Digging into the new data breach bill
HIPAA Weekly Advisor, August 23, 2010
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
The new “Data Security and Breach Notification Act of 2010,” reported in last week’s HIPAA Weekly Advisor and filed August 5 by U.S. Senators Mark Pryor (D-AR) and Jay Rockefeller (D-WV), extends civil action power to state attorneys general, much like HITECH does. It includes a maximum of $11,000 per day for each day an entity is found not to be in compliance and caps a single violation at:
- $5 million for each violation of the security and compliance requirements
- $5 million for all violations of the breach notification requirements
Such security and compliance requirements include:
- Security policy with respect to the collection, use, sale, other dissemination, and maintenance of such personal information
- Identification of an officer or other individual as the point of contact with responsibility for the management of information security
- Process for identifying and assessing any reasonably foreseeable vulnerabilities and regular monitoring for a breach of security
- Process for taking preventive and corrective action to mitigate against any vulnerabilities
- Process for disposing of data in electronic form containing personal information by shredding, permanently erasing, or otherwise modifying the personal information to make permanently unreadable or indecipherable
The bill's breach notification requirements include:
- Nationwide notification. Following the discovery of a breach of security, the covered entity must:
- Notify each individual who is a citizen or resident of the United States whose personal information was acquired or accessed as a result of such a breach of security
- Notify the Federal Trade Commission (FTC)
- Third-party/service provider notification requirements. Much like a business associate of a healthcare covered entity, a third-party or service provider handling sensitive information must notify the covered entity of the breach of security.
- Reports to credit agencies. If a breach involves more than 5,000 individuals, the covered entity must notify the major credit reporting agencies that compile and maintain files on consumers on a nationwide basis.
- 60-day requirement. Notification must be made not later than 60 days following the discovery of a breach of security, unless the CE can prove it was absolutely necessary to take that long.
The bill is in the hands of the Committee on Commerce, Science and Technology.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Identify potential Medicaid RAC target areas
- Topic: CMS, OESS post new security compliance review information, checklist
- HIPAA Q&A: Level of encryption needed for email
- Capturing all necessary codes for IUD insertion and removal can be challenging
- What does case-mix index mean to you?
- OB services: Coding inside and outside of the package
- QA:Coding multiple initial infusions
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- Q&A: Follow CMS' coding guidelines when using modifier -25
- Catch up on what's new with injections and infusions
- CMS has reformulated payments for some bilateral procedures
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- What does case-mix index mean to you?
- ED-to-inpatient transfers are flawed with safety gaps
- Searched