Another California data breach has led state lawmakers to introduce additional legislation related to HIPAA. California already has some of the toughest data breach notification laws in the United States, and they may soon become tougher still once the new bill is signed into law.
If a California data breach occurs, state law requires that data breach notifications be issued to consumers. This covers any breach of financial or banking information and personal identifiers such as Social Security numbers, health insurance information, medical information, driver’s license numbers, passwords, and data collected through automated license plate recognition systems. If the new bill is approved, that list will grow to include passport numbers and biometric data such as fingerprints, iris or retina scans, and facial recognition data.
Assembly member Marc Levine introduced the new bill, AB 1130, in hopes of closing a loophole in the current California data breach notification law that could allow breaches of highly sensitive information to go unreported.
The HIPAA Breach Notification Rule is a set of standards that covered entities and business associates must follow in the event of a data breach involving PHI or ePHI. A breach is an impermissible use or disclosure of protected health information (PHI). PHI is any demographic information that can be used to identify a patient, and it includes many of the identifiers already covered by California’s data breach notification requirements. The Breach Notification Rule distinguishes between two kinds of breaches based on their scope and size, referred to as Minor Breaches and Meaningful Breaches. Regardless of the size of the breach, organizations must report all breaches to HHS OCR.
In November 2018, Marriott reported a massive data breach. A database containing sensitive information about guests of the Starwood Hotels chain was stolen, exposing guests’ names, addresses, and more than 25 million passport numbers. In total, the personal information of 327 million guests was stolen by cybercriminals.
The new California bill, AB 1130, was prompted by the massive Marriott data breach, because under the current California data breach notification law the exposure of information such as passport numbers could go unreported. Attorney General Xavier Becerra believes that California citizens should be given the opportunity to take action when their sensitive information is exposed.
“Knowledge is power, and all Californians deserve the power to take action if their passport numbers or biometric data have been accessed without authorization,” said Attorney General Becerra. “AB 1130 closes a gap in California law and ensures that our state remains the nation’s leader in data privacy and protection.”
If the bill passes, California will become the fourth state, after Alabama, Florida, and Oregon, to require breach notifications for breaches of passport numbers. It will also join Iowa and Nebraska, which already require breach notifications for the exposure of biometric data.
By expanding their data breach notification laws, California and other states are sending a strong message to healthcare professionals. Organizations can reduce their exposure to data breaches by adopting an effective compliance program that adheres to all HIPAA rules.
Compliancy Group helps healthcare professionals develop an effective compliance program with our web-based compliance tool, The Guard™.
The Guard allows users to address every aspect of HIPAA compliance with our unique Achieve, Illustrate, Maintain™ (AIM) methodology. We help users effectively implement The Guard’s methodology, documenting an organization’s “good faith effort” toward HIPAA compliance and maintaining compliance with annual reminders to reassess necessary portions of an organization’s compliance plan.