In light of recent big data breaches, legislation has been proposed to Congress that would set a nationwide data breach notification standard. Among the proposed bills are (1) the Personal Data Notification and Protection Act, (2) the Data Security and Breach Notification Act, (3) the Data Security Act, and (4) the Consumer Privacy Protection Act. Proponents of a national standard claim that it would simplify the policies that companies must follow when reporting breaches. With forty-seven different state data breach notification laws and no national law on the books, retailers are forced to adhere to a patchwork of state laws.
However, the push for such a law has faced much opposition over the years, as many lawmakers believe it would preempt more comprehensive state notification laws. Elise Viebeck noted that past attempts to enact similar legislation have failed due to Congressional turf wars. If history is any indication, lawmakers will likely fail to reach an agreement.
At the state level, Illinois joins a growing number of states (including New Jersey, Connecticut, California, and Nevada) that are advancing consumer protection laws. Illinois Attorney General Lisa Madigan stated, “the growing frequency and scope of data breaches has necessitated an overhaul of Illinois’ notification law.” Currently, the Personal Information Protection Act (“PIPA”) only extends to unencrypted electronic forms of data, including first and last name, social security number, driver’s license or state identification card number, and credit card or debit card number in combination with any information that would permit access to a resident’s financial account. If a breach occurs, the entity must notify each affected resident following discovery of the breach; however, government notice of the breach is not required.
Illinois SB 1833, drafted by Madigan, is pending in the Illinois General Assembly. This bill will strengthen PIPA by requiring companies to notify consumers about data breaches that expose financial information as well as geo-location data. Further, the bill extends the definition of personal information to include medical and health insurance data. The Illinois Senate passed the bill last month, and it is awaiting approval by the Illinois House.
What does this mean for health law? A data breach notification protocol is essential for any organization, and the healthcare industry is no exception. The Anthem breach, announced in early February, affected no less than 75 million people. Premera, another health insurance provider, recently announced that the records of 11 million people were compromised. The consequences of hacking healthcare information are unlike those of commercial retailers. When retailers are hacked, credit card numbers are exposed and can easily be canceled. Hacking health and insurance data is more troublesome, as it reveals the keys to a person’s identity. Rebecca Fayed, a privacy officer for the Advisory Board Co., asserted that the “flow of personal information is essential to delivering medical treatment and to arranging payment. ‘We as individuals are never going to be able to know every single entity that has our data.’”
The Health Insurance Portability and Accountability Act (HIPAA) already requires covered entities and their business associates to notify the necessary parties after protected health information is compromised. It further requires the covered entities to encrypt stored health information, or health information transmitted electronically, if it is reasonable and appropriate for them to do so. Additionally, more states are including medical and health insurance information in the definition of personal information in their data breach notification laws.
Maintaining HIPAA compliance is still crucial; however, increasing consumer protection (whether by state or federal law) will require healthcare and insurance providers to take further steps to protect personal information and to respond more effectively in the event of a breach.
Kathryn Brown is currently a 2L at DePaul University College of Law. Ms. Brown completed her undergraduate degree at Saint Ambrose University, located in Davenport, IA. Ms. Brown wishes to pursue a career in Health Law after graduating in May of 2017.