Proposed legislation designed to crack down on breaches of consumers' personal information could have implications for the health care industry, HealthLeaders Media reports.
Earlier this month, Sens. Mark Pryor (D-Ark.) and Jay Rockefeller (D-W.Va.) introduced a bill (S 3742) that would require businesses and not-for-profit organizations that handle sensitive consumer information to establish comprehensive data protection plans and follow strict breach notification requirements. The Federal Trade Commission would oversee compliance with the measure.
Health care entities and their business associates would not be considered in violation of the proposed legislation if they comply with the privacy and security requirements of the HITECH Act or similar federal laws.
However, it remains unclear whether the bill also would exempt entities that comply with FTC's "Red Flags" rule (Nicastro, HealthLeaders Media, 8/17). The Red Flags rule designates physician offices and certain other businesses as creditors, thus requiring them to implement written identity theft prevention and mitigation programs (iHealthBeat, 6/29).
Legislation Details
The proposed legislation includes several provisions that are similar to the requirements of the HITECH Act. The measure includes provisions that would:
- Allow state attorneys general to enforce the new data breach notification requirements;
- Mandate certain procedures to help ensure the security of consumers' personal information; and
- Require entities to follow certain protocols after uncovering a data breach.
The bill is before the Senate Commerce, Science and Transportation Committee (HealthLeaders Media, 8/17).