The OCR has been quite active, particularly since 2011. Recent settlements include:
1) UCLA Health System, $865,500: workers were found snooping on celebrity patients' records.
2) Alaska Dept. of HHS, $1.7M: an unencrypted portable media device was stolen from the care of an employee.
3) Affinity Health Plan, $1,215,780: copiers were returned to a leasing agent without erasing the copiers' hard drives.
Who has obligations? Regulated businesses include healthcare and financial services.
Nonregulated businesses also have obligations, enforced by the Federal Trade Commission (FTC). The FTC works on behalf of consumers to prevent fraudulent, deceptive and unfair business practices, and it has the authority to pursue any company that has engaged in unfair or deceptive acts or practices in or affecting commerce. The FTC will also take action against individual owners.
The Florida Information Protection Act (SB 1524) broadens Florida’s existing data breach law. It requires that each covered entity, governmental entity, or third party agent shall take reasonable measures to protect and secure data in electronic form containing personal information.
What is personal information? An individual's first name or first initial and last name in combination with any one or more of the following data elements for that individual: SSN; driver's license or ID card number; credit or debit card number (with security code, access code or password); healthcare information; the individual's health insurance policy number; etc.
What does it mean to take reasonable measures to protect and secure data in electronic form containing personal information? Businesses must address administrative, physical and technical safeguards.