Insurance Fraud NEWS
Washington legislature passes 30-day data breach notification law
April 24, 2019, Olympia, WA
The Washington legislature unanimously passed new legislation that effectively shortens the time within which organizations in the state must begin notifying victims of a data breach to just 30 days.
For healthcare organizations, the breach notification timeframe has been effectively cut in half, as HIPAA gives providers 60 days from the time of discovery to report a breach. Further, the Washington Attorney General must also be notified within 30 days and without reasonable delay.
In addition to modifying notification requirements, the bill expands the definition of consumer information. Currently, the state’s law defines a breach as the combination of an individual’s name with their Social Security number, state identification, or financial account data.
Under the law, a breach now also includes the combination of a consumer’s name with their full birth date, health insurance identification numbers, medical history, student ID, military ID, passport, username and password, biometrics such as DNA profiles or fingerprints, and electronic signatures.
The law also requires organizations to specify the precise data involved in the breach in their notification letters.
The bill comes in response to the spate of breaches impacting Washington residents, which officials estimate totals about 3.4 million between 2016 and 2017 – or an increase of about 26 percent from the previous year.
“Not only is the amount of data being collected and stored about consumers increasing, the number of breaches of secure storage of the data is increasing at an alarming rate as well,” Bill Co-Sponsor State Rep. Shelley Kloba said in a statement. “Companies who collect and store data will need to pay more attention to safeguarding it against internal and external threats.”
“Time and time again, millions of Americans have had their most private information stolen and abused due to poor corporate stewardship over the data we entrust them with,” State Sen. Joe Nguyen said in a statement. “This legislation will ensure that we have mechanisms for accountability put in place so that when a data breach occurs, we can act quickly and decisively to mitigate further harm.”
This is the state’s second privacy bill to pass in less than two years. In June 2017, the Washington legislature bolstered its patient privacy rights with a law that limits the use of medical and mental health records in discrimination lawsuits.
Washington joins a host of other states moving to tighten privacy and data breach laws to better protect consumers in light of the increase in security incidents across the country. North Carolina and Oregon are working on similar legislation, while Florida is considering new biometric data privacy legislation to establish requirements and restrictions on the use, collection, and maintenance of biometric data and identifiers.
Several members of Congress from both sides of the aisle have proposed their own versions of tighter privacy and breach laws in recent months. There have also been several Congressional meetings to consider the potential of a national, uniform privacy law to supersede the patchwork of state laws.
Source: HealthIT Security