As we approach 2019, companies will want to keep in mind the changes that are coming to various US states’ breach notice laws. On January 1, 2019 Iowa’s law, which has already been amended twice since it was passed in 2008, will change again.
Under this update companies subject to and compliant with HIPAA will have certain exceptions under the law. Previously only financial entities could take advantage of such exceptions. This change brings Iowa in line with many other states with similar exemptions. Encrypted will now be defined to mean a method that meet industry standards. Finally, the attorney general will need to be notified five days after notice is made to impacted individuals. This is instead of five days after discovering the breach.
Putting it Into Practice: Companies with nationwide incident response plans will want to tweak the deadlines for the AG notification in Iowa. They will also want to keep the definition of encryption in mind as well as new the HIPAA exemption. Stay tuned for more this month in this series of blog articles.