The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Connecticut Breach Notification Laws Updated

Connecticut's breach notification laws have been updated and are now in effect. Substitute Senate Bill No. 949, Public Act No. 15-142, introduced a number of changes intended to improve data security and agency effectiveness and to better protect state residents.

The updates affect everyone who does business in the state, with specific provisions for state contractors (the equivalent of HIPAA Business Associates/BAs) and for health insurers.

One of the major changes concerns damage and risk mitigation after a data breach. Companies and individuals doing business in the state must now provide credit monitoring services to breach victims, at no charge to the victim, for a minimum of one year when confidential information is exposed.

The definition of "confidential information" varies from state to state. Connecticut's definition broadly overlaps with the identifiers covered by HIPAA/HITECH, although it is a list of specific data elements rather than the HIPAA definition of protected health information. In Connecticut it specifically refers to:

  • Name
  • Date of birth
  • Mother’s maiden name
  • Motor vehicle operator’s license number
  • Social Security number
  • Employee identification number
  • Employer or taxpayer identification number
  • Alien registration number
  • Government passport number
  • Health insurance ID number
  • Demand deposit account number
  • Savings account number
  • Credit/Debit card number
  • Unique biometric data (fingerprints, voice prints, retina or iris images, or other unique physical representation)

Connecticut Breach Notification Law Changes

Credit monitoring services must be provided after a "confidential information breach," which the state-contractor provisions of the bill describe as an incident in which "an unauthorized person or entity accesses confidential information that is subject to or otherwise used in conjunction with any part of a written agreement with a state contracting agency in any manner."

Notice must be provided to the state Attorney General and to affected individuals no later than 90 days after the breach is discovered. HIPAA covered entities and their business associates remain bound by the shorter federal deadline: the HIPAA Breach Notification Rule requires notification without unreasonable delay and no later than 60 days after discovery, so healthcare providers cannot rely on the 90-day state window.

Credit monitoring services typically start at $10-$30 per breach victim, which adds up to a considerable cost for a large-scale data breach. With data breaches increasingly likely and the cost of breach response continuing to rise, healthcare providers should revisit the topic of data encryption.

If data on a lost or stolen device has been rendered unreadable and unusable through encryption, the loss or theft does not constitute a reportable breach under either the Connecticut statute or HIPAA. The HIPAA exemption only applies if the encryption meets HHS guidance (which references NIST standards) and the decryption key was not also compromised, so encryption keys must be stored separately from the device they protect.

Updates Concerning Health Insurers

Any health insurance business conducted in Connecticut, including business conducted by providers of services related to health insurance, such as pharmacy benefit managers, third-party administrators responsible for administering health benefits, and utilization review companies, must now develop and maintain a "comprehensive information security program" to protect the data it holds.

There is no single prescribed security solution, so insurance companies must implement safeguards appropriate to their business and the level of risk they face. One requirement is stipulated, however: the encryption of data in transit. If personal information is sent wirelessly or transmitted over a network accessible to the public, it must be encrypted.

The Connecticut law also states that anti-virus and anti-malware software must be used and that firewalls must be put in place to protect networks from external attacks.

The state law follows HIPAA to a certain extent and requires controls to be put in place to limit access to confidential and personal information. As with HIPAA, insurers are responsible for the actions of their Business Associates; it is up to the insurer to make sure that its BAs comply with state and federal law.

Updates Concerning State Contractors

State contractors given access to confidential information, as defined in the list above, must also implement controls to protect that information. Protections must likewise be put in place for any information a state contracting agency designates as confidential when it is shared with a contractor.

In contrast to HIPAA, which allows contractors a degree of flexibility in how they safeguard data, the new Connecticut law stipulates that firewalls must be used, data must be stored on secure servers, and intrusion detection systems must be in place to identify attacks.

Contractors must “implement and maintain a comprehensive data security plan for the protection of that information,” meeting the minimum requirements stated in the bill.

If you conduct any business in Connecticut and store, access or transmit confidential or personal information, you should familiarize yourself with the full text of Senate Bill 949 (Public Act No. 15-142).

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
