Virginia Adds Medical Information Breach Notice Law

The state of Virginia has passed a breach notice law requiring notice of security breaches involving medical information. 

UPDATE:  Note, this law only applies to governmental entities, or other orgnizations "supported wholly or principally by public funds."   The version we previously linked to was an older version of the Virginia House's bill and had a broader definition of "entity."

"Entity" means any authority, board, bureau, commission, district or agency of the Commonwealth or of any political subdivision of the Commonwealth, including cities, towns and counties, municipal councils, governing bodies of counties, school boards and planning commissions; boards of visitors of public institutions of higher education; and other organizations, corporations, or agencies in the Commonwealth supported wholly or principally by public funds.

Medical information is defined  in the Virginia law as follows:

"Medical information" means the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of the Commonwealth, when the data elements are neither encrypted nor redacted:

1. Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or

2. An individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records.

The term does not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public."Breach of the security of the system" means unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of medical information maintained by an individual or entity. Good faith acquisition of medical information by an employee or agent of an individual or entity for the purposes of the individual or entity is not a breach of the security of the system, provided that the medical information is not used for a purpose other than a lawful purpose of the individual or entity or subject to further unauthorized disclosure.

Breaches that trigger the notice obligations are defined as follows:

"Breach of the security of the system" means unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of medical information maintained by an individual or entity. Good faith acquisition of medical information by an employee or agent of an individual or entity for the purposes of the individual or entity is not a breach of the security of the system, provided that the medical information is not used for a purpose other than a lawful purpose of the individual or entity or subject to further unauthorized disclosure.

Even if the data is encrypted, the law requires notice if the breach involved a person with access to the encryption key.  The law requires notice to affected individuals (residents of Virginia) as well as Virginia's Office of Attorney General.  The Attorney General can bring an action for violations of the law and impose civil penalties up to $150,000 per breach (or a series of similar breaches of a similar nature that are discovered in a single investigation).  The law does not apply to persons or entities that must report the breach under the HITech Act.