Tuesday 21 April 2015

Data Breach Notification Law Passes Unanimously in Wash.

The Washington state Senate unanimously passed the proposed data breach notification law last week by a 47-0 vote.

HB 1078 is designed to “strengthen the data breach notification requirements to better safeguard personal information, prevent identity theft, and ensure that the attorney general receives notification when breaches occur so that appropriate action may be taken to protect consumers.”

Under the new legislation, Washington’s attorney general must be notified within 45 days of the breach’s discovery, along with consumers who are potentially affected. Both “computerized data” and hard copy information are now covered by the notification law, and there is a “safe harbor” provision for information that is deemed “secure.”

This includes data that is “encrypted in a manner that meets or exceeds the National Institute of Standards and Technology (NIST) standard or is otherwise modified so that the personal information is rendered unreadable, unusable, or undecipherable by an unauthorized person.”

While HB 1078 does not include medical information or health data under its definition of “personal information,” the legislation does state that HIPAA-covered entities are compliant as long as they adhere to “section 13402 of the federal health information technology for economic and clinical health act.”

“Covered entities shall notify the attorney general pursuant to subsection (15) of this section in compliance with the timeliness of notification requirements of section 13402 of the federal health information technology for economic and clinical health act, Public Law 111-5 as it existed on the effective date of this section, notwithstanding the notification requirement in subsection (16) of this section.”

Earlier this month, Washington Attorney General Bob Ferguson, Sen. John Braun, and Rep. Zack Hudgins wrote an opinion piece that pushed for the passage of HB 1078. The trio explained that the previous state data breach notification law was obsolete, and that a more meaningful and timely notification process was needed.

“In the present statute, there are too many loopholes about when notification must be provided, leaving consumers vulnerable to financial fraud and identity theft,” the three wrote. “The current law is alarmingly vague on the timeline to notify consumers when data has been compromised. And unlike other states, our current statute does not require notification to the Attorney General when a data breach puts state residents at risk.”

Data breach notification laws have come under scrutiny over the last few months, due in large part to the Anthem and Premera incidents, where approximately 90 million patient records were potentially exposed by cyber attacks.

For example, Senate health committee Chairman Lamar Alexander and Ranking Member Patty Murray wrote to Anthem President and CEO Joseph Swedish about letters being sent out to individuals potentially affected by the Anthem data breach.

“While we understand the logistical challenges associated with contacting millions of people, the highly sensitive nature of this information makes early notification essential, and we are concerned with your slow pace of notification and outreach thus far,” the duo wrote. “We are writing to formally request that you speed up the pace of notifications, and share with our committee what steps you plan to take in the next few days, to dramatically increase the pace of notification.”

Alexander and Murray added that Anthem should explain in detail how its notification efforts comply with federal and state laws and guidelines about the data breach notification process.

Source: http://ift.tt/1OBVsX9

from health IT caucus http://ift.tt/1yO0UEG