Washington state passes bill which tightens protected health information standards, shortens breach notification time

May 3, 2019
Medicare Web

The Washington legislature unanimously passed a bill in April that will shorten the state’s data breach notification time to 30 days, which is half the time required by HIPAA.

HIPAA’s breach notification rule requires that, following a breach of protected health information (PHI), covered entities provide notification to affected individuals, the HHS Secretary, and, in certain circumstances, to the media within 60 days following the discovery of the breach. Washington law previously required that breach notifications be provided to consumers and the state attorney general within 45 days of discovering the breach.

In addition to shortening notification time, the bill specifies that its definition of “personal information” can consist of any of the PHI data elements, even in the absence of the consumer’s name, if encryption, redaction, or other methods haven’t rendered the data unusable and the data would still enable a person to commit identity theft.

The new law will also require breach notifications to include a time frame of the exposure, if known, including the date of the breach and the discovery date of the breach. This is more specific than HIPAA’s requirement to include a brief description of the breach.

Other states, including North Carolina and Oregon, are considering similar legislation.
