Conn. Gets Tough on Insurance Breaches
Insurers Must Report Incidents Within 5 Days
The tough policy, which applies to paper and electronic records, was contained in a bulletin (Bulletin IC-25) that the state insurance department issued earlier this month. For health insurers, the state requirements go far beyond the federal requirements included in the HITECH Act interim final breach notification rule. That rule requires that major breaches be reported to federal authorities within 60 days, and it does not require reporting breaches of encrypted information.
The state's action was "in response to some recent data breaches which were not reported in what we believe to be a timely manner," says a spokesman for the Connecticut Insurance Department.
The new policy for insurers is just the latest in aggressive actions to crack down on healthcare breaches in the state. Connecticut Attorney General Richard Blumenthal made headlines earlier this year when he became the first attorney general to sue an organization for HIPAA violations, as authorized under the HITECH Act. He sued Health Net, which eventually agreed to pay $250,000 in damages and offer stronger consumer protections to settle the suit over a breach in 2009.
Insurers Targeted
The new state insurance breach reporting policy applies to health maintenance organizations, preferred provider organizations and other health insurers, as well as property and casualty insurers, pharmacy benefit managers and medical discount plans. It does not apply to hospitals and physicians.
Under a separate data breach notification statute, all businesses in the state must report breaches of computerized personal information "without reasonable delay."
"We think the five days is reasonable when dealing with confidential medical and financial information," the insurance department spokesman says. "We believe we need to be involved in reviewing communications and in remediation discussions."
The new notification policy includes security incidents involving encrypted data, the spokesman says, "because we have learned that encryption does not always prohibit people from getting into the file data."
The bulletin also notes that insurers' business associates must promptly report security incidents to the insurance firms with which they do business. "We would expect that regulated entities are managing their business relationships to require that their business associates take action in a timely manner permitting regulated entities to comply with the notification requirements," the spokesman says.
No 'Harm Threshold'
Unlike the interim final version of the HITECH Act breach notification rule, which includes a controversial "harm standard," the Connecticut notice leaves virtually no wiggle room for interpreting whether an incident presents enough risk of harm to merit reporting. It offers a detailed, broad definition of a "security incident" that must be reported, referring to "any unauthorized acquisition or transfer of, or access to, personal, health, financial or personal information."
Federal authorities recently announced they were reworking the pending final version of the breach notification rule, leading to speculation that the harm standard may be altered or removed. That provision allows health care organizations and their business associates to conduct a risk assessment to determine whether a particular breach presents "significant risk" and thus needs to be reported to those affected. Opponents say this provision should be dropped so that all breaches are reported.