On February 26, Bill No. 1024, titled "An Act Concerning the Security of Consumer Data," was introduced in the Insurance Committee of the Connecticut General Assembly. The bill requires health insurers, healthcare centers (a particular type of health insurer under Connecticut law that is akin to an HMO) and "other entities licensed to do health insurance business in Connecticut," pharmacy benefits managers, third-party administrators that administer health benefits, and utilization review companies to implement data security technology that encrypts the personal information of insureds and enrollees compiled or maintained by the entity. The phrase "other entities licensed to do health insurance business in Connecticut" is undefined in the legislation and has the potential to be construed broadly, thereby effectively expanding the universe of entities to which this legislation could be deemed to apply.
The bill defines "encrypt" as "the transformation of electronic data into a form in which meaning cannot be assigned without the use of a confidential process or key." The term "personal information" is defined to mean an individual's first name or initial and last name in combination with one or more of the following: Social Security number, driver's license number or other state identification number, address, or identifiable health information. The bill requires the Connecticut Commissioner of Insurance to promulgate regulations, in consultation with the Connecticut Commissioner of Consumer Protection, to establish minimum data security standards and to implement the requirements of the bill.
The data security technology requirements must be implemented no later than two years after the effective date of the bill, and entities subject to the law will be required to update their technology as necessary to ensure compliance with the requirements.
Bill No. 1024, which is modeled in part on a similar New Jersey data encryption law passed in January, was introduced by Connecticut State Senate Democrats in the aftermath of the Anthem Health Insurance data breach in early February. According to a release by State Senate Democrats, Anthem is one of Connecticut's largest health insurers and the data breach impacted more than 1.1 million people in the state.
Like the New Jersey law, the Connecticut legislation mandates the use of encryption but is silent as to other measures that insurers can or should take to make it more difficult for attackers to access the systems containing the encrypted information. It remains to be seen how the legislation will evolve as it makes its way through the Connecticut legislative process.