WSR 12-23-071

PROPOSED RULES

OFFICE OF

INSURANCE COMMISSIONER

[ Insurance Commissioner Matter No. R 2012-14 -- Filed November 20, 2012, 8:36 a.m. ]

     Original Notice.

     Preproposal statement of inquiry was filed as WSR 12-10-081.

     Title of Rule and Other Identifying Information: Security breach notification.

     Hearing Location(s): Insurance Commissioner's Office, TR 120, 5000 Capitol Boulevard, Tumwater, WA 98504-0255, on December 27, 2012, at 10:00 a.m.

     Date of Intended Adoption: January 2, 2013.

     Submit Written Comments to: Donna Dorris, P.O. Box 40258, Olympia, WA 98504-0258, e-mail rulescoordinator@oic.wa.gov, fax (360) 586-3109, by December 27, 2012.

     Assistance for Persons with Disabilities: Contact Lorie Villaflores by December 26, 2012, TTY (360) 586-0241 or (360) 725-7087.

     Purpose of the Proposal and Its Anticipated Effects, Including Any Changes in Existing Rules: The proposed rule will identify who is required to be notified when a security breach occurs and what information is required to be included in the notification. The proposed regulation will provide consistency between state and federal requirements.

     Reasons Supporting Proposal: In 2009, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The changes affect notice requirements related to security breaches, such as unintentional disclose of personal health information. State regulations will be consistent with federal requirements.

     Statutory Authority for Adoption: RCW 48.02.060, 48.30.010 and 48.43.505. The Gramm-Leach Bliley Act, Pub. L. 102-106, Sec. 501(b), Sec. 505 (B)(2). The Health Information Technology for Economic and Clinical Health Act, Pub. L. 111-5, Sec. 13402.

     Statute Being Implemented: RCW 48.43.505.

     Rule is necessary because of federal law, The Gramm-Leach Bliley Act, Pub. L. 102-106, Sec. 501(b), Sec. 505 (B)(2). The Health Information Technology for Economic and Clinical Health Act, Pub. L. 111-5, Sec. 13402.

     Name of Proponent: Mike Kreidler, insurance commissioner, governmental.

     Name of Agency Personnel Responsible for Drafting: Donna Dorris, P.O. Box 40258, Olympia, WA 98504-0258, (360) 725-7040; Implementation: John Hamje, P.O. Box 40255, Olympia, WA 90504-0255 [98504-0255], (360) 725-7262; and Enforcement: Carol Sureau, P.O. Box 40255, Olympia, WA 98504-0255, (360) 725-7050.

     No small business economic impact statement has been prepared under chapter 19.85 RCW. The increased cost for insurance licensees to meet this proposed new requirement (notifying the commissioner in cases of a security breach) is significantly less than 0.3% of the average Washington revenue of the smallest domestic licensees. Therefore a small business economic impact statement is not required for this proposed rule.

     A cost-benefit analysis is required under RCW 34.05.328. A preliminary cost-benefit analysis may be obtained by contacting Donna Dorris, P.O. Box 40258, Olympia, WA 98504-0258, phone (360) 725-7040, fax (360) 586-3109, e-mail rulescoordinator@oic.wa.gov.

November 20, 2012

Mike Kreidler

Insurance Commissioner

OTS-5087.2


AMENDATORY SECTION(Amending Matter No. R 2000-08, filed 1/9/01, effective 2/9/01)

WAC 284-04-610   Violation.   A violation of this ((regulation)) chapter shall be deemed to be an unfair method of competition or an unfair or deceptive act and practice in this state.

[Statutory Authority: RCW 48.43.505 and Gramm-Leach-Bliley Act, Public Law 102-106, sec. 501(b), sec. 505 (b)(2). 01-03-034 (Matter No. R 2000-08), § 284-04-610, filed 1/9/01, effective 2/9/01.]


NEW SECTION

WAC 284-04-625   Security breach notification requirements.   (1) The commissioner defines failure to provide notice of security breaches in compliance with this section as an unfair practice for the following reasons:

     (a) Many licensees fail or periodically fail to protect personal information and protected health information as defined in subsection (2)(a) and (b) of this section, resulting in security breaches affecting their customers or consumers.

     (b) When a customer or consumer whose personal or protected health information has been breached seeks assistance from the commissioner, information about security breaches and what actions a licensee is taking to protect customers or consumers must be available to the commissioner.

     (2) All licensees must notify the insurance commissioner in writing within two business days about the number of customers or consumers potentially affected and what actions are being taken following discovery of:

     (a) A breach of personal information as defined in RCW 19.255.010 (4) and (5) that seems reasonably likely to subject customers to a risk of criminal activity; or

     (b) A breach of unsecured protected health information as defined in 45 C.F.R. 164.402 which compromises the security or privacy of the protected information for licensees subject to 45 C.F.R. 164.

     (3) For breaches of protected health information, licensees subject to 45 C.F.R. 164 must comply with the regulations (45 C.F.R. 164.400 through 164.410) adopted by the U.S. Department of Health and Human Services (HHS) governing these requirements including:

     (a) Notification requirements for a security breach as defined by 45 C.F.R. 164.400, meaning an acquisition, access, use, or disclosure of protected health information in a manner not permitted by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule which compromises the security or privacy of the protected health information.

     (b) Notifying individuals, and other entities described in 45 C.F.R. 164.404 through 164.410.

     (c) Notifying affected entities without unreasonable delay and in no case later than sixty calendar days following the discovery of the breach.

     (d) Notifying documents that contain:

     (i) A brief description of what happened, including the date of the breach and the date of discovery of the breach, if known;

     (ii) A description of the types of unsecured protected health information involved in the breach;

     (iii) Any steps individuals should take to protect themselves from potential harm resulting from the breach;

     (iv) A brief description of what the covered entity is doing to investigate the breach, to mitigate harm to individuals and to protect against any further breaches; and

     (v) Contact information for individuals to ask questions or learn additional information.

[]