HIPAA Covered Entities Get Pass on OR Data Breach Notification Law
April 10, 2018 – HIPAA covered entities in Oregon are exempt from a new requirement that organizations in the state report data breaches within 45 days of discovery.
At the end of March, Oregon Governor Kate Brown signed into law amendments (Senate Bill 1551) to the data breach law that would impose the 45-day reporting requirement unless doing so would impede a law enforcement investigation.
The amendment would also prohibit credit reporting agencies from charging a fee to residents who want to freeze or unfreeze their credit reports.
According to an analysis of the legislation by David Stauss, an attorney with the law firm of Ballard Spahr, the amendments exempt HIPAA covered entities, which are subject to a 60-day data breach notification requirement under the federal law.
Stauss noted that health insurance policy numbers, subscriber numbers, any medical history, or other information on a person’s physical or mental health are included under the definition of personal information subject to the data breach notification law.
“In the absence of a carve-out, there could have been circumstances under which a HIPAA covered entity may have been required to provide notice sooner than the 60-day requirement in the HIPAA Breach Notification Rule,” Stauss wrote.
“However, it should be emphasized that it will not always be the case that Oregon’s 45-day deadline will run before HIPAA’s 60-day deadline because the HIPAA deadline starts on ‘the first day on which such breach is known to the covered entity, or, by exercising reasonable diligence would have been known to the covered entity’,” he observed.
In addition, the new law expands the scope of those who must notify in case of a data breach to anyone who “has control over or access to” data containing personal information. It also requires those subject to the law to conduct risk assessments, provide regular training of employees, review user access privileges on a regular basis, apply security updates, and institute a reasonable security patch management program, wrote Stauss.