In May 2023, Pennsylvania’s recent amendments to the state’s Breach of Personal Information Notification Act (“the Act”) will become law. The amendments expand the protected categories of “personal information” to include “medical information.” The Act now applies to any entity that stores electronic data that includes medical information, even to senior living entities that are not “health care providers.”
The Act defines “medical information” as “any individually identifiable information contained in the individual’s current or historical record of medical history, medical treatment or diagnosis created by a healthcare professional.”
However, the Act is not limited to health care providers but potentially applies to senior living entities (assisted living facilities, personal care homes, home care agencies, etc.) that generally are not subject to the federal Health Insurance Portability and Accountability Act (HIPAA) and its patient notification requirements following a breach.
Pennsylvania’s notification requirements are triggered when there is a breach in the security of a computerized data system involving “any resident of this Commonwealth whose unencrypted personal information was or is reasonably believed to have been accessed by an unauthorized person.”
Once there is a breach of personal information, including medical information, the entity is required to provide notice to the individuals whose information has been compromised. However, the Act exempts any entity that already is subject to, and complies with, the federal HIPAA breach notification requirements.
While many senior living entities generally follow HIPAA guidelines as best practices – even if they technically do not qualify as “covered entities” – some may be unaware of the new Pennsylvania requirements. These organizations should familiarize themselves with the new legal requirements and begin preparing by assessing the risks to any electronic medical data that they maintain; implementing and enhancing data security measures; and adding cyber-liability insurance coverage if needed.
If you have any questions about the amendments to Pennsylvania’s Breach of Personal Information Notification Act, please contact Christopher J. Churchill or any member of Barley Snyder’s Senior Living or Health Care Industry groups or the Cybersecurity team.