WSR 13-11-004

PERMANENT RULES

OFFICE OF

INSURANCE COMMISSIONER

[ Insurance Commissioner Matter No. R 2012-14 -- Filed May 1, 2013, 4:29 p.m., effective June 1, 2013 ]


     Effective Date of Rule: Thirty-one days after filing.

     Purpose: The purpose of this new rule is to require that the insurance commissioner be notified within two business days after a licensee determines that notification of a security breach of personal information or protected health information must be made to consumers or customers in compliance with RCW 19.255.010 and 45 C.F.R. Part 164.

     Citation of Existing Rules Affected by this Order: Amending WAC 284-04-610.

     Statutory Authority for Adoption: RCW 48.02.060, 48.30.010, and 48.43.505.

     Other Authority: The Gramm-Leach-Bliley Act, Pub. L. 106-102, Sec. 501(b), Sec. 505 (b)(2); 45 C.F.R. Parts 160 and 164 (2013).

      Adopted under notice filed as WSR 13-07-053 on March 19, 2013.

     A final cost-benefit analysis is available by contacting Donna Dorris, P.O. Box 40255, Olympia, WA 98504-0258, phone (360) 725-7040, fax (360) 586-3109, e-mail donnad@oic.wa.gov.

     Number of Sections Adopted in Order to Comply with Federal Statute: New 0, Amended 0, Repealed 0; Federal Rules or Standards: New 1, Amended 0, Repealed 0; or Recently Enacted State Statutes: New 0, Amended 0, Repealed 0.

     Number of Sections Adopted at Request of a Nongovernmental Entity: New 0, Amended 0, Repealed 0.

     Number of Sections Adopted on the Agency's Own Initiative: New 1, Amended 1, Repealed 0.

     Number of Sections Adopted in Order to Clarify, Streamline, or Reform Agency Procedures: New 0, Amended 0, Repealed 0.

     Number of Sections Adopted Using Negotiated Rule Making: New 0, Amended 0, Repealed 0; Pilot Rule Making: New 0, Amended 0, Repealed 0; or Other Alternative Rule Making: New 1, Amended 1, Repealed 0.

     Date Adopted: May 1, 2013.

Mike Kreidler

Insurance Commissioner

OTS-5087.5


AMENDATORY SECTION (Amending Matter No. R 2000-08, filed 1/9/01, effective 2/9/01)

WAC 284-04-610   Violation.   A violation of this ((regulation)) chapter shall be deemed to be an unfair method of competition or an unfair or deceptive act and practice in this state.

[Statutory Authority: RCW 48.43.505 and Gramm-Leach-Bliley Act, Public Law 102-106, sec. 501(b), sec. 505 (b)(2). 01-03-034 (Matter No. R 2000-08), § 284-04-610, filed 1/9/01, effective 2/9/01.]


NEW SECTION

WAC 284-04-625   Security breach notification requirements.   (1) The commissioner defines failure to provide notice of security breaches in compliance with this section as an unfair practice for the following reasons:

     (a) Many licensees fail, at least periodically, to protect personal information and protected health information as defined in subsection (2)(a) and (b) of this section, resulting in security breaches affecting their customers or consumers.

     (b) When a customer or consumer whose personal or protected health information has been breached seeks assistance from the commissioner, information about security breaches and what actions a licensee is taking to protect customers or consumers must be available to the commissioner.

     (2) All licensees must notify the insurance commissioner in writing, within two business days after determining that notification must be sent to consumers or customers in compliance with RCW 19.255.010 and 45 C.F.R. Part 164, of the number of customers or consumers potentially affected and what actions are being taken, pertaining to:

     (a) A breach of personal information as defined in RCW 19.255.010 (4) and (5) that seems reasonably likely to subject customers to a risk of criminal activity; or

     (b) A breach of unsecured protected health information as defined in 45 C.F.R. 164.402 which compromises the security or privacy of the protected information for licensees subject to 45 C.F.R. 164.

     (3) For breaches of protected health information, licensees subject to 45 C.F.R. 164 must comply with the regulations (45 C.F.R. 164.400 through 164.410) adopted by the U.S. Department of Health and Human Services (HHS) governing these requirements including:

     (a) Notification requirements for a security breach as defined by 45 C.F.R. 164.402, meaning an acquisition, access, use, or disclosure of protected health information in a manner not permitted by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule which compromises the security or privacy of the protected health information.

     (b) Notifying individuals and other entities as described in 45 C.F.R. 164.404 through 164.410.

     (c) Notifying affected individuals and entities without unreasonable delay and in no case later than sixty calendar days following the discovery of the breach.

     (d) Notification documents that contain:

     (i) A brief description of what happened, including the date of the breach and the date of discovery of the breach, if known;

     (ii) A description of the types of unsecured protected health information involved in the breach;

     (iii) Any steps individuals should take to protect themselves from potential harm resulting from the breach;

     (iv) A brief description of what the covered entity is doing to investigate the breach, to mitigate harm to individuals and to protect against any further breaches; and

     (v) Contact information for individuals to ask questions or learn additional information.

[]