The Connecticut Insurance Department issued a bulletin last month that calls for state insurers to notify affected individuals and the state's insurance commissioner of a breach of patient information no later than five calendar days after its discovery.
This makes the requirement even more strict than California, whose five "business days" requirement is known to be one of the toughest in the country.
Connecticut's insurance officials made the move "in order to assure that Connecticut consumers are fully protected and informed in the event of any information security incident ... that could pose a potential risk to the privacy of an individual's personal health and/or financial information," according to the bulletin.
Dawn McDaniel, a spokesperson for the Connecticut Insurance Department, told HealthLeaders Media in an e-mail the bulletin is in response to “some recent data breaches which were not reported in what we believe to be a timely manner.”
Though McDaniel did not cite it specifically, Connecticut's state attorney general's office announced July 6 that it had reached a settlement with Health Net and its affiliates over the failure last year to secure the private medical records of 1.5 million policyholders and over the insurers' delay in reporting the breach.
The settlement imposed a $250,000 fine on the company for HIPAA and HITECH violations, and requires the insurers to adopt rigorous security and notification measures.
The settlement involved Health Net of the Northeast, Inc., Health Net of Connecticut Inc., and parent companies UnitedHealth Group Inc. and Oxford Health Plans.
On May 14, 2009, the loss or theft of a portable computer disk drive at the company's Shelton, CT office affected about 446,000 Connecticut policyholders and 1 million other policyholders across the nation. The breached data included personal health records, bank account numbers, and Social Security numbers. Health Net waited until Nov. 30 to provide notice of the breach.
E-mails to the Office for Civil Rights (OCR), the HIPAA privacy and security enforcer, and the Connecticut Attorney General's office were not immediately returned Thursday afternoon.
"There will be at times information security incidents which are beyond the control of the best management practices," according to the Connecticut Insurance Department bulletin. "The Department's concern is to make certain that in addition to minimizing these incidents, licensees and registrants react quickly and affirmatively to let affected Connecticut consumers know that they may be at risk and what is being done to protect sensitive and confidential information. The department also wants to make sure that there is an opportunity for the department to actively monitor the situation and guarantee those consumer protections throughout the process."
Insurers have accounted for the largest breaches on the OCR breach notification website.
A report from the Health Information Trust Alliance in Frisco, Texas, last month found that when looking at the number of individuals affected by the breaches on the website, insurance plans accounted for 58% or 2.8 million records.
Of the top 10 largest breaches reported on the OCR list based on the number of individuals affected, insurance plans were responsible for four.
The website list is required by HITECH and includes entities who report breaches of unsecured PHI affecting 500 or more individuals.
The largest of the 157 breaches reported since February 2010 is still AvMed, Inc., a Florida insurance provider whose stolen-laptop case from December 10, 2009, affected 1.22 million individuals.
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.