Update Applicable to:
All employers of employees covered by HIPPA in the state of Pennsylvania
What happened?
On November 4, 2022, Governor Wolf signed Senate Bill 696 (SB 696) into law, amending Pennsylvania’s breach notification law.
What are the details?
Effective May 2, 2023, SB 696 expands the definition of “personal information” to include the following data elements when compromised in combination with a resident’s name:
- Medical information: any individually identifiable information contained in the individual’s current or historical record of medical history or medical treatment, or diagnosis created by a healthcare professional.
- Health insurance information: an individual’s health insurance policy number or subscriber number in combination with access code or other medical information that permits misuse of an individual’s health insurance benefits.
- Username or e-mail address, in combination with a password or security question that would permit access to an online account
SB 696 also provides a new permissible method of providing notice of a breach if the affected personal information consists of a username or email address in combination with a password, allowing for electronic notice “if the notice directs the person whose personal information has been materially compromised by a breach of the security of the system to change the person’s password promptly and security question or answer, as applicable, or to take other steps appropriate to protect the person’s online account….” Additionally, SB 696 excludes covered entities and business associates subject to HIPAA.
For more information, please see the links below:
What do employers need to do?
Employers should review the links provided above and ensure that their privacy and security standards comply with the law’s new amendments come May 3, 2023.
Need help understanding how changes to employment laws will affect your business?
Learn more about how Vensure's Pennsylvania PEO services can help you navigate complex employment laws and keep your business compliant.
This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.
