Although there is no federal law requiring data encryption, the frequency of data breaches in healthcare has inspired several states to update laws regarding data encryption.
Montana, New Jersey, Connecticut and Washington have all recently enacted or proposed legislation to update data encryption requirements for healthcare organizations, joining Massachusetts, which already requires companies to encrypt personal information. Many states have no regulations imposing penalties, but the new laws in these states require punitive action after a breach of medical information, according to Lexology.
Montana has updated its breach notification law, effective Oct. 1, to include medical record information within the definition of personal information. "Personal information" also now includes a taxpayer ID number or an identity protection PIN issued by the IRS in combination with a first initial or first name and last name. When issuing breach notifications, businesses must also notify the state attorney general's consumer protection office and provide a statement giving the date and method of the notification process, according to the report.
The New Jersey state legislature signed SB 562 into law in January, requiring health insurance companies in the state to encrypt personal information when compiling or maintaining electronic records that include personal information. The state's definition of personal information includes the person's first initial or first name and last name linked with either his or her Social Security number, driver's license number, state ID number, address or identifiable health information. Failure to encrypt qualifies as a violation of the state's consumer fraud statute, and the company is liable to prosecution with damages, according to the report.
The Connecticut General Assembly has proposed legislation that would require insurance companies to encrypt personal information and institute new regulation on the minimum standard for security technology.
Washington state also recently passed a bill imposing new requirements after a data breach — businesses must notify consumers and the state's attorney general no later than 45 days after the breach was discovered. Failure to do so makes the business liable under the state's Consumer Protection Act.
New Mexico is also considering legislation on data encryption but has yet to propose anything, according to the report.