South Carolina became the second state to enact data security legislation for health insurers in June 2020. The State of South Carolina Insurance Data Privacy Act was enacted on July 13th, 2020, and is modeled after the National Association of Insurance Commissioners’ Model Act.
The Act states that any electronic or online claims submitted by or received by the insurer will be protected by a password or code provided by the insurer that is unique to the insurer and will only be used for online claims processing and other authorized purposes. Also, the Act requires insurance carriers to obtain patients’ permission before releasing any personally identifiable information to third parties for any reason. Finally, the Act requires all insurance carriers to report data breaches to the state Department of Insurance within 24 hours. If the breach is due to a patient’s negligence, then the policyholder has the right to file a suit against the carrier responsible for the breach.
One of the primary goals of the South Carolina Insurance Data Privacy Act is to provide health insurers with additional protections in the face of ever-changing threats. While most security efforts have focused on protecting the databases themselves, many companies specialize in creating encryption software and maintaining those applications. While it is impossible to completely secure data systems from attacks that originate outside of the network, it is impossible to reduce the risk that a data breach will occur or that identity and personal information will be compromised.
One of the primary motivations for passing the Act was ensuring that data was secure even if a breach occurred. For example, if an individual provided a health insurance plan with a password that was compromised by a criminal element, the insurance company would have no way to access the data or even to find out how to get into the plan. On the other hand, if the same individual provided the same password and PIN to a third party, the third party would have the ability to read the data’s contents in the same manner as the insurer.
While it may be difficult to measure the South Carolina Insurance Data Privacy Act’s success, its implementation has led to a significant reduction in the number of reported cases of identity theft, fraud, and other types of security breaches. While a significant number of the incidents that have occurred and resulted in data loss are still being investigated and remedied, the Act’s implementation has resulted in a significant reduction in the number of data breaches that have resulted in a loss of life for individuals and businesses.
The Insurance Data Privacy Act is one of the many “smart data” and identity security model laws introduced in recent years. While these laws are primarily designed to provide insurance providers with protection against identity theft, they also allow policyholders to protect their privacy and limit the use of their information if they so choose. While the extent to which such a law applies to each type of sensitive data will vary from state to state, the South Carolina Act provides essential guidance for consumers who care about their data security.