
Data Security Breach Bill Calls for Strict Notification Requirements

By dnicastro@hcpro.com | August 17, 2010

A data breach bill filed August 5 requires entities that hold consumers' sensitive information to create a robust data compliance protection plan and holds them to strict breach notification requirements.

U.S. Senators Mark Pryor (D-AR) and Jay Rockefeller (D-WV) filed the "Data Security and Breach Notification Act of 2010," which would be regulated by the Federal Trade Commission (FTC).

According to the language in the bill, healthcare entities and their business associates (BAs) would be in the clear so long as they complied with the Health Information Technology for Economic and Clinical Health (HITECH) Act or any other federal laws that satisfy similar or stronger requirements.

It is unclear, however, if compliance with the FTC's Red Flags Rule for identity theft protections would exempt entities from the requirements in the new bill.

E-mails to each Senator's office were not immediately returned.

No matter to whom the bill applies, healthcare entities should watch the bill's progress in light of new privacy and security laws in HITECH that call for greater patient rights to protected health information (PHI) and greater penalties for breaches of unsecured PHI.

The bill extends civil action power to state attorneys general, much like HITECH does. It includes a maximum of $11,000 per day for each day an entity is found not to be in compliance and caps a single violation at:

  • $5 million for each violation of the security and compliance requirements
  • $5 million for all violations of the breach notification requirements

Such security and compliance requirements include:

  • Security policy with respect to the collection, use, sale, other dissemination, and maintenance of such personal information
  • Identification of an officer or other individual as the point of contact with responsibility for the management of information security
  • Process for identifying and assessing any reasonably foreseeable vulnerabilities and regular monitoring for a breach of security
  • Process for taking preventive and corrective action to mitigate against any vulnerabilities
  • Process for disposing of data in electronic form containing personal information by shredding, permanently erasing, or otherwise modifying the personal information to make it permanently unreadable or indecipherable

The bill's breach notification requirements include:

Nationwide notification. Following the discovery of a breach of security, the covered entity must:

  • Notify each individual who is a citizen or resident of the United States whose personal information was acquired or accessed as a result of such a breach of security
  • Notify the FTC
Third-party/service provider notification requirements. Much like a BA of a healthcare covered entity, a third-party or service provider handling sensitive information must notify the covered entity of the breach of security.

Reports to credit agencies. If a breach involves more than 5,000 individuals, the covered entity must notify the major credit reporting agencies that compile and maintain files on consumers on a nationwide basis.

60-day requirement. Notification must be made not later than 60 days following the discovery of a breach of security, unless the covered entity providing notice can show that providing notice within such a timeframe is not feasible due to circumstances necessary to accurately identify affected consumers, or to prevent further breach or unauthorized disclosures, and reasonably restore the integrity of the data system.

The bill is in the hands of the Committee on Commerce, Science and Technology.

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
