As of Oct. 1, health insurance providers in Maryland must notify the Maryland Insurance Administration if patient information is exposed in a cybersecurity incident, according to the HIPAA Journal.
Here are four things to know:
1. The requirements apply to health plans, health insurers, health maintenance organizations, managed care organizations, managed general agents and third-party insurance administrators.
2. If data elements are not encrypted, redacted or otherwise unreadable, insurance providers must alert the MIA of a breach when a patient’s first name or first initial and last name is affected along with one or more of the following: Social Security number, taxpayer identification number, passport number, driver's license number, health insurance number or credit card number.
3. The Maryland Insurance Administration's compliance and enforcement division must also be alerted if the organization believes patient information has been or is likely to be misused.
4. Along with sending a notification of the breach to members, health insurance providers must send a copy of the letter to the Maryland Insurance Administration.