• E-mail
• Print
• RSS

Data breaches lead to tougher notification requirement

HIPAA Weekly Advisor, September 20, 2010

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

The Connecticut Insurance Department issued a bulletin last month that calls for state insurers to notify affected individuals and the state’s insurance commissioner of a breach of patient information no later than five calendar days after its discovery.

This requirement is even stricter than the one instituted in California—its five “business days” requirement is considered one of the toughest in the country.

Connecticut’s insurance officials made the move “in order to assure that Connecticut consumers are fully protected and informed in the event of any information security incident … that could pose a potential risk to the privacy of an individual’s personal health and/or financial information,” according to the bulletin.

Dawn McDaniel, a spokesperson for the Connecticut Insurance Department, told HIPAA Update in an e-mail that the bulletin is in response to “some recent data breaches, which were not reported in what we believe to be a timely manner.”

Though McDaniel did not cite the incident specifically, Connecticut’s state attorney general office announced July 6 it had reached a settlement with Health Net and its affiliates over the failure last year to secure the private medical records of 1.5 million policyholders and for the insurers’ delay in reporting the breach.

The settlement imposed a $250,000 fine on the company for HIPAA and HITECH violations, and requires the insurers to adopt rigorous security and notification measures.

Read the full story on HIPAA Update.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive