• Privacy
  • August 10, 2017 | Authors: Christia A. Pritts; Lawrence D. Coppel; Andrew D. Bulgin; Marjorie A. Corwin; Peter B. Rosenwald; D. Robert Enten; David S. Musgrave; Robert A. Gaumont; Christopher R. Rahl; Bryan M. Mull; Chastity E.C. Threadcraft
  • Law Firm: Gordon Feinblatt LLC - Baltimore Office
  • Maryland Personal Information Protection Act – Data Breach Requirements Revised
    HB974 (Chapter 518)
    (effective January 1, 2018)

    This law amends the Maryland Personal Information Protection Act, which is Maryland’s data breach law. It imposes additional duties on businesses that hold an individual’s personal information to protect that information, and it changes the notification requirements that apply when a business experiences a security breach affecting computerized personal information of an individual residing in Maryland. The definition of personal information is expanded to include, among other information, health information, health insurance information, and biometric data. For the first time, Maryland’s law specifically addresses breaches involving only email account information. While amendments were introduced during the legislative session that would have adversely impacted existing exemptions, they were defeated. New exemptions have been added for a business that is subject to and in compliance with the federal HIPAA requirements and affiliates of such businesses.

    Practice Point: There continues to be an exemption from the Maryland Personal Information Protection Act for businesses subject to and in compliance with Section 501(b) of the federal Gramm-Leach-Bliley Act and various identified federal guidelines and guidance (e.g., depository financial institutions) and their affiliates, as well as businesses in compliance with requirements established by a primary or functional federal or Maryland regulator.

    Financial Records Requested by the Department of Human Resources
    SB671 / HB752 (Chapters 202 and 203)
    (effective October 1, 2017)

    This law requires the Department of Human Resources to request financial records from a fiduciary institution (e.g., banks, savings and loans, credit unions) doing business in Maryland if an applicant for long-term care Medicaid benefits has been unable to obtain those financial records and the records are necessary to establish the applicant’s eligibility for Medicaid benefits. This change is intended to eliminate barriers to Medicaid eligibility determinations.

    Practice Point: Maryland’s Confidential Financial Records Act already allows fiduciary institutions to disclose financial records to the Department of Human Resources in order to verify an individual’s eligibility for public assistance.