Privacy & Information Security Law Blog : Privacy Lawyer & Attorney : Hunton & Williams Law Firm : Personal Data, Information Security

Nevada’s law requires “data collectors,” including government agencies and businesses, that accept payment cards and are “doing business” in Nevada to comply with the Payment Card Industry Data Security Standard (“PCI DSS”).  Although Minnesota has codified the PCI DSS requirement that prohibits businesses from retaining certain credit or debit card data after a transaction, Nevada now becomes the only state to require compliance with PCI DSS in its entirety. 

For businesses that do not accept payment cards, the new Nevada law prohibits  electronically transmitting a customer’s personal information “outside of the secure system of the business” or moving any data storage device containing a customer’s personal information “beyond the logical or physical controls” of the business unless the transmission or data storage device is encrypted.  The statute defines “encryption” to include both (1) encryption technologies to render data indecipherable which have been adopted by an established standard-setting body such as the National Institute of Standards and Technology (“NIST”) and (2) appropriate management and safeguarding of cryptographic keys using guidelines promulgated by an established standard-setting body such as NIST. 

Although several states previously have rejected codifying PCI DSS into law, it remains to be seen whether Nevada’s new law will create a nationwide domino effect similar to that which occurred after California enacted the first information security breach notification statute.  Since California’s breach notification statute became effective in 2003, all but five states have enacted similar statutes.

The new law in New Hampshire requires health care providers and business associates to (1) obtain an authorization from individuals before using or disclosing their protected health information (“PHI”) for marketing, and (2) provide an opportunity for individuals to choose not to receive any fundraising communications that involve their PHI.  New Hampshire’s law also requires health care providers and business associates to notify individuals in writing of any use or disclosure of their PHI that is not permitted by New Hampshire law, even if such use or disclosure is allowed under federal law.  For example, New Hampshire prohibits all marketing communications (including those authorized by individuals) by voicemail, facsimile, or “other methods of communication that are not secure,” while federal law contains no such prohibitions. 

New Hampshire’s new law adds to the list of state and federal laws regulating breaches of health information:  in August 2009, Missouri’s information security breach notification statute, which applies to breaches of “medical information” and “health insurance information,” took effect, and in February 2010, the federal regulations addressing breaches of unsecured PHI will become effective.

The data contained on the stolen laptop included the names, addresses and Taxpayer Identification Numbers of approximately 19,000 health care providers in Connecticut.  The breach also involved thousands of Social Security numbers (“SSNs”), since an estimated 16-22% of individual health care providers use their SSNs as Taxpayer Identification Numbers.  BCBS confirmed that the breach did not involve any medical information or patient information.

Connecticut’s data breach notification law requires any person who “conducts business in” Connecticut and who “owns, licenses or maintains computerized data that includes personal information” to disclose any breach of security to affected Connecticut residents “without unreasonable delay.”  Attorney General Blumenthal is requesting more details from BCBS about the breach, including a list of impacted health care providers, the credit monitoring services and other protections that BCBS is offering those providers, as well as BCBS’s policies and procedures for responding to data breaches.  He noted that failure to comply with Connecticut’s data breach notification law constitutes an unfair trade practice that may subject BCBS to fines of up to $5,000 for each Connecticut resident affected by the breach and require BCBS to provide restitution to those affected residents.

A.B. 211 requires any provider of health care to “establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient’s medical information” and to “reasonably safeguard confidential medical information from any unauthorized access or unlawful access, use, or disclosure.”  “Unauthorized access” is defined as “the inappropriate review or viewing of patient medical information without a direct need for diagnosis, treatment, or other lawful use” as permitted under California law.  A.B. 211 establishes a new state agency, the Office of Health Information Integrity, to enforce the law and impose fines that can range from $1,000 up to a maximum of $250,000 per violation.

S.B. 541 applies to “any clinic, health facility, home health agency, or hospice” and, much like A.B. 211, requires those facilities to “prevent unlawful or unauthorized access to, and use or disclosure of patient’s medical information.”  S.B. 541 also requires those facilities to report any unlawful or unauthorized access to patient medical information to the California Department of Public Health (“CDPH”) within five days after such unlawful or unauthorized access has been detected and empowers the CDPH to levy fines that range from $25,000 up to a maximum of $250,000 per violation.

Because of the new legal obligations and stiff penalties for noncompliance, health care providers and health facilities in California should carefully review their existing security procedures to (1) ensure that access to patient medical information is strictly controlled, and (2) verify that they are capable of quickly detecting and reporting any security breaches to state officials.