Change of Law: Hospital Action Required
To: Rural Hospital Chief Executives, Psychiatric Hospital Chief Executives, Hospital Legal Counsel and Government Affairs Staff
Please forward to your Privacy and Compliance Departments
From: Jaclyn Greenberg, JD, LLM, Policy Director, Legal Affairs
JaclynG@wsha.org | (206) 216-2506
Subject: Changes to State Laws on Data Breach Notification Requirements in Effect
The purpose of this bulletin is to provide an overview of recent changes to state laws requiring private entities and public agencies to provide notice of data breaches involving personal information, including protected health information (PHI), to impacted individuals and the Washington State Attorney General (AG).
Under HB 1071, which is in effect now, several significant changes were made, including expanding what constitutes “personal information” for purposes of triggering notice obligations and shortening the time frame for notifying impacted individuals and the AG about the breach from 45 days to 30 days.
Under SB 6187, which goes into effect on June 11, 2020, the last four numbers of a person’s social security number will also be considered “personal information” for public agencies only.
WSHA’s advocacy in 2019 ensured that hospitals and other covered entities under the Health Insurance Portability and Accountability Act (HIPAA) will be deemed to have complied with the state law requirements if they comply with the requirements under the Health Information Technology for Economic and Clinical Health (HITECH) Act for breaches of PHI. This means PHI-related breaches may be reported to individuals and the AG within 60 days, rather than the new 30-day timeline. Importantly, hospitals must comply with the 30-day reporting timeline and the other state law reporting requirements for breaches involving all other “personal information” that is not PHI.
State data breach laws apply to all hospitals, public and private.
- Private non-profit and for-profit hospitals are subject to 19.255 RCW.
- Public hospital districts, as public agencies, are subject to RCW 42.56.590.
State data breach laws apply to all information that meets the definition of “personal information,” including protected health information (PHI).
- Review this bulletin.
- Review and update, as needed, your hospital/health system’s security and privacy protocols to reflect the new information now included in the definition of “personal information.”
- Update data breach policies and procedures to incorporate the new timelines for reporting non-PHI data breaches, the additional means of communicating notice about a data breach, and the additional elements that must be included in notification to impacted individuals and the AG.
- Update data breach notice templates to incorporate the additional information about the breach required by the new laws.
Effective March 1, 2020, HB 1071 made several changes to Washington state’s data breach laws governing private entities and public agencies, including:
- expanding the definition of “personal information” subject to data breach reporting;
- authorizing electronic or email notification under certain circumstances;
- requiring additional information be disclosed to impacted individuals and the AG; and
- shortening the timeframe for notification to individuals and the AG for non-PHI data breaches from 45 days to 30 days.
Effective June 11, 2020, under SB 6187, for state and local agencies only, the last four numbers of a person’s social security number also constitute “personal information.”
Breaches involving HIPAA PHI: Importantly, the new laws maintain a carveout for breaches involving PHI held by HIPAA covered entities. Hospitals and other covered entities will be deemed to have complied with the state’s notification requirements with respect to breaches involving PHI if the entity complies with reporting requirements under HITECH (i.e. within 60 days following discovery of the breach—see here for a summary of those requirements from the federal Department of Health and Human Services). Note: Hospitals must notify the AG within 60 days of the breach.
Breaches involving other, non-PHI personal information. For all other data breaches, hospitals will need to comply with the requirements under state law.
1. Entities the laws apply to
Data breach notice requirements apply to:
- Any person or business that conducts business in Washington state that owns or licenses data that includes personal information, under 19.255 RCW; and,
- Any Washington state and local agency that owns or licenses data that includes personal information, under RCW 42.56.590.
These private entities and public agencies must disclose any data breach to any resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, where that personal information was not secured. Notice is not required if the breach is not reasonably likely to have subjected individuals to a risk of harm.
- Any person or business that maintains or possesses data that may include personal information, under 19.255 RCW and RCW 42.56.590.
These entities must notify the owner/licensee of the information of any breach following discovery so that that entity may notify impacted individuals and the AG.
2. Definition of “Personal Information”
HB 1071 and SB 6187 expand “personal information” for purposes of reporting data breaches in Washington state.
The chart below identifies the existing and new categories of information that constitute “personal information,” some of which will qualify as PHI under HIPAA/HITECH.
Note: “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state or local government records.
1) First name or first initial and last name, in combination with any of the following:
2) *NEW – Username or email address in combination with a password or security questions and answers that would permit access to an online account;
3) *NEW – Any of the data elements or any combination of the data elements described in (1) above without the consumer’s first name or first initial and last name if:
3. Notification to Impacted Individuals
30 days to notify individuals for non-PHI data breaches. Under the new law, consumers must be notified within 30 calendar days of discovering the breach (shortened from 45 days). This is for non-PHI related data breaches. Existing directions and exceptions to this reporting deadline remain. Specifically, consumers are to be notified in the most expedient time possible, without unreasonable delay (but in any event, no later than 30 days); and reporting may be delayed at the request of law enforcement or due to any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. Under the public agencies law, public hospital districts may delay notification for up to an additional 14 days to allow for translation into the primary language of the impacted individuals.
Content of notice. Under the new law, hospitals must include a time frame of exposure, if known, including the date of the breach and the date the breach was discovered. This is in addition to the name and contact information of the reporting entity, a list of types of personal information that were or are reasonably believed to have been the subject of a breach, and toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed personal information. All the information must be written in plain language.
Provision of notice. Under the new law for private entities, notice may be provided electronically or by email if the breach involves personal information including a username or password. However, if the breach involves login credentials of an email account furnished by the person or business, the notification may not be sent to the email address. Regardless of how the notice is provided, it must inform the person to promptly change his or her password and security question and answer or to take other steps to protect the online account, as well as all other online accounts for which the person whose information was breached uses the same username or email address and password or security question and answer. Note: These electronic notice provisions do not apply to public agencies.
This electronic form of notice is the fourth means of communication. Under existing law, there are three other methods for communication, specifically:
- written notice;
- electronic notice, if consistent with federal guidelines; and
- substitute notice—which is available if certain cost and scope of breach thresholds are met—such as email notice, conspicuous posting on websites, or notice in major statewide media.
4. Notification to the Attorney General
If a single data breach involves the personal information of more than 500 Washington residents, the AG must be notified in addition to notifying impacted individuals.
Notice to the AG must also be provided within 30 days of discovering the breach (shortened from 45 days). Again, this timeline is for non-PHI data breaches. For PHI-related breaches, notice to the AG may follow the timelines set out under HITECH discussed above.
In addition to notifying the AG about the number of individuals impacted by the data breach, under the new laws, notice to the AG must also include:
- A list of the types of personal information that were or are reasonably believed to have been the subject of a breach;
- A time frame of exposure, if known, including the date of the breach and the date it was discovered;
- A summary of steps taken to contain the breach; and,
- A sample copy of the security breach notification, excluding any personally identifiable information.
If this information is unknown by the time the notice is due, the notice must be updated when the information is available.
The enforcement provisions under the state data breach laws are unchanged. Violation of the laws constitutes a consumer protection violation, subject to treble damages, and enforceable by the AG and individuals. Civil damages and injunctive relief are possible remedies.
WSHA’s 2020 New Law Implementation Guide
Please visit WSHA’s 2020 implementation guide online, where you will find a list of the high priority laws that WSHA is preparing resources and information on to help members implement the new laws, as well as links to resources such as this bulletin. In addition, you will find the Government Affairs team’s schedule for release of upcoming resources on other laws and additional resources for implementation.
HB 1071 (2019)
SB 6187 (2020)
19.255 RCW – Personal Information – Notice of Security Breaches (Private entities)
RCW 42.56.590 – Personal information – Notice of Security Breaches (Public entities)
Office of the Attorney General – Data Breach Notifications
Office of the Attorney General – Identity Theft and Privacy Guide for Businesses
HITECH Act, Section 13402 (42 USC § 17932)
HHS Breach Notification Rule