Bruce Rauner – the Governor of Illinois – has recently signed a number of amendments to Illinois data breach notification law. The changes are intended to better protect Illinois residents in the event that their personal information is exposed or stolen.
Health Insurance and Medical Information Included in Illinois Data Breach Notification Law
Changes have been made to the Personal Information Privacy Act (PIPA) that expand the definition of protected personal information (PPI) to include medical and health insurance information. Illinois residents will need to be notified of a data breach that includes their first names – or initials – and last name, along with health insurance information, medical information, or any other data elements already included in the state’s PPI definition.
Medical information now includes biometric data such as retinal scans, iris images, and fingerprints as well as medical histories, medical treatments and diagnoses, individuals’ physical condition, and state of mental health. The amendments to Illinois data breach notification law cover data collected by a healthcare provider or other organization in person as well as data collected via the Internet.
The new laws also cover the exposure of usernames in conjunction with security questions or passwords, which would enable third parties to gain access to personal data.
Health insurance information includes unique identifiers, data submitted with health insurance applications, and information contained in claims histories.
How the Amended Law Applies to Healthcare Organizations
Healthcare organizations covered under the Health Insurance Portability and Accountability Act (HIPAA) must abide by the HIPAA Breach Notification Rule. This requires covered entities to notify the Department of Health and Human Services’ Office for Civil Rights (OCR) of a breach of Protected Health Information (PHI). That notification must be provided within 60 days of the discovery of a PHI breach. Under the amended Illinois data breach notification law, the Illinois attorney general’s office must also receive a notification. That notification must be provided within 5 days of notifying the OCR of the breach.
There is currently a safe harbor for organizations that experience a security breach that results in encrypted data being exposed or stolen. The amended law clarifies the state’s position on these breaches. When the new law comes into effect in early 2017, the safe harbor will not apply to a breach of encrypted data (or redacted information) if a decryption key is “reasonably believed” to have also been compromised or acquired by an attacker.