WSR 13-07-053

PROPOSED RULES

OFFICE OF

INSURANCE COMMISSIONER

[ Insurance Commissioner Matter No. R 2012-14 -- Filed March 19, 2013, 7:43 a.m. ]

Supplemental Notice to WSR 12-23-071.

Preproposal statement of inquiry was filed as WSR 12-10-081.

Title of Rule and Other Identifying Information: Security breach notification.

Hearing Location(s): Insurance Commissioner's Office, TR 120, 5000 Capitol Boulevard, Tumwater, WA 98504-0255, on April 25, 2013, at 10:00 a.m.

Date of Intended Adoption: April 30, 2013.

Submit Written Comments to: Donna Dorris, P.O. Box 40258, Olympia, WA 98504-0258, e-mail rulescoordinator@oic.wa.gov, fax (360) 586-3109, by April 25, 2013.

Assistance for Persons with Disabilities: Contact Lorie Villaflores by April 24, 2013, TTY (360) 586-0241 or (360) 725-7087.

Purpose of the Proposal and Its Anticipated Effects, Including Any Changes in Existing Rules: The proposed rule will identify the insurance commissioner as a party requiring a notification of security breaches in addition to affected consumers and customers. Information required to be included in the notification will comply with state and federal requirements.

Reasons Supporting Proposal: In 2009, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act. On January 25, 2013, the final rule, Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; other modifications to the HIPAA rules, was released by the Department of Health and Human Services. The federal rules are effective on March 26, 2013. The changes clarify the definition of security breach, risk assessment and notice requirements related to security breaches.

Statutory Authority for Adoption: RCW 48.02.060, 48.30.010, and 48.43.505. The Gramm-Leach Bliley Act, Pub. L. 102-106; Sec. 501(b), Sec. 505 (B)(2). The Health Information Technology for Economic and Clinical Health Act, Pub. L. 111-5, Sec. 13402. Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; other modifications to the HIPAA rules, 45 C.F.R. Parts 160 and 164, January 25, 2013.

Statute Being Implemented: RCW 48.43.505.

Rule is necessary because of federal law, 45 C.F.R. Parts 160 and 164 (2013).

Name of Proponent: Mike Kreidler, insurance commissioner, governmental.

Name of Agency Personnel Responsible for Drafting: Donna Dorris, P.O. Box 40258, Olympia, WA 98504-0258, (360) 725-7040; Implementation: John Hamje, P.O. Box 40255, Olympia, WA 90504-0255 [98504-0255], (360) 725-7262; and Enforcement: Carol Sureau, P.O. Box 40255, Olympia, WA 98504-0255, (360) 725-7050.

No small business economic impact statement has been prepared under chapter 19.85 RCW. The increased cost for insurance licensees to meet this proposed new requirement (notifying the commissioner in cases of a security breach) is significantly less than 0.3 percent of the average Washington revenue of the smallest domestic licensees. Therefore a small business economic impact statement is not required for this proposed rule.

A cost-benefit analysis is required under RCW 34.05.328. A preliminary cost-benefit analysis may be obtained by contacting Donna Dorris, P.O. Box 40258, Olympia, WA 98504-0258, phone (360) 725-7040, fax (360) 586-3109, e-mail rulescoordinator@oic.wa.gov.

March 19, 2013

Mike Kreidler

Insurance Commissioner

OTS-5087.5


AMENDATORY SECTION (Amending Matter No. R 2000-08, filed 1/9/01, effective 2/9/01)

WAC 284-04-610   Violation.   A violation of this ((regulation)) chapter shall be deemed to be an unfair method of competition or an unfair or deceptive act and practice in this state.

[Statutory Authority: RCW 48.43.505 and Gramm-Leach-Bliley Act, Public Law 102-106, sec. 501(b), sec. 505 (b)(2). 01-03-034 (Matter No. R 2000-08), 284-04-610, filed 1/9/01, effective 2/9/01.]


NEW SECTION

WAC 284-04-625   Security breach notification requirements.   (1) The commissioner defines failure to provide notice of security breaches in compliance with this section as an unfair practice for the following reasons:

(a) Many licensees fail or periodically fail to protect personal information and protected health information as defined in subsection (2)(a) and (b) of this section, resulting in security breaches affecting their customers or consumers.

(b) When a customer or consumer whose personal or protected health information has been breached seeks assistance from the commissioner, information about security breaches and what actions a licensee is taking to protect customers or consumers must be available to the commissioner.

(2) All licensees must notify the insurance commissioner about the number of customers or consumers potentially affected and what actions are being taken in writing within two business days after determining notification must be sent to consumers or customers in compliance with RCW 19.255.010 and 45 C.F.R. 164 pertaining to:

(a) A breach of personal information as defined in RCW 19.255.010 (4) and (5) that seems reasonably likely to subject customers to a risk of criminal activity; or

(b) A breach of unsecured protected health information as defined in 45 C.F.R. 164.402 which compromises the security or privacy of the protected information for licensees subject to 45 C.F.R. 164.

(3) For breaches of protected health information, licensees subject to 45 C.F.R. 164 must comply with the regulations (45 C.F.R. 164.400 through 164.410) adopted by the U.S. Department of Health and Human Services (HHS) governing these requirements including:

(a) Notification requirements for a security breach as defined by 45 C.F.R. 164.402, meaning an acquisition, access, use, or disclosure of protected health information in a manner not permitted by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule which compromises the security or privacy of the protected health information.

(b) Notifying individuals, and other entities described in 45 C.F.R. 164.404 through 164.410.

(c) Notifying affected entities without unreasonable delay and in no case later than sixty calendar days following the discovery of the breach.

(d) Notifying documents that contain:

(i) A brief description of what happened, including the date of the breach and the date of discovery of the breach, if known;

(ii) A description of the types of unsecured protected health information involved in the breach;

(iii) Any steps individuals should take to protect themselves from potential harm resulting from the breach;

(iv) A brief description of what the covered entity is doing to investigate the breach, to mitigate harm to individuals and to protect against any further breaches; and

(v) Contact information for individuals to ask questions or learn additional information.

[]