(1) A covered entity under the federal health insurance portability and accountability act of 1996, 42 U.S.C. § 1320d et seq., is deemed to have complied with the requirements of this chapter with respect to protected health information if it has complied with section 13402 of the federal health information technology for economic and clinical health act, P.L. 111-5 as it existed on July 24, 2015. Covered entities shall notify the attorney general pursuant to RCW 19.255.010(7) in compliance with the timeliness of notification requirements of section 13402 of the federal health information technology for economic and clinical health act, P.L. 111-5 as it existed on July 24, 2015, notwithstanding the timeline in RCW 19.255.010(7).

(2) A financial institution under the authority of the office of the comptroller of the currency, the federal deposit insurance corporation, the national credit union administration, or the federal reserve system is deemed to have complied with the requirements of this chapter with respect to “sensitive customer information” as defined in the interagency guidelines establishing information security standards, 12 C.F.R. part 30, Appendix B, 12 C.F.R. part 208, Appendix D-2, 12 C.F.R. part 225, Appendix F, and 12 C.F.R. part 364, Appendix B, and 12 C.F.R. part 748, Appendices A and B, as they existed on July 24, 2015, if the financial institution provides notice to affected consumers pursuant to the interagency guidelines and the notice complies with the customer notice provisions of the interagency guidelines establishing information security standards and the interagency guidance on response programs for unauthorized access to customer information and customer notice under 12 C.F.R. part 364 as it existed on July 24, 2015. The entity shall notify the attorney general pursuant to RCW 19.255.010 in addition to providing notice to its primary federal regulator.

Effective date—2019 c 241: See note following RCW 19.255.010.