On February 26, Bill No. 1024, titled "An Act Concerning the Security of Consumer Data," was introduced in the Insurance Committee of the Connecticut General Assembly. The bill requires health insurers, healthcare centers (a particular type of health insurer under Connecticut law that is akin to an HMO) and "other entities licensed to do health insurance business in Connecticut," pharmacy benefits managers, third-party administrators that administer health benefits, and utilization review companies to implement data security technology that encrypts the personal information of insureds and enrollees compiled or maintained by the entity. The phrase "other entities licensed to do health insurance business in Connecticut" is undefined in the legislation and has the potential to be construed broadly, thereby effectively expanding the universe of entities to which this legislation could be deemed to apply.
The bill defines "encrypt" as "the transformation of electronic data into a form in which meaning cannot be assigned without the use of a confidential process or key." The term "personal information" is defined to mean an individual's first name or initial and last name in combination with one or more of the following: Social Security number, driver's license number or other state identification number, address, or identifiable health information. The bill requires the Connecticut Commissioner of Insurance to promulgate regulations, in consultation with the Connecticut Commissioner of Consumer Protection, to establish minimum data security standards and to implement the requirements of the bill.
The data security technology requirements must be implemented no later than two years after the effective date of the bill, and entities subject to the law will be required to update their technology as necessary to ensure compliance with the requirements.
Bill No. 1024, which is modeled in part on a similar New Jersey data encryption law passed in January, was introduced by Connecticut State Senate Democrats in the aftermath of the Anthem Health Insurance data breach in early February. According to a release by State Senate Democrats, Anthem is one of Connecticut's largest health insurers and the data breach impacted more than 1.1 million people in the state.
Like the New Jersey law, the Connecticut legislation mandates the use of encryption but is silent as to other measures that insurers can or should take to make it more difficult for attackers to access the systems containing the encrypted information. It remains to be seen how the legislation will evolve as it makes its way through the Connecticut legislative process.
On March 15, Eric Fader will be presenting a live webinar, "Navigating Legal Issues in Neuromonitoring," for The American Society of Neurophysiological Monitoring (ASNM).
On January 30, Jed Davis will speak at The Knowledge Group Webcast, "Best Strategies in Protecting Your Firm Against Hackers: What Hackers Can and Cannot Do?"
Susan Huntington authored a chapter, "Enterprise Risk Approach to Successful Population Management," in the recently published third edition of the "Enterprise Risk Management Handbook for Health Care Entities."
Kathy Lawler, Susan Huntington and Erin Healy wrote an article, "Risks for Employers using Drug Import Companies to Manage Costs," for AHLA Weekly.
Theresa Kelly and Howard Fetner wrote an article, "AARP Lawsuit Puts EEOC In An Awkward Position," for Law360.
Eric Fader was quoted in an article, "Health-Care Provider Pays $31K for Lack of Privacy Contract with Vendor," published in Bloomberg BNA's Health Care Daily Report.
Eric Fader was quoted in an article, "Drug, Device Makers Could Get Hit for Not Reporting Payments to Doctors," published in Bloomberg BNA's Life Sciences Law & Industry Report.
Day Pitney's recently updated HIPAA self-assessment tool was featured in an article published in Clinical Lab Products magazine.
Day Pitney Press Release
Danielle M. Corcione was quoted in an article, "Former Asst. US Attorney Joins Day Pitney's NJ Office," published in Law360.