The State of Oregon (where our main office is based, though we do serve Anchorage and Spokane as well) has updated its data breach notification laws. If you live in Oregon and your personal information is exposed in a data breach (defined as “an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains”), notifications now have to be made within 45 days instead of the 60 days required by the federal government in the HIPAA Breach Notification Rules.
In addition, the definition of personal information has been expanded to include first name or first initial and last name in combination with any of the following:
- Social Security number
- Driver’s license number
- State identification card number from the Department of Transportation
- Passport number
- Other U.S. identification numbers
- Data from automatic measurements of physical characteristics (including iris and retina scans and fingerprints) that are used to authenticate transactions
- A health insurance policy number or subscriber ID number in combination with any unique identifier that can identify an individual
- Details of mental or health conditions
- Medical histories
- Financial information that includes an access code or password that would permit an unauthorized individual to gain access to the financial account

The definition of personal information under state law overlaps in places with the definition of protected health information under HIPAA, which means there is some question as to whether the 45-day requirement applies. It is best to err on the side of caution and not take longer than necessary, to avoid more fines.
Hopefully you will never have to send such a notification, and we can help keep you protected. We are HIPAA specialists, and our services include monitored anti-virus, HIPAA training, managed Windows patching, compliance audits and risk assessments, whole disk encryption and other services built to help your clinic stay in compliance and hopefully never have a breach.