known home address of the individual, although telephonic notices are permitted if an individual can be reasonably expected to be reached by telephone.
Entities covered by the Health Insurance Portability and Accountability Act – HIPAA-covered entities and HIPAA business associates – are exempted, provided they comply with the breach notification requirements of the HIPAA Breach Notification Rule.
The post Pennsylvania Updates Data Breach Notification Law appeared first on HIPAA Journal.