Posted on September 6, 2011 by Timothy Tobin

California Amends its Data Breach Notification Law

A new amendment to California’s security breach notification statute establishes specific content requirements for data breach notifications and imposes a new Attorney General notification requirement for breaches affecting more than 500 California residents. Senate Bill 24 (“SB 24”) was signed on August 31, 2011 by California governor Jerry Brown and will take effect January 1, 2012.  Since 2003, following California's enactment of the first of its kind data breach notification laws (Cal. Civ. Code §§ 1798.29 & 1798.82) California law has required any person, business or state agency that owns or licenses computerized data that includes certain personal information to notify individuals when there has been a breach of personal information, but did not specify the type of information that should be contained in the notification.  California now joins the ranks of several other states whose data breach notification laws contain breach notification content mandates. 

SB 24 requires all breach notifications to include the name and contact information of the notifying person or entity and a list of the types of personal information compromised, or reasonably believed to have been compromised. The notifying person or entity must also provide the toll-free telephone numbers and addresses of the three major credit reporting agencies – TransUnion, Equifax and Experian – if the breach exposed a Social Security number, driver’s license, or California card identification number.   Notifications must also be written in “plain language” and provide a general description of the breach if this information has been determined.

If it is possible to determine at the time of the breach, the notification must provide the date of the breach, an estimated date of the breach, or a date range within which the breach occurred. Each notice should include the date of the notice. The notification must also state whether the notification was delayed because of a law enforcement investigation.  The law allows, but does not require, the person or business to provide information regarding what the person or business has done to protect individuals whose information has been breached and recommendations on how individuals can protect themselves.

Special requirements also apply to larger-scale breaches. The law requires any agency, person or business that notifies more than 500 California residents to submit a single sample copy of the notification - excluding any personally identifiable information - to the Attorney General. 

In addition, SB 24 provides that HIPAA covered entities following the HITECH Act breach notice requirements will be deemed in compliance with the SB 24 content requirements, but such entities will still have to comply with the Attorney General notice provision.

SB 24 follows recent proposals at the federal level to implement a nationwide data breach notification requirement. See our recent post here for more information.    
Tags: , , , , , , , , , , , , , ,
Posted on May 10, 2010 by Mark Paulding

OCR Issues Guidance on Risk Analysis for HIPAA Security Compliance

On Friday, May 7, 2010, the Office for Civil Rights (“OCR”) issued guidance related to the HIPAA Security Rule’s risk analysis requirement.  Under HITECH, OCR is responsible for issuing annual guidance on provisions of the HIPAA Security Rule.  This guidance is the first in a series of documents aimed at helping covered entities and business associates implement effective and appropriate administrative, physical, and technical security safeguards. 

This guidance document is generally consistent with the materials provided by the Centers for Medicare and Medicaid Services (“CMS”) prior to the introduction of HITECH.  For example, like the recently released OCR guidance, CMS historically directed covered entities to refer to the National Institute of Standards and Technology’s Special Publication 800-66 Rev.1, An Introductory Resource Guide for Implementing the HIPAA Security Rule (October 2008) (“NIST 800-66”).  NIST 800-66 frequently directs readers to consult NIST SP 800-30, Risk Management Guide for Information Technology Systems (July 2002), which is also quoted extensively in the recently released OCR guidance.  Moreover, the OCR guidance is quite similar to the HIPAA Security Series, Paper 6: Basics of Risk Analysis and Risk Management which was most recently revised by CMS in March 2007. 

OCR encourages the public to offer feedback on the risk analysis guidance. Comments can be submitted to OCR at OCRPrivacy@hhs.gov

Tags: , ,
Posted on September 16, 2009 by Christopher Wolf

Hogan & Hartson's Marcy Wilder to Present on HITECH's Impact on Business Associate Agreements with Healthcare Providers

Hogan & Hartson's Marcy Wilder will be presenting on "HITECH's Impact on Business Associate Agreements with Healthcare Providers: Complying With New HIPAA Requirements and Preparing for Touger Enforcement" in a CLE Teleconference on Thursday, September 24, 2009, at 1pm EDT.

The Health Information Technology for Economic and Clinical Health Act (HITECH) dramatically expands the scope and application of the HIPAA Privacy and Security Rules. These changes have the greatest impact on business associates and on agreements that providers reach with them. For the first time, business associates will be directly subject to many of the HIPAA rules. To ensure compliance with the new requirements, counsel to healthcare providers and business associates must examine the implications of HITECH for all existing and future agreements. This program will examine the new HITECH requirements as they relate to business associates and business associate agreements, discusses evaluating existing agreements, and offers best practices for developing and negotiating new agreements.

Tags: , , ,