The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Pennsylvania Updates Data Breach Notification Law

The Governor of Pennsylvania, Tom Wolf, has signed Senate Bill 696 into law, expanding the definition of personal information under the Breach of Personal Information Notification Act, i.e., the categories of information whose breach requires individual notifications to be issued. The updated law will take effect on May 2, 2023.

The updated definition of personal information now includes medical information, health insurance information, and usernames and passwords. Notifications must be issued if any of that information is breached along with the name of a state resident.

Medical information is classed as individually identifiable information related to an individual’s current or past medical condition, diagnosis, or treatment that has been created by a healthcare professional. Health insurance information includes a health insurance policy number or subscriber number, combined with an access code or other information that would allow the misuse of an individual’s insurance benefits. Breaches of usernames also require notification if the username is compromised together with the password, or with any other information, such as a security question and answer, that would allow an individual’s online account to be accessed.

In the case of compromised usernames and passwords, electronic notices may now be issued if a prior business relationship exists and the person or entity has a valid email address for the individual, provided the notice directs that individual to promptly change their password or other related account information to protect their account. Standard notifications must be provided by mail to the last known home address of the individual, although telephonic notices are permitted if an individual can reasonably be expected to be reached by telephone.


Entities covered by the Health Insurance Portability and Accountability Act – HIPAA-covered entities and HIPAA business associates – are exempted, provided they comply with the breach notification requirements of the HIPAA Breach Notification Rule.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
