Healthcare Data Privacy

Overdose Prevention and Patient Safety Act Passed by House

The Overdose Prevention and Patient Safety Act – H.R. 6082 – aims to ease restrictions on the sharing of health records of patients with addictions, aligning 42 CFR Part 2 – Confidentiality of Substance Use Disorder Patient Records – with HIPAA.

Currently, 42 CFR Part 2 only permits the disclosure of health records of patients with substance abuse disorder without written consent to medical staff in emergency situations, to specified individuals for research and program evaluations, or if required to do so by means of a court order.

Under current regulations, a special release form must be signed by a patient authorizing the inclusion of substance abuse disorder information in their medical record.

Preventing doctors from having access to a patient’s entire medical history means decisions could be taken without full understanding of their potential consequences. If details of substance abuse disorder can be accessed, doctors will be able to make more informed decisions which will help them to safely and effectively treat patients.

The Overdose Prevention and Patient Safety Act allows the health records of substance abuse disorder patients to be disclosed without written consent from patients for the purposes of treatment, payment, and healthcare operations, aligning with the HIPAA Privacy Rule.

Additionally, the criminal penalties for violations involving substance abuse disorder records would align with the penalty structure of HIPAA and would not be treated separately.

Privacy protections for patients are also enhanced: the Act will prohibit the use of SUD information in criminal and civil prosecution cases, will protect against discrimination by prohibiting the sharing of substance abuse disorder information with employers and landlords, and would require notifications to be issued in the event of a breach of that information in line with the requirements of the HITECH Act.

The House passed the Overdose Prevention and Patient Safety Act with a vote of 357-57. The Act will now go to the Senate for consideration.

The post Overdose Prevention and Patient Safety Act Passed by House appeared first on HIPAA Journal.

Common Rule Compliance Date Delayed Until January 2019

On June 19, 2018, the federal government published the final rule for the Federal Policy for the Protection of Human Subjects – The Common Rule.

The aim of the Common Rule is to protect individuals who voluntarily participate in research, while also reducing the administrative and regulatory burdens for low-risk research.

A revised Common Rule was due to take effect on January 19, 2018, with an effective compliance date on the same date. However, an interim final rule was published on January 17, 2018 delaying the effective date for six months. The new compliance date was due to be July 19, 2018.

On April 20, 2018, a notice of proposed rulemaking was published seeking comments about whether the new Common Rule requirements should be delayed for a further six months. After assessing the comments received on the notice of proposed rulemaking, the proposals made in that NPRM have been adopted and the compliance date has now been extended until January 21, 2019.

In the final rule it was noted, “We acknowledge that the timing of the interim final rule was not ideal and led to frustration within the regulated community. We believe that the 2018 NPRM and this final rule to delay the general compliance date for the 2018 Requirements while permitting the use of three burden-reducing provisions of the 2018 Requirements provides the regulated community with sufficient notice about when the 2018 Requirements will go into effect, and when regulated entities will be required to comply with the 2018 Requirements.”

Regulated entities will be required to continue to comply with the pre-2018 version of the Common Rule until the new January 2019 compliance date. However, institutions will be permitted to implement, for certain research studies, three of the burden-reducing principles in the 2018 Common Rule between July 19, 2018 and January 19, 2019, although adoption of those principles is not mandatory.

Those three provisions are:

  • A revised definition of research in which certain research activities are no longer covered by the Common Rule – such as public health surveillance activities to monitor the spread of disease
  • The elimination of the requirement for annual continuing review with respect to certain categories of research
  • The elimination of the requirement that institutional review boards (IRBs) review grant applications or other funding proposals related to the research

If those three principles are implemented for studies initiated during the delay period, full compliance with the 2018 Common Rule requirements is required from January 21, 2019 until the study ends.

The Revised Common Rule will enable more secondary research of EHR data. Certain low-risk studies, such as observational studies to find patterns in patient records that will help to improve how certain medical procedures are performed, will be exempted if conducted by certain HIPAA-covered entities.

Changes are also made to how consent must be obtained. Important information about a study must be explained clearly and concisely in a way that would allow a reasonable person to understand how their data will be used. It is also possible for broad consent to be obtained, which will help to ensure that biospecimens and patient-reported data are made available for secondary research.

A new option is also included to assist with screening potential research participants to help ensure that patients who could potentially benefit from new treatments will be likely to hear about those treatments.

Washington Health System Suspends Several Employees for Inappropriate PHI Access

Following the alleged inappropriate accessing of patient health records by employees, Washington Health System has taken the decision to suspend several employees while the privacy breach is investigated.

While it has not been confirmed how many employees have been suspended, Washington Health System VP of strategy and clinical services, Larry Pantuso, issued a statement to the Observer Reporter indicating around a dozen employees have been suspended, although at this stage, no employees have been fired for inappropriate medical record access.

The privacy breaches are believed to relate to the death of an employee of the WHS Neighbor Health Center. Kimberly Dollard, 57, was killed when an out of control car driven by Chad Spence, 43, rammed into the building where she worked. Spence and one other individual were admitted to the hospital after sustaining injuries in the accident.

Pantuso did not confirm that this was the incident that prompted the employees to access patients’ medical records, although he did confirm that the alleged inappropriate access related to a “high profile case.”

The accessing of medical records without any legitimate work reason for doing so is a violation of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA only permits the accessing of PHI by employees for treatment, payment, or healthcare operations.

Any healthcare employee discovered to have violated HIPAA Rules faces disciplinary action which can involve suspension, termination, loss of license and, potentially, criminal charges.

There have been several recent cases where employees have been fired for snooping on the medical records of high profile patients.

In February 2018, 13 employees of the Medical University of South Carolina were fired for HIPAA violations after they accessed the medical records of patients without authorization. Many of them had accessed the medical records of high profile patients.

One of the most recent actions taken against a healthcare employee for a HIPAA violation was taken by the New York nursing board’s Office for Professional Discipline. Martha Smith-Lightfoot was provided with a list of patients prior to leaving her employment at University of Rochester Medical Center (URMC) to take up a new position at Greater Rochester Neurology. Smith-Lightfoot provided that list to her new employer and patients were contacted in an attempt to solicit business.

Smith-Lightfoot signed a consent order with the nursing board admitting the violation and had her license to practice suspended for one year, received a stayed suspension for another year, and three years of probation when she returns to practice.

Snooping on medical records is likely to be discovered as logs are created when health records are accessed. Those logs are periodically checked and if inappropriate PHI access is discovered it is likely to result in termination and will make it hard to obtain future employment in healthcare.

May 2018 Healthcare Data Breach Report

April was a particularly bad month for healthcare data breaches with 41 reported incidents. While it is certainly good news that there has been a month-over-month reduction in healthcare data breaches, the severity of some of the breaches reported last month puts May on a par with April.

[Figure: Healthcare Data Breaches (May 2018)]

There were 29 healthcare data breaches reported by healthcare providers, health plans, and business associates of covered entities in May – a 29.27% month-over-month reduction in reported breaches. However, 838,587 healthcare records were exposed or stolen in those incidents – only 56,287 records fewer than the 41 incidents in April.

[Figure: Healthcare Data Breaches - Records (May 2018)]

In May, the mean breach size was 28,917 records and the median was 2,793 records. In April the mean breach size was 21,826 records and the median was 2,553 records.

Causes of May 2018 Healthcare Data Breaches

Unauthorized access/disclosure incidents were the most numerous type of breach in May 2018 with 15 reported incidents (51.72%). There were 12 hacking/IT incidents reported (41.38%) and two theft incidents (6.9%). There were no lost unencrypted electronic devices reported in May and no improper disposal incidents.

The 12 hacking/IT incidents reported in May resulted in the exposure/theft of 738,883 healthcare records – 88.11% of the total for May. Unauthorized access/disclosure incidents affected 97,439 patients and health plan members – 11.62% of the total. Theft incidents resulted in unauthorized individuals obtaining the PHI of 2,265 individuals – 0.27% of the monthly total.

[Figure: Causes of Healthcare Data Breaches (May 2018)]

Largest Healthcare Data Breaches Reported in May 2018

The largest healthcare data breach reported in May 2018 – by some distance – was the 538,127-record breach at the Baltimore, MD-based healthcare provider LifeBridge Health Inc. The breach was reported in May, although it occurred more than a year and a half earlier in September 2016, when malware was installed on its server that hosts electronic health records.

In addition to names and contact information, clinical and treatment information, insurance information, and, in some instances, Social Security numbers were compromised. The scale of the breach and the types of information exposed make it one of the most serious healthcare data breaches discovered in 2018.

As the table below shows, hacks and IT incidents were behind the most serious breaches in May.

| Breached Entity | Entity Type | Records Breached | Breach Type |
|---|---|---|---|
| LifeBridge Health, Inc | Healthcare Provider | 538127 | Hacking/IT Incident |
| The Oregon Clinic, P.C. | Healthcare Provider | 64487 | Hacking/IT Incident |
| Dignity Health | Healthcare Provider | 55947 | Unauthorized Access/Disclosure |
| Aultman Hospital | Healthcare Provider | 42625 | Hacking/IT Incident |
| Holland Eye Surgery and Laser Center | Healthcare Provider | 42200 | Hacking/IT Incident |
| USACS Management Group, Ltd. | Business Associate | 15552 | Hacking/IT Incident |
| Florida Hospital | Healthcare Provider | 12724 | Hacking/IT Incident |
| Aflac | Health Plan | 10396 | Hacking/IT Incident |
| Cerebral Palsy Research Foundation of Kansas, Inc. | Healthcare Provider | 8300 | Unauthorized Access/Disclosure |
| Associates in Psychiatry and Psychology | Healthcare Provider | 6546 | Hacking/IT Incident |

[Figure: Records Exposed in Healthcare Data Breaches (May 2018)]

Location of Breached Protected Health Information

In May, the most common location of breached protected health information was email. 11 of the 29 reported breaches involved hacks of email accounts and misdirected emails. It was a similar story in April, when email was also the main location of breached PHI.

In May there were 7 incidents affecting network servers – hacks, malware infections, and ransomware incidents – and 7 incidents involving paper records.

[Figure: Healthcare Data Breaches (May 2018) - Location of Breached PHI]

Data Breaches by Covered Entity Type

Healthcare providers experienced the lion’s share of the healthcare data breaches in May 2018, with 22 incidents reported. Only two health plans suffered a data breach in May.

Five business associates of HIPAA-covered entities reported a breach, although a further four breaches had some business associate involvement.

[Figure: Healthcare Data Breaches (May 2018) - Breaches by Covered Entity Type]

Healthcare Data Breaches by State

California and Ohio were the worst affected by healthcare data breaches in May 2018, with each state having four breaches. Oregon and Texas each experienced two data breaches in May. Nevada saw four breaches reported, but three of those were the same incident, only reported separately by each of the three Dignity Health hospitals affected.

One healthcare data breach was reported by a HIPAA-covered entity or business associate based in Arkansas, Arizona, Colorado, Florida, Georgia, Indiana, Kansas, Massachusetts, Maryland, Michigan, Minnesota, Nebraska, and New York.

Financial Penalties for HIPAA Violations

While OCR and state attorneys general continue to enforce HIPAA Rules and take action against covered entities and business associates for noncompliance, there were no financial settlements announced by either in May 2018.

Data Source: The Department of Health and Human Services’ Office for Civil Rights.

OCR Announces $4.3 Million Civil Monetary Penalty for University of Texas MD Anderson Cancer Center

The Department of Health and Human Services’ Office for Civil Rights has announced its fourth largest HIPAA violation penalty has been issued to The University of Texas MD Anderson Cancer Center (MD Anderson). MD Anderson has been ordered to pay $4,348,000 in civil monetary penalties to resolve the HIPAA violations related to three data breaches experienced in 2012 and 2013.

MD Anderson is an academic institution and a cancer treatment and research center based at the Texas Medical Center in Houston, TX. Following the submission of three breach reports in 2012 and 2013, OCR launched an investigation to determine whether the breaches were caused as a result of MD Anderson having failed to comply with HIPAA Rules.

The breaches in question were the theft of an unencrypted laptop computer from the home of an MD Anderson employee and the loss of two unencrypted USB thumb drives, each of which contained the electronic protected health information (ePHI) of its patients. In total, the PHI of 34,883 patients was exposed and could potentially have been viewed by unauthorized individuals.

The investigation revealed that MD Anderson had conducted a risk analysis, as is required by HIPAA. That risk analysis revealed the use of unencrypted devices posed a serious threat to the confidentiality, integrity, and availability of ePHI. To address the risk, in 2006 MD Anderson developed policies that required all portable storage devices to be encrypted.

However, even though policies called for the use of encryption, encryption was not implemented until March 24, 2011. When encryption was implemented, it was not implemented on all portable devices in its inventory. MD Anderson reported to OCR that by January 25, 2013, it had only encrypted 98% of its computers. If MD Anderson had implemented encryption on all portable electronic devices containing ePHI, the three breaches would have been prevented.

Preventable Data Breaches Experienced by MD Anderson

The laptop was stolen from the home of Dr. Randall Millikan on April 30, 2012. Dr. Millikan confirmed that the ePHI on the device were not encrypted, the laptop was not password protected, and the ePHI could potentially have been viewed by family members at his home as a result, as well as by the individual who stole the laptop.

The USB devices were lost on or around July 12, 2012 and December 2, 2013. The first contained an Excel file containing the ePHI of 2,264 individuals. The device was lost by a summer intern on her way home from work. The second USB drive was lost by a visiting researcher from Brazil at some point over the Thanksgiving weekend. The device was usually left in the tray on her desk. Neither device was encrypted or password protected.

Between 2010 and 2011, MD Anderson’s Information Security Program and Annual Reports stated clearly that the storage of ePHI on mobile media was a key risk area that had not yet been mitigated, which was also detailed in its risk analysis for fiscal year 2011. That risk analysis determined that employees were downloading ePHI onto portable storage devices for use outside the institution. The failure to address the risk was a violation of 45 C.F.R. § 164.312(a)(2)(iv) and its own policies.

Penalties for HIPAA Violations

When financial penalties are deemed appropriate, OCR usually negotiates with the covered entity and a settlement is agreed; however, MD Anderson disagreed with OCR’s decision and maintained the financial penalty was unreasonable. Specifically, MD Anderson claimed that it was not obligated to use encryption as the data on the devices were used for research purposes, and that the research was not subject to HIPAA’s nondisclosure requirements. A covered entity has the right to contest penalties for HIPAA violations. Consequently, the matter was referred to an Administrative Law Judge.

OCR proposed penalties for HIPAA violations under the tier of ‘reasonable cause’. OCR wrote in its Notice of Proposed Determination, “Reasonable cause is ‘an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.’”

The penalty amounts in such cases are a minimum of $1,000 for each violation up to a maximum of $1.5 million per calendar year.

[Figure: Penalty Structure for HIPAA Violations]

OCR determined penalties were appropriate for calendar year 2011 (283 days from March 24 to December 31), calendar year 2012 (366 days from January 1 to December 31) and calendar year 2013 (25 days from January 1 to January 25), and applied the maximum penalty of $1.5 million for each of those calendar years.

Administrative Law Judge Steven T. Kessell granted summary judgement in favor of OCR to remedy MD Anderson’s noncompliance with 45 C.F.R. § 164.312(a) – Technical Safeguards; encryption – and 45 C.F.R. § 164.502(a) – Uses and Disclosure of PHI; impermissible disclosure of ePHI.

“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”

More than 90% of Hospitals and Physicians Say Mobile Technology is Improving Patient Safety and Outcomes

90% of hospitals and 94% of physicians have adopted mobile technology and say it is helping to improve patient safety and outcomes, according to a recent survey conducted by Black Book Research.

The survey was conducted on 770 hospital-based users and 1,279 physician practices between Q4, 2017 and Q1, 2018.

The survey revealed 96% of hospitals are planning on investing in a new clinical communications platform this year or have already adopted a new, comprehensive communications platform.

85% of surveyed hospitals and 83% of physician practices have already adopted a secure communication platform to improve communications between care teams, patients, and their families. Secure text messaging platforms are fast becoming the number one choice due to the convenience of text messages, the security offered by the platforms, and the improvements they make to productivity and profitability.

98% of hospitals and 77% of physician practices said they have implemented secure, encrypted email and are using intrusion detection systems to ensure breaches are detected rapidly.

Many providers of secure text messaging solutions have developed their platforms specifically for the healthcare industry. The platforms incorporate all the necessary safeguards to meet HIPAA requirements and ensure PHI can be transmitted safely and securely. Text messaging is familiar to almost all employees who are provided access to the platforms and they make communication quick and easy.

However, 63% of respondents to the survey said they are still facing ongoing challenges with buy-in of general mobile adoption strategies and related enterprise technology execution.

30% of respondents said that even though secure methods of communication have been implemented such as encrypted text messaging platforms and secure email, they are still receiving communications on a daily basis from unsecured sources that contain personally identifiable information such as patients’ names and birthdates.

Part of the study involved an assessment of cybersecurity and privacy software and services, allowing the company to identify the vendors that are most highly regarded by customers. TigerText, the market leading provider of secure text messaging solutions for the healthcare industry, was rated highly across the board, as were Vocera, Spok, Doc Halo, and Imprivata.

Doc Halo was the highest rated secure communications platform provider among physician organizations, with Perfect Serve, Patient Safe Solutions, OnPage, Telemediq, and Voalte also scoring highly. Spok ranked highest among hospital systems and inpatient organizations, with Qlik and Cerner also receiving high marks.

“Stakeholders across the healthcare industry are in the quest of finding solutions to use comprehensive real-time data and connectivity cleverly to advance patient safety, productivity and profitability,” said Doug Brown, president of Black Book Market Research. “Organizations are adopting secure text messaging platforms because texts are convenient, as well.”

12-Month Suspension for Nurse Who Provided Patient Information to New Employer

The New York State Education Department has suspended the license of a nurse practitioner for violating the privacy of patients by providing their contact information to her new employer.

In April 2015, Martha C. Smith-Lightfoot took a spreadsheet containing the personally identifiable information of approximately 3,000 patients of University of Rochester Medical Center (URMC) and gave that information to her new employer, Greater Rochester Neurology.

The privacy violation was uncovered when several patients complained to URMC about being contacted by Greater Rochester Neurology about switching providers.

Prior to leaving URMC, Smith-Lightfoot requested information on patients she had treated in order to ensure continuity of care. URMC provided her with a spreadsheet that contained names, addresses, dates of birth, and diagnoses. URMC did not authorize Smith-Lightfoot to take the spreadsheet with her when she left employment.

The provision of the patient list to Greater Rochester Neurology was an impermissible disclosure of PHI and a violation of the HIPAA Privacy Rule. When it became apparent what had happened, URMC contacted Greater Rochester Neurology and the list was returned.

The privacy breach was reported to the Department of Health and Human Services’ Office for Civil Rights, as required by HIPAA, and the New York attorney general. OCR investigated but closed the case without issuing any financial penalties, although then attorney general Eric Schneiderman fined URMC $15,000 for the HIPAA violation.

Criminal penalties were not pursued against Smith-Lightfoot, although the matter was investigated by the New York State Education Department which issues licenses for the professions.

Smith-Lightfoot admitted disclosing personally identifiable patient information to her new employer and, in November 2017, signed a consent order with the state nursing board Office for Professional Discipline. That consent order was accepted by the Board of Regents in February.

In addition to the 12-month suspension of her license, Smith-Lightfoot received a 12-month stayed suspension and faces 2 years of probation when she returns to practice.

Healthcare Employees Accused of Taking PHI to New Employers

Two HIPAA-covered entities are notifying patients that former employees have accessed databases and stolen protected health information to take to new employers.

Former Hair Free Forever Employee Contacts Patients to Solicit Customers

Hair Free Forever, a Ventura, CA-based provider of permanent hair removal treatments, has announced that a former employee has stolen patient information and has been contacting its patients in an attempt to solicit customers.

The company uses Thermolysis to permanently remove hair. Since the technique is classed as a medical procedure, Hair Free Forever and its employees are required to comply with HIPAA Rules.

In a data breach notice provided to the California attorney general, Hair Free Forever’s Cheryl Conway informs patients that the former employee accessed patient files and the company’s database and stole patients’ protected health information, in clear violation of HIPAA Rules. The data theft came to light when complaints were received from customers who had been contacted and told about the former employee’s new practice.

An investigation into the security breach revealed the former employee took information such as names and contact information, dates of birth, medical histories, details of mental and physical condition, diagnoses and treatment information, physicians’ names, details of medications taken, and intimate personal photographs. Hair Free Forever reports that attempts have been made to secure patients’ PHI.

It is currently unclear exactly how many patients have been affected as the incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal, although a breach report has been submitted.

Cheryl Conway wrote, “Aside from the moral and ethical disregard of privacy issues… this criminal behavior carries significant fines, penalties and legal ramifications.” A complaint has been filed with OCR over the HIPAA violation.

Former Muir Medical Group Employee Takes PHI to New Employer

A similar incident occurred at the Walnut Creek, CA-based independent physicians’ association Muir Medical Group IPA. Information on the breach was released in late May, although at the time it was unclear how many patients were affected. The incident has now appeared on the OCR breach portal, which reveals the information of 5,485 patients was taken by a former employee and was provided to her new employer.

The data leak was detected by Muir Medical Group on March 7. A third-party computer forensics firm was hired to investigate the breach, which revealed the following information had been taken by the former employee: Names, addresses, phone numbers, diagnoses, test results, treatment information, medications, and Social Security numbers. Affected patients had received treatment between November 2013 and February 2017.

All patients whose PHI was taken by the former employee have been offered complimentary credit monitoring services for 12 months.

Colorado Governor Signs Data Protection Bill into Law

Colorado Governor John Hickenlooper has signed a bill – HB 1128 – into law that strengthens protections for consumer data in the state of Colorado. The bipartisan bill, sponsored by Reps. Cole Wist (R) and Jeff Bridges (D) and Sens. Kent Lambert (R) and Lois Court (D), was unanimously passed by the Legislature. The bill will take effect from September 1, 2018.

The bill requires organizations operating in the state of Colorado to implement reasonable security measures and practices to ensure the personal identifying information (PII) of state residents is protected. The bill also reduces the time for notifying the state attorney general about breaches of PII and introduces new rules for disposing of PII when it is no longer required.

Personal information is classed as first name and last name or first initial and last name in combination with any of the following data elements (when not encrypted, redacted, or secured by another means that renders the information unreadable):

  • Social Security number
  • Student ID number
  • Military ID number
  • Passport number
  • Driver’s license number or ID card number
  • Medical information
  • Health insurance ID number
  • Biometric data
  • Email addresses in combination with passwords or security Q&As
  • Financial account numbers, and credit cards and debit cards with associated security codes that would permit access/use

Reasonable Security Measures Must be Implemented

Covered entities will be required to implement and maintain “Reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.” Those measures should protect PII from unauthorized access, modification, disclosure, and destruction. In cases where PII is passed to a third party, the covered entity must ensure the third party also has reasonable security measures in place.

A written policy must be developed by all businesses that maintain the personal information of Colorado residents covering the disposal of that information when it is no longer required. Electronic data and physical documents containing PII must be disposed of securely. The bill suggests “Shredding, erasing, or otherwise modifying the personal identifying information in the paper or electronic documents to make the personal identifying information unreadable or indecipherable through any means.”

30-Day Maximum Time Limit for Issuing Breach Notifications

When the bill was first introduced, it required the state attorney general to be notified of a breach of PII within 7 days of discovery. Such a short time frame for issuing notifications can help to ensure prompt action is taken to prevent harm or loss, although such a short time frame means notifications would need to be issued before it would be possible, in many cases, to determine whether there had been any misuse of data. This requirement of the bill attracted considerable criticism from large businesses operating in Colorado.

After careful consideration, this requirement was amended and the time limit for issuing notifications has been extended to 30 days following the discovery of the breach. Even so, this makes the notification requirements the strictest of any state. The state attorney general only needs to be notified of the breach if it has impacted more than 500 Colorado residents. Regardless of the scale of the breach, affected individuals must be notified within 30 days.

HIPAA-covered entities should note that the 30-day time limit will apply even though HIPAA allows up to 60 days to issue notifications. HIPAA-covered entities and entities covered by the Gramm-Leach-Bliley Act are not exempt.

Breach notices are required for any security breach that exposes personal information, except a good faith acquisition of personal information by an employee or agent of a covered entity if the information is not used for a purpose unrelated to the lawful operation of the business and if that information is not subject to further unauthorized disclosure.

A notice must also be placed on the website of the breached entity and a notification issued to statewide media.
