On April 19, 2013, the North Dakota legislature amended the state’s breach notification law (Section 51-30-01 of the North Dakota Century Code) to expand the definition of “personal information” to include “health insurance information” and “medical information.” Pursuant to the amended breach law, “health insurance information” is defined to mean an “individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.” “Medical information” is defined to mean “any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.” The amendment also carves out an exemption for covered entities, business associates and subcontractors that are subject to the breach notification requirements of 45 C.F.R. 164, Subpart D.

In addition to the standard data elements that, in combination with an individual’s name, typically constitute personal information under the state breach notification laws (i.e., Social Security number, driver’s license number or nondriver photo identification card number, and financial account number), North Dakota’s breach law already included an individual’s date of birth, mother’s maiden name, employee identification number and electronic signature in the definition of “personal information.”

The amendments took effect on August 1, 2013.