Pennsylvania Amends Breach Notification Law

Sheppard Mullin Richter & Hampton LLP

[co-author: Kathryn Smith*]

Pennsylvania recently amended its data breach notification law to expand its definition of personal information and provide for a HIPAA exception. The process for providing notice in the event of a username/email breach has also changed. The amendments will not be effective until May 2, 2023.

As amended, personal information will include medical and health insurance information. This mirrors many other states, which have also recently expanded their definitions of personal information to include these data elements. Pennsylvania’s breach notice law will also mirror that of almost half of the other US states in including in its definition of personal information usernames or e-mail addresses, in combination with a password or security question that would permit access to an online account.

In addition to amending the definition of personal information, Pennsylvania will add a HIPAA compliance exception to the breach notice law. Under that exception, entities that are both subject to and in compliance with HIPAA’s privacy and security standards will be deemed compliant with the state’s breach notice law.

Finally, beginning in May 2023, if a breach involves usernames or email accounts, companies can provide “electronic notification.” To be sufficient, the notification needs to tell the individual to change their password or take other protective measures.

Putting it Into Practice: Pennsylvania’s changes will not have a significant impact on entities that maintain incident response programs that address the requirements of all US jurisdictions. Companies will want to keep in mind that medical and health insurance information, as well as usernames/email accounts and passwords, will become personal information under the breach notice law beginning May 2023.

* Kathryn Smith is a fellow in the firm’s Chicago office.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising
