In May of 2019, the Governor of Oregon signed Senate Bill 684 (SB 684). SB 684 amends Oregon’s existing data breach notification law (now known as the “Oregon Consumer Information Protection Act”) to provide additional protection to consumers. The amendments become effective as of January 1, 2020.

To Whom Does the Amended Data Breach Notification Law Apply?

The amended data breach notification law applies to covered entities and to vendors (the Oregon law’s equivalent, essentially, of “business associates”), and regulates their use and access of personal information.

A covered entity is defined under the Oregon law as a person (i.e., an individual, private or public corporation, partnership, cooperative association, estate, limited liability company, organization or other entity) who:

• Owns,
• Licenses,
• Maintains,
• Stores,
• Manages,
• Collects,
• Processes,
• Acquires, 

or otherwise possesses personal information in the course of the person’s business, vocation, occupation or volunteer activities. 

The data breach notification law defines a vendor as a person with which a covered entity contracts to:

• Maintain,
• Store,
• Manage,
• Process,

or otherwise access personal information, for the purpose of, or in connection with, providing services to or on behalf of a covered entity.

What Information is Subject to the Amended Data Breach Notification Law?

The information that is subject to the amended data breach notification law is “personal information.” The law defines “personal information” to include three types of information:

Information Type Number One

A consumer’s (an individual resident of the state of Oregon) first name or first initial and last name, in combination with one or more specified data elements. These data elements include (among other items) a Social Security number, a driver’s license number or state identification card number issued by the Oregon Department of Transportation, or any information about a consumer’s medical history or mental or physical condition or about a healthcare professional’s medical diagnosis or treatment of the consumer. For this data combination to qualify as personal information, one of two conditions must be met:

• Encryption, redaction, or other methods have not rendered the data unusable; or
• The data elements are encrypted and the encryption key has been acquired. 

Information Type Number Two

A user name or other means of identifying a consumer for the purpose of permitting access to the consumer’s account, together with any other method necessary to authenticate the user name or means of identification.

Information Type Number Three

Any of the data elements or any combination of the data elements described in Information Type Number One or Information Type Number Two above, without the consumer’s user name, or the consumer’s first name or first initial and last name, if:

• Encryption, redaction or other methods have not rendered the data element or combination of data elements unusable; and
• The data element or combination of data elements would enable a person to commit identity theft against a consumer. 

What Does the Amended Data Breach Notification Law Require?

The law imposes reporting requirements on both covered entities and vendors. The law also requires to develop, implement and maintain safeguards to protect the security, confidentiality and integrity of personal information.

Reporting Requirements

Covered Entities

Under the law, if a covered entity is subject to a breach of security of personal information, or receives notice of a breach of security from a vendor, the covered entity must give notice of the breach of security to:

• The consumer to whom the personal information pertains, and
• The Oregon Attorney General, in writing or electronically, if the number of affected consumers exceeds 250 consumers

The covered entity must give notice of a breach of security as expeditiously as possible, and without unreasonable delay, but not later than 45 days after discovering or receiving notification of the breach of security.

Vendors

A vendor that discovers a breach of security, or has reason to believe that a breach has occurred, must notify the vendor’s covered entity as soon as is practicable, but not later than 10 days after discovering the security breach or having reason to believe the breach occurred.

A vendor must notify the Oregon Attorney General in writing or electronically if the vendor was subject to a breach of security that involved the personal information of more than 250 consumers or a number of consumers that the vendor could not determine.

Safeguard Requirements

The amended data breach notification law requires that both covered entities and vendors develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of personal information, including safeguards that protect the personal information when the covered entity or vendor disposes of the personal information.

Does the Data Breach Notification Law contain a HIPAA Safe Harbor provision?

Yes.

Under the data breach notification law, covered entities and vendors that are in compliance with HIPAA and the HITECH Act are exempt from the requirements of the amended Data Breach Notification Law. This means that, if covered entities and vendors have already enacted HIPAA- compliant measures with respect to PHI, then these covered entities and vendors have satisfied the Oregon law’s data security requirements with respect to that PHI.

What is an Example of the Safe Harbor Provision at Work?

For example: If Oregon regards a Social Security number as “personal information” (which it does), and HIPAA happens to regard that same piece of information – Social Security Number – as PHI (which HIPAA does), then:

A covered entity or vendor who already is compliant with the HIPAA regulations and the HITECH Act, need not give the notice about the breach of the Social Security number PHI that the amended data breach notification law would otherwise require covered entities and vendors to give. 

Instead, all that covered entities and vendors need do, notice-wise, is to provide, to the Oregon Attorney General, a copy of the notice it has already sent to HHS, as required by the HIPAA data breach notification rule. This requirement to provide a “copy” only applies to breaches of security that affect over 250 customers.

A Second Safe Harbor Provision

Notably, the data breach law contains a second, fairly unique “safe harbor” provision. The law states that compliance with the data security safeguards set forth in HIPAA may be raised as an affirmative defense in any action alleging that a covered entity or vendor has failed to comply with the amended data breach notification law’s own data security safeguarding requirements.

What this means is that if you are an entity that is not subject to HIPAA, but you nonetheless are in compliance with HIPAA’s data security safeguard requirements, then you can assert (and be given the chance to prove) that you, by being so compliant, are compliant with the amended Oregon law requiring that you develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of personal information.

Compliancy Group Simplifies HIPAA Compliance

Compliancy Group was founded to help simplify the HIPAA compliance challenge. We give health care organizations everything they need to address the full extent of the HIPAA regulations.

Our ongoing support and web-based compliance app, The Guard™, gives health care organizations the tools to address the law so they can get back to confidently running their business. 

Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and MaintainTM  their HIPAA compliance.