In May, the Governor of Illinois, Bruce Rauner, signed amendments to the Illinois Personal Information Protection Act (“PIPA”), 815 ILCS 530/1 et seq., expanding the definition of protected personal information and adding more breach notification requirements. This amendment action follows the California Attorney General’s 2016 Data Breach Report, which provides a list of safeguards that the Attorney General believes constitute reasonable safeguards for Personally Identifiable Information (“PII”)—that is, reasonable security practices required by California law. See California Determines What Is Reasonable and Appropriate for Securing Health Information: HIPAA & HITECH Act Blog by Jonathan P. Tomes, March 10, 2016 at http://www.veteranspress.com/california-determines-reasonable-and-appropriate.

 The original Illinois law limited “personal information” (“PI”) to an individual’s first name or first initial and last name in combination with the individual’s Social Security number; driver’s license number, or state identification card number; or account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account. Note that even this limited information would constitute HIPAA protected health information (“PHI”) if maintained in a system of records by a covered entity. The amendments, effective January 1, 2017, expand the definition of “personal information” to include medical information, health insurance information, or unique biometric data—clearly PHI. And, the amendment makes usernames or email addresses, in combination with a password or security question and answer that would permit access to an online account, PI (and hence often PHI) when either the username, email address, password, or security question and answer are neither encrypted nor redacted.

The amendments also require entities that suffer a security breach to inform Illinois residents of the breach even if the PI was encrypted or redacted if the keys to undecrypt or unredact the PI was also a part of the breach. This provision is stricter than HIPAA and, hence, would “trump” HIPAA in the event of PI that constituted PHI. And the HITECH Act requires covered entities to follow state reporting laws, as well as its requirements. Under the Illinois law, if an entity is required to give notice and the breach of security involved an individual’s username or email address, the notice must direct individuals to promptly change their usernames or passwords and security questions or answers, as applicable, or to take other steps appropriate to protect all online account for which the individual uses the same username or email address and password or security question and answer.

An entity in possession of personal information will be required to implement and maintain reasonable security measures to protect the records from unauthorized access, destruction, or disclosure. The amendments deem that a HIPAA covered entity or business associate subject to and compliant with the HIPAA privacy and security standards will be in compliance with PIPA. Further, a covered entity or business associate that is required to provide notification of a breach to the Secretary of Health and Human Services under the HITECH Act must also provide such notification to the Illinois Attorney General.

Are these two states harbingers of a trend toward more and more state amplification of HIPAA? Stay tuned!

To read the entire PIPA, go to www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702.