Washington Legislature’s 30-day Data Breach Notification Law Effective March 1, 2020
The Washington legislature unanimously passed new legislation that effectively truncates the state’s data breach notification time to just 30 days – half the time required by HIPAA. In addition to modifying notification requirements, the bill expands the definition of consumer information. Under the law, a breach now includes the combination of a consumer’s name with their full birth date, health insurance identification numbers, medical history, student ID, military ID, passport, username and password, biometrics, like DNA profiles or fingerprints, and electronic signatures, as well. This is the state’s second privacy bill to pass in less than two years. In June 2017, Washington legislature bolstered its patient privacy rights with a law that limits the use of medical and mental health records in discrimination lawsuits.