California Privacy Breach Law Changes Go Into Effect January 1, 2008: Redefines & Broadens “Personal Information” Definition

California’s privacy breach notification law, SB1386, started the ball rolling: at least 40 U.S. states, plus the District of Columbia, now have breach notice laws, and most of them were modeled largely on SB1386, including its definition of “personal information.”
Effective January 1, 2008, that definition changes in California when AB1298 goes into effect.


The original SB1386 defined “personal information” as an individual’s name in combination with any of the following: Social Security number; driver’s license number or California identification card number; or an account number, or credit or debit card number, together with any required security code, access code, or password that would permit access to the individual’s financial account.
Under the updated law, AB1298 adds two new categories to the definition of “personal information”: “medical information” and “health insurance information.” A breach of unencrypted computerized data containing a name plus either of these now triggers the notification requirement.
“Medical information” is defined as any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
“Health insurance information” is an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.
An excerpt from the California notice:

“AB 1298 expands state law requirements governing the privacy of confidential computerized information maintained by state agencies and businesses by adding the data elements of medical and health insurance information to the State Breach Notification law. State government and businesses engaged in health care can no longer avoid the obligation of notifying residents of security breaches of unencrypted data by removing social security numbers from computerized files.
When a person’s name plus medical information or health insurance information in unencrypted computerized form are acquired, or believed to be acquired, by an unauthorized person, the law requires individual notification of the breach, regardless of whether social security numbers are involved. By adding medical and health insurance data to the law, the State Breach Notification law is amended from a financial identity theft law to a far broader law triggering breach notifications whenever medical or health insurance policy information are breached. The intent is to prevent the growing crime of medical identity theft and to protect confidential medical information by encouraging encryption.
Whenever there is a breach of computerized unencrypted data containing a person’s name, the Department of Health Care Services (DHCS) must determine whether data that has become lost or stolen or transmitted to an unauthorized party would trigger a security breach notification. AB 1298 adds two new breach-triggering data categories to the law of “health insurance information,” defined as a health insurance policy or subscriber number(s), any information in an individual’s application and claims history, including any appeals records; and “medical information,” including any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
According to the author, adding “medical information” and “health insurance information” to the data elements that will trigger a breach notice will enable persons whose private medical or health insurance information has been compromised to become aware of potential problems and take any necessary corrective measures. In 2003, California was the first state in the nation to enact a breach notification law relating to financial information (SB 1386; Chapter 915, statutes of 2002). Other states are following our lead and now Congress is considering a proposal to legislate a uniform national breach notification process.”

I sure hope there is a thoughtful, practical and effective federal uniform breach notice law enacted soon!
Review your information security incident and privacy breach response plans to ensure they address these additional data categories: your data inventory and breach-triage criteria should now flag records that pair a name with medical or health insurance information, not just financial identifiers. Note also that the obligation applies to unencrypted computerized data, so encrypting these fields at rest and in transit remains the most direct way to keep an incident from becoming a notifiable breach.
