Washington & Oregon Data Breach Notification Law Changes

Here in the Northwest, legislatures in both Oregon and Washington hold their regular sessions during the winter and spring of the year. In their regular sessions in 2015, both amended state laws related to data breach notification, which means your Incident Response Plan (IRP) likely needs updating.

Washington state data breach notification law changes are effective July 24, 2015. Changes include:

  • A covered entity that complies with HIPAA Breach Notification Rule requirements is deemed to have also complied with Washington State law.
  • Information about what must be included in the consumer notice.
  • A new requirement that if a single breach impacts more than 500 Washington state residents, the attorney general must also be sent an electronic copy of the breach notice by the time consumers receive notice. The AG must also be informed of the number of people impacted by the breach. This requirement also applies to covered entities that have been deemed compliant by complying with HIPAA.
  • Notice must be provided to consumers no more than 45 days after breach discovery unless law enforcement requests a delay.

Oregon state data breach notification law changes are effective January 1, 2016.

  • The definition of personal information has been expanded to include:
    • Biometric information that is used to authenticate identity (like your thumbprint, for Apple iOS users)
    • Health insurance policy or subscriber number
    • Information about medical history, mental or physical condition or diagnosis or treatment
  • There is a new requirement that if a single breach impacts more than 250 Oregon state residents, the attorney general must also be notified.
  • If consumer reporting agencies must be notified because the breach impacts more than 1,000 Oregon residents, then any police report number assigned to the breach by law enforcement must be included in the notice.
  • A covered entity that complies with HIPAA Breach Notification Rule requirements is deemed to have also complied with Oregon State law as long as the CE sends a copy of the breach notice to the AG.  

Business associates: although a covered entity (CE) that complies with the HIPAA Breach Notification Rule is deemed to have complied with both state laws, this interpretation does not apply to you as a business associate.

State laws are tricky, and always changing. If you would like help updating your Incident Response Plan (IRP) and data breach notification templates, give Apgar and Associates a call at 877-376-1981.