Updated Pennsylvania Breach of Personal Information Notification Act Now in Effect
The 2022 update to the Pennsylvania Breach of Personal Information Notification Act (BPINA) is now in effect. The update was signed into law on November 3, 2022, and took effect on May 2, 2023. It broadens the definition of personal information to include medical information, health insurance information, and a username or email address in combination with a password or security question and answer that would permit access to an online account.
Medical information is defined as any individually identifiable information contained in an individual’s current or historical record of medical history or medical treatment or diagnosis created by a health care professional. Health insurance information is defined as a health insurance policy number or subscriber identification number in combination with an access code or other medical information that permits misuse of an individual’s health insurance benefits.
The updated BPINA applies to state agencies, political subdivisions of the Commonwealth, and individuals or businesses that do business in the Commonwealth of Pennsylvania. A state agency includes any agency, board, commission, authority, or department of the Commonwealth and the General Assembly. The update also applies to state agency contractors, which are persons, businesses, subcontractors, or third-party subcontractors that have a contract with a state agency for goods or services, which requires access to personal information.
The updated BPINA requires notification when unencrypted and unredacted personal information is reasonably believed to have been accessed and acquired by an unauthorized person. Notification is also required when the breached data was encrypted but the encryption key is reasonably believed to have been obtained as well. No fixed deadline is stipulated for issuing notifications; they must be issued "without unreasonable delay". When a breach occurs at a vendor, the vendor must notify the entity that provided the data, and that entity is responsible for determining whether notification is required and for discharging any remaining notification duties.
Notifications may be issued by mail to the individual's last known address; by telephone, if the individuals concerned can reasonably be expected to be contacted by phone and are not asked to provide personal information for verification; or by email, if a prior business relationship exists and a valid email address is known for the individual. Electronic notice is also permitted provided the entity holds sufficient contact information to serve it, and the notice directs the individual to promptly change their password and security question or answer, or to take other steps appropriate to protect their online account.
Any entity that is required by law to comply with HIPAA or the HITECH Act is deemed to be in compliance with the updated BPINA provided it complies with the privacy and security standards of HIPAA and the HITECH Act. The same applies to any state agency or state agency contractor that complies with the breach notification requirements or procedures established by its primary state or functional federal regulator.