Privacy for Health Information Executives

New Data-security Laws

Published August 12, 2009 11:10 AM by Andrew Serwin
Every company and organization must grapple with data security. In the health field, HIPAA has specific data-security requirements, but general data-security laws can also be implicated. Over 30 states have data-security or data-destruction laws. Certain states have pushed the envelope further than others, and data security, perhaps more than any other issue, could place your company on the radar screen of a regulator, as well as of a plaintiff's class-action lawyer.

A number of states and local governments have enacted similar laws, including: Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Georgia, Hawaii, Indiana, Kansas, Kentucky, Maryland, Massachusetts, Michigan, Minnesota, Montana, Nevada, New Jersey, New York, New York City, North Carolina, Oregon, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington, and Wisconsin. The Massachusetts law contains extensive requirements, but its compliance date has been pushed back several times. Nevada already had a data-security law on the books, but it was recently amended; the amended law becomes effective Jan. 1, 2010 and has drawn a significant amount of attention. The amendments to Nevada law require data collectors who accept a payment card in connection with the sale of goods or services to comply with certain standards, and require the use of encryption to protect information that is transmitted electronically or that is moved beyond the control of the data collector.

The new law requires data collectors who accept a payment card in connection with the sale of goods or services to comply with the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council, no later than the date for compliance set forth in the PCI Data Security Standard or the date adopted by the PCI Security Standards Council.

PCI-covered entities are just the beginning of this law. Under the new law, a data collector who is not covered by PCI may not transfer personal information through an electronic non-voice transmission, other than by facsimile, to a person outside of the data collector's secure system unless the data collector uses encryption to ensure the security of the electronic transmission. Data collectors may also not move any data storage devices beyond the logical or physical controls of the data collector or its data storage contractor unless the data collector uses encryption to ensure the security of the information.

In the health field, HIPAA and state medical privacy laws already mandate data security for PHI. These general data-security laws can still affect your company or organization, because they are likely to apply to the non-PHI that you collect or process.


This is great information for health professionals. As you noted in your post, it's not only important to keep customers' data safe, it's required by law. And you raise a good point about PCI compliance. In addition to the information presented here, we’d like to suggest a new guide specifically written to help businesses easily understand the steps to become PCI compliant, it's called "Take Charge: Protecting Your Customers’ Credit Card Data." CalBizCentral, a company we work with, just published this book as a resource to help Level 4 merchants (businesses that handle fewer than 1 million total credit and debit card transactions and fewer than 20,000 online transactions annually) become safe and compliant. With small businesses quickly becoming the number one target of online theft, this book can be a powerful tool to help keep a business secure and successful. To learn more, feel free to watch a brief video from the book’s author about steps to becoming PCI compliant: http://www.youtube.com/watch?v=QN9ekjW1-jE

Zsavonne August 12, 2009 4:58 PM
Sacramento CA
