Pennsylvania § 4532 Exemptions

Pennsylvania Statutes

§ 4532 — Exemptions

Pennsylvania § 4532

JurisdictionPennsylvania

Title 40INSURANCE

PartPART II

Ch. 45INSURANCE DATA SECURITY

Subch.MISCELLANEOUS PROVISIONS

This text of Pennsylvania § 4532 (Exemptions) is published on Counsel Stack Legal Research, covering Pennsylvania primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.

Bluebook

40 Pa. Cons. Stat. § 4532 (2026).

Text

(a)Licensee criteria.--A licensee meeting any of the following criteria shall be exempt from sections 4512 (relating to risk assessment), 4513 (relating to information security program), 4514 (relating to corporate oversight), 4515 (relating to oversight of third-party service provider arrangements) and 4516 (relating to certification):

(1)The licensee has fewer than 10 employees.

(2)The licensee has less than $5,000,000 in gross revenue.

(3)The licensee has less than $10,000,000 in year-end total assets.

(b)Federal law.--A licensee that is subject to and governed by the privacy, security and breach notification rules issued by the United States Department of Health and Human Services under 45 CFR Pts. 160 (relating to general administrative requirements) and 164 (relating to secu

Free access — add to your briefcase to read the full text and ask questions with AI

(a) Licensee criteria.--A licensee meeting any of the following criteria shall be exempt from sections 4512 (relating to risk assessment), 4513 (relating to information security program), 4514 (relating to corporate oversight), 4515 (relating to oversight of third-party service provider arrangements) and 4516 (relating to certification):

(1) The licensee has fewer than 10 employees.

(2) The licensee has less than $5,000,000 in gross revenue.

(3) The licensee has less than $10,000,000 in year-end total assets.

(b) Federal law.--A licensee that is subject to and governed by the privacy, security and breach notification rules issued by the United States Department of Health and Human Services under 45 CFR Pts. 160 (relating to general administrative requirements) and 164 (relating to security and privacy), established in accordance with the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191, 110 Stat. 1936) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5, 123 Stat. 226-279 and 467-496), and which maintains nonpublic information in the same manner as protected health information shall be deemed to comply with the requirements of this chapter except for the notification requirements of section 4518(a), (b) and (c) (relating to notification of cybersecurity event).

(c) Employees, agents, representatives and designees.--An employee, agent, representative or designee of a licensee, who is also a licensee, shall be exempt from sections 4512, 4513, 4514, 4515 and 4516 and need not develop its own information security program to the extent that the employee, agent, representative or designee is covered by the information security program of the other licensee.

(d) Compliance.--If a licensee ceases to qualify for an exemption under this section, the licensee shall have 180 days to comply with this chapter.