With the signing of bill No. 949 earlier this week, Connecticut Gov. Dannel Malloy officially changed how businesses and individuals that contract with the state or conduct business in Connecticut must notify consumers about data breaches. The requirements extend to health data as well.
Here are six things to know about the law.
1. Included in the new legislation is a provision that businesses must notify potential victims of data security breaches within 90 days of the attack.
2. Beginning October 1, healthcare providers and insurers will be compelled by the law to treat personal health information the same as personal information such as addresses, credit card numbers, or Social Security numbers.
3. Any entity dealing in confidential health information must implement and maintain a comprehensive data-security program featuring safeguards that include, but are not limited to, security policies for contracted employees; reasonable restrictions on access to electronically stored records; at least an annual process for reviewing policies and security measures; and an active and ongoing employee awareness program.
4. Contractors must maintain all confidential electronic health data on a secure server, on secure hard drives, behind firewall protections monitored by intrusion detection software, and in a manner that restricts access to authorized employees and their agents.
5. Contractors must notify the state contracting agency and the attorney general as soon as it is practical to do so after they have any reason to believe that confidential information has been breached.
6. Confidential data may not be stored on standalone computers or portable devices.