Health organizations, covered entities and their business associates need to be familiar with the HIPAA Breach Notification Rule and must strictly comply with it. This rule covers the issuance of notifications to patients, plan members and the HHS’ Office for Civil Rights. If your organization operates in several U.S. states, the data breach notification laws you must follow may differ from state to state, and knowing and following the applicable law in each state can be a challenge. The proposed answer to this dilemma is the re-introduced bill H.R. 3806, sponsored by Congressman Jim Langevin (D-RI) and called the Personal Data Breach Notification Act. This bill seeks to standardize data breach notification requirements across all U.S. states.
The Personal Data Breach Notification Act would apply to all entities and organizations that collect the data of more than 10,000 persons within a 12-month period. So, whatever state a person lives in, he or she would receive a data breach notification promptly whenever one is required. It would make it easier for businesses to know what is required of them following a data breach. At the same time, it would reinforce the obligation of companies to report when consumers’ personal information is compromised.
What is the timescale for issuing notifications? Currently, this varies from state to state. Under the Personal Data Breach Notification Act, the proposed maximum time limit is 30 days from the discovery of the breach, and the bill states that there should be no unreasonable delay in issuing notifications within that period. In some cases, breached entities may request an extension from the Federal Trade Commission, which would be the enforcing government agency. Law enforcement agencies can also request that notifications be delayed to avoid impeding an ongoing investigation; the FBI and the United States Secret Service are permitted to authorize a delay of up to 30 days. Hence, the maximum time allowed for issuing notifications is 60 days from the discovery of a breach.
What type of exposed data would call for a breach notification to be issued? Any breach of sensitive personally identifiable information would require a notification. The Personal Data Breach Notification Act would designate a government agency to receive breach notification reports. Notifications to individuals may be sent by mail or telephone, or by email if the individuals have agreed to receive electronic notifications. A media notice may also be required if the breach affects at least 5,000 individuals.
Compliance with the Personal Data Breach Notification Act would be mandatory, and failure to comply would result in financial penalties. State attorneys general would also be able to take action against entities that do not comply with the Act.