On February 26, Bill No. 1024, titled "An Act Concerning the Security of Consumer Data," was introduced in the Insurance Committee of the Connecticut General Assembly. The bill requires health insurers, healthcare centers (a particular type of health insurer under Connecticut law that is akin to an HMO) and "other entities licensed to do health insurance business in Connecticut," pharmacy benefits managers, third-party administrators that administer health benefits, and utilization review companies to implement data security technology that encrypts the personal information of insureds and enrollees compiled or maintained by the entity. The phrase "other entities licensed to do health insurance business in Connecticut" is undefined in the legislation and has the potential to be construed broadly, thereby effectively expanding the universe of entities to which this legislation could be deemed to apply.
The bill defines "encrypt" as "the transformation of electronic data into a form in which meaning cannot be assigned without the use of a confidential process or key." The term "personal information" is defined to mean an individual's first name or initial and last name in combination with one or more of the following: Social Security number, driver's license number or other state identification number, address, or identifiable health information. The bill requires the Connecticut Commissioner of Insurance to promulgate regulations, in consultation with the Connecticut Commissioner of Consumer Protection, to establish minimum data security standards and to implement the requirements of the bill.
The data security technology requirements must be implemented no later than two years after the effective date of the bill, and entities subject to the law will be required to update their technology as necessary to ensure compliance with the requirements.
Bill No. 1024, which is modeled in part on a similar New Jersey data encryption law passed in January, was introduced by Connecticut State Senate Democrats in the aftermath of the Anthem Health Insurance data breach in early February. According to a release by State Senate Democrats, Anthem is one of Connecticut's largest health insurers and the data breach impacted more than 1.1 million people in the state.
Like the New Jersey law, the Connecticut legislation mandates the use of encryption but is silent as to other measures that insurers can or should take to make it more difficult for attackers to access the systems containing the encrypted information. It remains to be seen how the legislation will evolve as it makes its way through the Connecticut legislative process.
Last Thursday, Senate Republicans unveiled the Better Care Reconciliation Act of 2017, a bill that, if enacted, would make sweeping changes to the current system of federal healthcare taxes and subsidies under the Affordable Care Act (ACA).
Eric Fader authored a chapter in the 2017 edition of Westlaw's "Data Security and Privacy Law" treatise, published by Thomson Reuters.
Steven A. Cash, Benjamin H. Nissim and David Forscey, policy analyst for the Homeland Security & Public Safety Division of the National Governors Association, co-authored an article, "Cybersecurity Is The Next Frontier Of State Regulation," for Law360.
On March 15, Eric Fader will be presenting a live webinar, "Navigating Legal Issues in Neuromonitoring," for The American Society of Neurophysiological Monitoring (ASNM).
On January 30, Jed Davis will speak at The Knowledge Group Webcast, "Best Strategies in Protecting Your Firm Against Hackers: What Hackers Can and Cannot Do?"
Eric Fader was quoted in an article, "Wellmark's Iowa ACA Exchange Exit Prompts Civil Rights Complaint," published in Bloomberg BNA's Privacy Law Watch.
Eric Fader was quoted in an article, "Federal Advisers Likely to Push for Better Health Data Exchange," published in Bloomberg BNA's Health IT Law & Industry Report.
Eric Fader was quoted in an article, "DNA Testing Company Shakes Alaska Privacy Claims," in Bloomberg BNA's Privacy Law Watch.
Eric Fader was quoted in an article, "Nurses Hit Hardest by Medicare and Medicaid Exclusions," published in Bloomberg BNA's Health Care Fraud Report.
Eric Fader was quoted in an article, "Health-Care Watchdog to Review Medicaid Opioid Claims," published in Bloomberg BNA's Health Care Daily Report.