Data Breaches Hit All Time High

There has been a dramatic increase in new data security and privacy laws and regulations as data breaches reach an all-time high. Just a few years ago only a handful of states had data breach notification laws. Today, 44 states and the District of Columbia have passed privacy laws, and federal legislation is well on its way. It is difficult for business owners and chief information officers (CIOs) to navigate data breach privacy laws. Understanding laws like HIPAA, Gramm-Leach-Bliley and the Fair Credit Reporting Act is difficult enough, but now businesses also have to decipher the Hi-Tech Act and a slew of state notification laws. These laws require businesses to promptly notify any customer or patient who may be affected by a data breach. Each state has its own unique requirements concerning the form of notification and the time frame within which to notify. In many cases, failure to notify may lead to fines and penalties.

In November 2007, Federal Banking Agencies and the Federal Trade Commission (FTC) created an addition to the Fair Credit Reporting Act called the “Red Flags Rule”. The Red Flags Rule applies to “financial institutions” and “creditors” with “covered accounts.” The law is not perfectly clear and has a number of businesses concerned about their requirement to comply with the regulation. For example, it has been debated if a health care provider, such as a physician or dentist, is considered a “creditor” under the rule. A “creditor” is defined as any entity that regularly extends, renews or continues credit or any entity that regularly arranges for the extension, renewal or continuation of credit. Under this description, many businesses may be required to comply with the Red Flags Rule.

In September 2008 the Massachusetts Office of Consumer Affairs & Business Regulation issued a regulation intended to protect against the unauthorized disclosure of personal information of Massachusetts residents. The regulation establishes very strict requirements for any “persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts.” This regulation mandates sweeping changes in the development of data security protection. In addition to the expanded data protection requirements, the new law also includes penalties for non-compliance (violators may be subject to a $5,000 civil penalty for each violation of each affected person). Compliance with the new regulation takes effect Jan. 1, 2010.

The Hi-Tech Act, part of the 2009 American Recovery and Reinvestment Act (otherwise known as the Stimulus package), provides incentives for physicians who implement “meaningful use” of an Electronic Health Record system. While the exact criteria are still being defined, such systems must be able to e-Prescribe electronically, exchange information, and submit clinical quality measures. In short, the federal government is making it mandatory for health care providers to disclose and disperse reams of personal data electronically. What this act also does is create a federal notification requirement for the breach of Protected Health Information. So in addition to the 44 state notification requirements, health care professionals will have to comply with a federal mandate to notify patients if their records have been compromised.

More laws are on the way with no end in sight.
