Legislation would require Kentucky businesses to notify consumers of data breach

by Dan Soldato

Data breaches, particularly of consumer information and other private information, are becoming an increasing public concern and a headline in the daily news. We regularly hear about incidents in which electronically stored customer information is lost by or stolen from businesses, including health care companies, retailers, and telecommunications companies. These risks are growing rapidly with the increased use of mobile devices in businesses (e.g., laptops, tablets, flash drives, smartphones) and the increased use of mobile apps by consumers. Electronic data that is not adequately secured is exposed to both physical theft (e.g., a lost or stolen device) and electronic theft (e.g., hacking, malware). In light of the increase in data breach reports, this week the Consumer Financial Protection Bureau issued an advisory bulletin to provide guidance to consumers on protecting their personal information following the recent high-profile breaches involving debit cards and other payment data (e.g., Target, Michaels, Neiman Marcus). Notice to consumers about a breach of their data is seen as another way to further protect against a loss.

Data Breach Laws. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Section 5 of the Federal Trade Commission Act are two federal laws under which federal agencies aim to protect the confidentiality of sensitive personal information such as health information, social security numbers and other personally identifiable information. In addition, many states have enacted laws with a similar aim. One such law that many states have enacted is a breach notification law, which requires business entities to notify affected individuals when their personally identifiable information has been breached or compromised.

Kentucky is one of a handful of states that has yet to enact a breach notification law. However, on January 21, 2014, Representative Steve Riggs introduced HB232, which, if passed, would implement new standards and requirements to notify affected individuals in the event of a breach of their personally identifiable information. The Bill is now under consideration by the House Labor and Industry Committee.

Mobile Device Management


More and more, health care providers are employing laptops, tablets, smartphones and other portable electronic devices in their work. And more and more, laptops and other portable electronic devices are involved in breaches of patient data. According to the Office for Civil Rights (OCR) website, 265 (or 39%) of the 674 total data breaches affecting 500 or more individuals reported to date involve either laptops or other portable electronic devices.

In order to better protect the patient information on these devices, the U.S. Department of Health and Human Services (HHS) conducted a Mobile Device Roundtable last year and solicited public comments to gather tips and information HHS considers “would be most useful to health care providers and professionals using mobile devices in their work.” These HHS tips, information and videos may help you protect and secure health information patients entrust to you when using mobile devices. Review these tips and make sure you fully analyze these devices and their movement as part of your risk analysis and risk management plans.

February 29 Data Breach Reporting Deadline Fast Approaching!

The deadline is quickly approaching for mandatory data breach reporting to the United States Department of Health & Human Services (HHS) under the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Covered entities must report data breaches involving fewer than 500 individuals to HHS within 60 days following the end of the calendar year in which the breach occurred. Because 2012 is a leap year, covered entities that experienced a data breach involving fewer than 500 individuals in 2011 should submit data breach notification reports to HHS by February 29, 2012.

The reports must be submitted electronically. Please follow these links for the submission form and reporting instructions.