On November 3, 2022, Pennsylvania Governor Tom Wolf signed Senate Bill (‘SB’) 696 to amend the Breach of Personal Information Notification Act of 2005 to broaden the definition of personal information.
Under the new amendments, businesses that experience a breach of the personal information they manage are required to notify those affected. However, the type of information that triggers a notification, as well as the format, timing, and other conditions of that notification, can vary from state to state. Companies that have clients in many states must therefore keep track of and adhere to a multitude of varying requirements. Additionally, notifications issued by breached businesses must include the name of the affected state resident.
Medical information, health insurance information, and usernames and passwords are now included in the new definition of personal information. Medical information is defined as personally identifiable data created by a healthcare provider that relates to a patient’s present or previous medical condition, diagnosis, or treatment. Health insurance information consists of a health insurance policy number, subscriber number, access code, and other details that could be used to abuse a person’s insurance benefits. In addition, any information that allows an unauthorized individual to access an online account requires a notification; such information includes usernames, passwords, and answers to security questions. Digital notifications can now be sent to individuals if there has been a prior business relationship and a legitimate email address is on file, as long as the notice instructs them to change their password or other relevant account information immediately in order to secure their account. Standard notices must be sent by letter to the affected individual’s last-known residence. However, telephonic notices are acceptable if it is reasonable to assume that the person can be contacted by phone.
The amendment to the legislation will take effect on May 2, 2023. In the event of a notification violation, the Pennsylvania Attorney General has the authority to punish non-compliant entities under the state ‘deceptive trade practices’ statutes. Entities and their business associates regulated by the Health Insurance Portability and Accountability Act (HIPAA) are not required to adhere to the Breach of Personal Information Notification Act, provided they comply with the standards of the HIPAA Breach Notification Rule.