North Dakota has amended its Notice of Security Breach for Personal Information statute, North Dakota Century Code Section 51-30 et seq., to expand the definition of “personal information” to include “medical information” and health insurance information.” Pursuant to the amended statute, “medical information” includes any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional. “Health Insurance Information” is defined as an individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual. The amended statute also includes a carve out for covered entities, business associates, or subcontractors subject to breach notification obligations under HIPAA/HITECH. The amended statute took effect on August 1, 2013.
Prior to the amendment, North Dakota was already a state with a breach notification statute that defines personal information more broadly than an individual’s first name or first initial and last name plus one of the following data elements: Social Security number; driver’s license number or state issued ID card number; an account, credit card number or debit card number combined with security code, access code, PIN or password needed to access an account. Also included in North Dakota’s data breach statute’s definition of personal information are an individual’s date of birth, mother’s maiden name, employee identification number, and electronic signature.