States tightening up data security laws to protect consumers and address healthcare breaches

Physician Practice Insider, July 14, 2015

[Editor's note: This article has been updated to reflect a fuller list of states that have adopted new or revised privacy and security laws this year.]

Connecticut Governor Dannel Malloy (D-CT) signed a new data breach security bill into law on June 30, making the Constitution State the latest to beef up its data security protections.

Earlier this year, Washington, Montana, Wyoming, Utah, Texas, Oregon, Illinois, Tennessee, Virginia, and North Dakota also updated their data breach laws, and Alabama is on its way to becoming the 48th state to adopt such legislation.

New York is also considering a bill to update information security laws, while the New Hampshire legislature just passed a bill requiring that state’s education department to notify students and teachers if their personal data was possibly breached. Bills in several other states are also pending or failed to pass, according to information compiled by the National Conference of State Legislatures.

In Connecticut, S.B. 949, “An Act Improving Data Security and Agency Effectiveness,” requires any company doing business in the state or contracting with a state agency to encrypt all sensitive personal data—such as Social Security numbers and taxpayer ID numbers—that is transmitted wirelessly or via a public Internet connection. Personal data on portable devices has to be encrypted as well.

The bill specifically includes health data within the scope of confidential information and, as of October 1, 2015, recognizes all health insurers, medical facilities, and other entities licensed to transact business in the state involving PHI as companies that must comply with the law. As such, they will have to notify individuals if PHI is compromised.

Companies will also be required to install comprehensive data security programs by October 1, 2017, to protect the confidential information they maintain on clients, plan members, or patients. Security programs must be in writing and contain multiple safeguards that consider size, scope, and type of business, available company resources, the amount of data being maintained, and the overall need for security and confidentiality of the data.

Most new provisions of the revised law took effect July 1, 2015, including requirements on companies to notify potential victims within 90 days of a cyber-attack or data breach and offer no less than one year of identity theft prevention services. Government contractors must also notify the state agency they are working for and the attorney general’s office of a data breach.

Prior to the new law, the state only required businesses to notify victims “without unreasonable delay” after a breach and did not set a minimum length of time to offer identity theft protection services, reports The Hartford Courant.

The 90-day provision is actually less stringent than what HIPAA currently requires, however: HIPAA requires notice within 60 days. The full text of the bill is available on the Connecticut legislature’s website.

In North Dakota, the amended data breach law takes effect August 1, 2015, specifically addressing data breaches involving more than 250 people. The revisions expand the scope of the law from anyone who conducts business in the state to include anyone who owns or licenses computerized data containing personal information. Those individuals or entities are then required to disclose any breach of their system affecting more than 250 victims.

The Alabama Information Protection Act of 2015 is currently before the state senate and specifically includes protection of health data and breach notification to the attorney general’s office, although it notably does not cover financial institutions.

In Oregon, a revised state law was signed by Governor Kate Brown (D-OR) June 10 and will take effect January 1, 2016. That law will now include a person’s medical information, require notification to the attorney general of a breach affecting more than 250 state residents, change existing reporting thresholds, and allow the attorney general to bring legal action against entities that violate the law under another state law on unlawful trade practices.

Covered entities that must comply with HIPAA, however, are exempted from the data breach law as long as they send a copy of any breach notifications to the attorney general’s office as well.

This article originally appeared in HIM-HIPAA Insider.