Date: September 29, 2015
To: Hospital Legal Counsel
From: Zosia Stanley, JD, MHA, Policy Director
Staff Contact: Zosia Stanley, ZosiaS@wsha.org or 
(206) 216-2511
Subject: State Law Change Strengthens Consumer Data Breach Notification Requirement, Exemption for Hospitals Complying with Federal HITECH Law
Purpose
The purpose of this bulletin is to provide an overview of recent changes to Washington State’s data breach notification law relevant to Washington State hospitals and health systems. The Washington State Hospital Association (WSHA) worked closely with the state Attorney General’s Office to develop important exceptions in the new law for entities covered under federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) when they are acting in compliance with the federal Health Information Technology for Economic and Clinical Health Act (HITECH).
Applicability/Scope
The change in state law on data breach notification applies to hospitals and health systems both in their capacity as a covered entity handling protected health information under federal HIPAA law and as entities that handle consumer financial information. The law, HB 1078, was effective as of July 24, 2015 and applies to individuals, businesses, and public entities.[1]
Recommendation
WSHA recommends that hospitals review the breach notification requirements under state law for both HIPAA protected health information and consumer personal information.
Overview
Washington law requires businesses, individuals, and public agencies to notify any Washington resident who is at risk of harm because of the unauthorized acquisition of data that compromises the security, confidentiality, or integrity of that resident’s personal information.
House Bill 1078 includes specific requirements on the content and timeliness of notice to consumers. The law also requires notice be provided to the Washington Attorney General when a single breach affects more than 500 Washington residents.[2]
Hospitals and health systems and other HIPAA covered entities that are in compliance with HITECH notification requirements are exempt from almost all state law content and timeliness requirements for notice in the event of a breach of protected health information.[3] Covered entities must notify the Washington Attorney General when a breach affects more than 500 Washington residents, but the timing for this notice is covered by HITECH timelines, not the 45 days required under state law.[4] Note that the obligation to notify the Washington Attorney General of large breaches is in addition to the obligation for covered entities to provide notice to the federal Secretary of Health and Human Services.[5]
If a hospital experiences a breach of data that does not involve protected health information, the hospital must comply with the state breach notification law as amended by HB 1078. Among those laws amended, RCW 19.255.010 applies to individuals and businesses and RCW 42.56.590 applies to state and local governments. Below is a brief summary of the new aspects of state breach notification law.
Overview of changes to Washington breach notification law:
Type of information subject to breach notification law:
Information covered by the law is expanded to include data stored in both electronic and hard copy.
Definition of “secured” data with encryption standard:
Personal information is considered “secured” if it is encrypted in a manner that meets or exceeds the National Institute of Standards and Technology (NIST) standard “or is otherwise modified so that it is rendered unreadable, unusable, or undecipherable by an unauthorized person.” [6]
Obligation to report breach of encrypted data:
Prior to the enactment of HB 1078, there was no obligation to notify consumers of a data breach if the personal information was encrypted. Per HB 1078, breach of personal information must be disclosed if the data was not secured or if “the confidential process, encryption key or other means to decipher the secured information was acquired by an unauthorized person.”[7]
Contents of notification:
HB 1078 adds content requirements for notification to provide consumers with basic information in plain language to help secure or recover their identities, including:
- the name and contact information for the reporting entity;
- the types of personal information that were subject to the breach; and
- toll-free telephone numbers and addresses for the major credit reporting agencies.[8]
Notification of the Attorney General:
A person or business must notify the Washington Attorney General when more than 500 Washington residents must be notified of a breach. A sample of the notice sent to consumers must be submitted electronically to the Washington Attorney General by the time consumers are notified.[9] More information on notification to the Washington Attorney General is available here.
Timeline for notification:
Notice to consumers and the Attorney General must be made in the most expedient time possible and without unreasonable delay, and no more than 45 days after the breach was discovered (with exceptions for law enforcement investigations).[10] However, notice is not required if the security breach is not reasonably likely to subject consumers to a risk of harm.[11]
Expanded enforcement power for Attorney General:
The Washington State Attorney General is authorized to enforce the state breach notification law by bringing civil actions on behalf of the state and its citizens under the Washington Consumer Protection Act. A consumer may bring a civil action for damages, but such a private right of action does not include a cause under the Consumer Protection Act.[12]
Background and References
Washington State Office of the Attorney General Information on Data Breaches
Washington State Office of the Attorney General Identity Theft and Privacy Guide for Businesses
