Recently, the Governor of New Hampshire approved Senate Bill 194 (SB 194), an insurance data security law that requires insurers who handle nonpublic information (including health information) to implement a series of cybersecurity measures. The New Hampshire insurance data security law goes into effect on January 1, 2020.
To Whom Does the New Hampshire Insurance Data Security Law Apply?
The law regulates “licensees” – insurers in New Hampshire. Licensees must implement measures that anticipate, and that remedy, breaches of personal data, financial data, and health information. Any person who is licensed, authorized to operate, or registered with the New Hampshire insurance department is subject to the data security law.
What Information is Subject to the Data Security Law?
The New Hampshire insurance data security law applies to “nonpublic information,” and defines nonpublic information as information that is not publicly available. In addition to not being publicly available, the information must fall into one of the following two classes to qualify as “nonpublic information:”
Class 1: Any information concerning a consumer that because of name, number, personal mark, or other identifier, can be used to identify the consumer, in combination with one or more of the following pieces of data:
- Social Security number
- Driver’s license number or non-driver identification card number
- Financial account number, credit, or debit card number
- Any security code, access code, or password that would permit access to a consumer’s financial account
- Biometric records
Class 2: Any information, except age or gender, in any form or medium created by or derived from a healthcare provider or a consumer, that can:
- Be used to identify a particular consumer; and that relates to:
  - The past, present, or future physical, mental or behavioral health or condition of any consumer or a member of the consumer’s family; or
  - The provision of healthcare to any consumer; or
  - Payment for the provision of healthcare to any consumer.
The data security law defines a consumer as an individual applicant, policyholder, insured, beneficiary, claimant, or certificate holder, of a covered insurer. The individual, to qualify as a consumer, must:
- Be a resident of New Hampshire; whose
- Nonpublic information is in a licensee’s possession, custody, or control.
What Does the Data Security Law Require That Insurers Do?
- Perform a Risk Assessment: The data security law requires licensees to perform risk assessments that identify and mitigate:
  - Internal or external threats to the business and its nonpublic information (including nonpublic information accessible to or held by third-party service providers), that
  - Are “reasonably foreseeable” (note that the HIPAA Security Rule uses a similar phrase – “reasonably anticipated”).
- Construct an Information Security Program: Licensees, under the data security law, must use the results of the risk assessment to create an information security program.
  - The program must be ultimately managed by the licensee’s Board of Directors, or by an appropriate committee of the Board of Directors.
  - At least annually, the licensee must report the following information to the Board:
    - How the information security program addresses (among other things) risk management; risk assessment; third-party service provider arrangements; and cybersecurity events. A cybersecurity event is defined as an event resulting in unauthorized access to, disruption or misuse of, an information system or nonpublic information stored on an information system.
- Respond to Cybersecurity Events: Licensees are required to promptly investigate cybersecurity events. Generally, licensees must notify the New Hampshire Insurance Commissioner, within 3 business days, of any cybersecurity event that has a “reasonable likelihood” of materially harming either a New Hampshire consumer or any material part of the licensee’s normal business operations. This notice must include specific information, including a copy of the licensee’s privacy policy.
Does the Data Security Law Contain a Safe Harbor Provision?
The data security law contains a safe harbor provision for licensees that are in compliance with HIPAA if the licensees have established and maintained HIPAA required privacy, security, and data breach notification programs and procedures to protect both “protected health information,” as HIPAA defines that term, and any other “nonpublic information,” as the data security law defines that term. To qualify for safe harbor protection, licensees must submit written statements that indicate:
- The licensees are HIPAA compliant; and
- The licensees protect any other nonpublic information in the same way that they do protected health information.
This safe harbor provision is not to be confused with the HIPAA safe harbor rules, which require that protected health information (PHI) be de-identified.
Compliancy Group Simplifies HIPAA Compliance
Covered entities and business associates can address the HIPAA Security Rule requirements by working with Compliancy Group to address federal HIPAA security standards.
Our ongoing support and web-based compliance app, The Guard™, gives healthcare organizations the tools to address HIPAA Security Rule standards so they can get back to confidently running their business.
Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and Maintain™ their HIPAA compliance!