Data breaches reveal the personal information of millions of Americans each year. In healthcare, the trend causes even greater concern due to the nature of the data. The consequences of a data breach are costly to healthcare providers, and more importantly, damaging to the victims.
Here is a sample of developments in this area from the start of 2018:
All 50 States Require Breach Notification
On May 1, the Alabama Data Breach Notification Law of 2018 came into effect, making Alabama the final U.S. state to enact such legislation. The law requires notification of breach victims within 45 days of a breach’s discovery, which is 15 days shorter than HIPAA’s 60-day limit. Failure to comply with the notification guidelines can result in a penalty of up to $5,000 per day of the violation.
CT Residents Can Sue for Medical Data Breach
The Connecticut Supreme Court unanimously ruled in January that residents can file lawsuits against healthcare providers seeking damages for negligent disclosure of their medical records resulting in harm. The state joins Massachusetts, Missouri, and New York in allowing such lawsuits, which are not explicitly allowed by HIPAA.
States Looking to Cut Notification Window
A bill to amend Colorado’s data breach notification laws is advancing through the state legislature (not passed as of May 14, 2018). Among other changes, the bill would require organizations to notify individuals affected by a data breach within 30 days of discovery.
Massachusetts Launches Breach Portal
Perhaps following the lead of the OCR’s infamous HIPAA Breach Portal, Massachusetts launched a web portal in February for organizations to submit breach notifications. The portal is expected to later host information on reported breaches, including the organization breached, when the breach occurred, and the number of people affected.