Invite a Friend

Sitemap

Home

Finance
e-Newsletter

Intelligence Unit

Special Reports

Special Events

Subscribe/Buy

Sponsored

Departments

Follow Us

Home > Finance > Home - More Daily News & Analysis

Data Security Breach Bill Calls for Strict Notification Requirements

Comment

RSS

News Widget

Dom Nicastro, for HealthLeaders Media, August 17, 2010

Such security and compliance requirements include:

Security policy with respect to the collection, use, sale, other dissemination, and maintenance of such personal information
Identification of an officer or other individual as the point of contact with responsibility for the management of information security
Process for identifying and assessing any reasonably foreseeable vulnerabilities and regular monitoring for a breach of security
Process for taking preventive and corrective action to mitigate against any vulnerabilities

Process for disposing of data in electronic form containing personal information by shredding, permanently erasing, or otherwise modifying the personal information to make permanently unreadable or indecipherable

The bill's breach notification requirements include:

Nationwide notification. Following the discovery of a breach of security, the covered entity must:

Notify each individual who is a citizen or resident of the United States whose personal information was acquired or accessed as a result of such a breach of security
Notify the FTC

Third-party/service provider notification requirements. Much like a BA of a healthcare covered entity, a third-party or service provider handling sensitive information must notify the covered entity of the breach of security.

Reports to credit agencies. If a breach involves more than 5,000 individuals, the covered entity must notify the major credit reporting agencies that compile and maintain files on consumers on a nationwide basis.

60-day requirement. Notification must be made not later than 60 days following the discovery of a breach of security, unless the covered entity providing notice can show that providing notice within such a timeframe is not feasible due to circumstances necessary to accurately identify affected consumers, or to prevent further breach or unauthorized disclosures, and reasonably restore the integrity of the data system.

The bill is in the hands of the Committee on Commerce, Science and Technology.

Dom Nicastro is a senior managing editor at HCPro, Inc. in Danvers, MA. He edits the Briefings on HIPAA newsletter and manages the HIPAA Update Blog. E-mail him at dnicastro@hcpro.com.

1 | 2

RSS

Archive

Be the first to make a comment

Comments are moderated. Please be patient.

AAMI: Meaningful use rewards early interoperability adopters

Evaluating hospital networks, data, drivers and device types should be completed before embarking on an interoperability strategy, said Bridget A. Moorman of BMoorman Consulting at the Association for the...

Moffitt Cancer Center discovers patient consent was falsified for study

The H. Lee Moffitt Cancer Center on Wednesday revealed that it is investigating whether hundreds of patient signatures were falsified on documents enrolling them in the hospital's largest cancer research...

Electronic surveillance is key to HAI investigation

Electronic surveillance is becoming a critical tool in an infection preventionist's arsenal of tools with which to fight healthcare-acquired infections. Infection Control Today has detailed several case...

Audioconference: Medicare Compliance and Risk Management

Under The Patient Protection and Affordable Care Act (PPACA), long-term care facilities are expected to establish a credible, effective compliance program by 2013. Now is the time to...

go to complete list