News & Thought Leadership from Sulloway & Hollis

September 30, 2016

Brief Comments on New Hampshire Privacy/Security

New Hampshire’s Security Breach Notification law

  • As with other states, New Hampshire has enacted a breach notification law with respect to breaches of computerized data that includes “personal information.” Found at RSA 359-C:19-21, this statute requires notification to the New Hampshire Attorney General’s office and to affected individuals of a “security breach” – meaning the “unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information maintained by a person doing business in this state.” Breach notifications are posted online at http://www.doj.nh.gov/consumer/security-breaches/c.htm
  • Good-faith acquisition of personal information by an employee or agent is not considered a breach if the personal information is not used or subject to further unauthorized disclosure.
  • “Personal Information” means first name or initial and last name in combination with SSN; OR driver’s license or other government ID; OR account number, credit card number, or debit number in combination with any required security code, access code or password that would permit access to an individual’s financial account.
    • BUT ONLY WHEN EITHER THE NAME OR DATA ELEMENTS ARE NOT ENCRYPTED. (As with HIPAA, encryption takes you out of the breach definition/notification requirements.)
  • New Hampshire does not define “compromises.” However, the statute does allow you to determine “the likelihood that the information has been or will be misused.” Notification is only required if you determine that “misuse” has occurred or is reasonably likely to occur OR if a determination cannot be made.
    • This assessment must be done “promptly,” and the standard is slightly different from that in other states. For example, in Maine, notification is required “if misuse has occurred or if it is reasonably possible that misuse will occur.” So, the analysis may differ from state to state.
  • Notice must be given “as soon as possible.”
  • A person injured by any violation of the breach notification requirements may bring an action for actual damages and/or equitable relief (up to 3x damages for willful or knowing violation).
  • Recommend state breach notification procedure be built into standard HIPAA breach notification procedure.

Patient Information and Marketing

  • RSA 332-I:1 & I:4 require a HIPAA-compliant authorization for marketing.
  • BUT New Hampshire’s definition of marketing is a bit broader than HIPAA (for example, there is no exception for refill reminders), so there may be a use or disclosure of PHI by a health care provider or business associate of a health care provider that is allowed under federal law, but not permitted by New Hampshire statute.
  • Any violation of New Hampshire’s marketing provisions gives a right to a civil action – not less than $1000/violation plus costs/fees.