New HIPAA Data Breach Regulation and Comparison of State Breach Laws

Entities covered by HIPAA (Health Insurance Portability and Accountability Act) are facing new regulations governing data breach notification requirements. Part of the regulation allows the HIPAA entity to be exempt from the notification requirement if the lost health information was encrypted according to the guidance set by the FTC and U.S. Department of Health and Human Services. This exemption for encrypted personal data is not uncommon; the majority of state data breach notification laws include a provision for it.

One of the benefits of this type of exemption is that it encourages entities to better secure their data. Further, companies utilizing encryption and other security protocols may have a lower security exposure and therefore get the benefit of lower premiums for security insurance coverages. Conversely, security coverages, especially crisis management / notification expense coverages, are a focal point for entities conducting business in the handful of states that require notification regardless of whether or not the lost data is encrypted. The states without the exemption provision include New Hampshire, New York, North Carolina, Ohio, Texas, Wisconsin, Wyoming, Washington DC and Louisiana. (Interestingly, a review of the Institute for Legal Reform's (ILR) 2008 ranking of state liability systems shows that the majority of states without the exemption also tend to score at the moderate to worst level for fairness and reasonableness of their tort liability system.)

Another key element of state data breach notification requirements is the provision that imposes civil or criminal fines and penalties for failure to promptly notify customers of a data breach. The majority of states include this provision in their breach notification laws. Entities that have a notification plan in place will be better prepared to avoid the fine or penalty, but insurance provisions can also play an important role in transferring the risk. While coverage for a criminal fine or penalty is unlikely, protection for a civil fine or penalty imposed by a regulatory action is available.

To get a closer look at the state-by-state laws without reading the full statutes, try the Perkins Coie Security Breach chart.