It seems as though 2015 was the year of the data breach, especially in the healthcare industry.
As a means to regulate these data breaches and ensure adequate notification to individuals whose information had been compromised, several pieces of legislation have been introduced to Congress to federalize data breach notification and security.
A recent report out of the Federation of American Scientists (FAS) summarizes this legislation and explains its potential effects on healthcare data breaches.
If passed, federal data breach legislation would clearly define a data breach, and also spell out specific actions covered entities must take if one should experience a data breach.
“Each bill defines the required form of notification, which may include written notice by mail or notice by email, when certain conditions are met,” FAS explained. “In certain circumstances, substitute notification through a posting on a website or publication may be an acceptable replacement for individual notification.”
Additionally, each bill explains what kind of information must be disclosed in a data breach notification, including the kind of personal information that had been breached, contact information for further explanation, and, if applicable, information regarding free credit monitoring.
Most of these legislative proposals would exist alongside prevailing federal security mandates, such as HIPAA, or a statewide data security law. For example, if a healthcare organization experienced a healthcare data breach, it would be exempt from some of the federal breach notification mandates because it would already be taking other measures to comply with HIPAA.
However, it should be noted that some of the proposed legislation would supersede HIPAA mandates and state laws.
“Many of the current proposals would leave existing federal requirements in place and exempt institutions and/or data covered by those federal laws from a new regulatory scheme,” FAS wrote. “However, some bills would also propose to supersede existing state laws and prevent states from acting in this area, thereby creating a uniform federal standard throughout the country.”
The latter kind of legislation has created concern amongst those who prefer state data security mandates.
In July of 2015, the National Association of Attorneys General (NAAG) wrote a letter to Congress explaining the importance of state data breach regulations and urging that they take precedence over any federal law. One reason given is a state’s ability to serve its own people better than the federal government can.
“As we have seen over the past decade, states are better equipped to quickly adjust to the challenges presented by a data-driven economy,” the group explained in its letter. “States have been able to amend their laws and focus their enforcement efforts on those areas most affecting consumers.”
According to FAS, nearly 47 states, as well as the District of Columbia, have created state data breach notification laws, and 12 others have enacted data security laws.
This past October, California became one of those states that created statewide regulations for data breach notification. These laws came after a year filled with large-scale healthcare data breaches, such as those at UCLA Health.
California’s laws come as a three-part bill, creating standards for data encryption, the language with which an entity delivers a data breach notification, and standards for defining personal information.
Although some bills would call for federal data security mandates to supersede other laws, it should be underscored that most of them would not. For example, in May of 2015, the Consumer Privacy Protection Act was introduced to Congress. This is just one example of a data security bill that would create blanket federal mandates for data breach notification and data security, while still preserving the requirements of HIPAA and statewide laws.