Oregon recently enacted SB684, which goes into effect next year. Two points we'd like to share:
One, vendors contracted to maintain or access personal information on behalf of a covered entity will be required to:
(i) notify the covered entity “as soon as is practicable but not later than 10 days” after discovering a security breach or believing a breach has occurred; and
(ii) notify the state Attorney General if a security breach involves the personal information of more than 250 consumers, or an undetermined number of consumers, provided that the covered entity has not already done so.
Ten days is a tight timeline; it requires Business Associates to stay vigilant for security incidents, policy violations, and other suspected (e)PHI breaches so that discovery and notification happen within that window.
Two, the law allows a Covered Entity or Business Associate to defend itself against allegations that it failed to adequately safeguard personal information if it can demonstrate "...reasonable security measures that would be required for personal information subject to the applicable Act...". For ePHI, using HIPAA as the framework should satisfy this requirement.