Written in collaboration with Nathaly Tamayo, JD.
On October 1, 2021, major changes to Connecticut’s electronic data breach statute take effect. Those changes will affect health care providers’ reporting obligations for HIPAA breaches involving electronic information (e.g., a misdirected email or fax). This is because the definition of personal information in the state data breach statute will include “medical information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional” as well as health insurance policy or identification numbers. As a result, more HIPAA breaches will also trigger state data breach law reporting.
Notably, the Legislature also added a wide variety of government IDs, biometric data, and online account information to the definition of personal information.
How does this impact HIPAA-related breach reporting?
The Health Insurance Portability and Accountability Act of 1996 and its related regulations (HIPAA) govern, in part, the privacy and security of protected health information (PHI). Almost all identifiable information that health care providers have about patients qualifies as PHI. Subject to some exceptions, when paper or electronic PHI is acquired, accessed, used, or disclosed in a manner inconsistent with HIPAA rules, there is a breach that requires notice to the affected individual and to the Department of Health and Human Services (DHHS).
Based on the revised “personal information” definition under the CT data breach statute, which now includes medical and insurance information, seemingly all HIPAA breaches involving electronic information (ePHI) will trigger obligations under the state law as well as HIPAA. This means that, in addition to notifying the affected individual and DHHS, health care providers must also report the incident to the Connecticut Attorney General (CT AG) when the affected individual is a Connecticut resident.
Reporting to the CT AG should not be a new concept for health care providers. The current statute already requires such reporting when a breach involves an electronically maintained Social Security number, driver’s license number, credit or debit card number, or financial account number. The addition of electronic medical and health insurance information to the state data breach statutes means that more HIPAA breaches will also trigger the state data breach statute.
There are notable changes to timing too. The revised CT data breach statute requires notification to the individual and the CT AG within 60 days, which shortens the previous reporting period by 30 days. This should not be difficult for health care providers to navigate, however, as providers always had to comply with the HIPAA timeframe of 60 days for individual notification.
There is one important distinction between the timing requirements under HIPAA and the revised CT data breach statute. For all breaches of ePHI involving fewer than 500 individuals, the health care provider must notify the CT AG within 60 days even though notification to DHHS is not required until 60 days after the end of the calendar year under HIPAA. This may require changes to internal breach notification processes to ensure compliance.
What internal changes are necessary to ensure compliance?
Again, under the revised CT data breach statute, most (if not all) ePHI will also qualify as “personal information.” Therefore, health care providers must include in their breach investigation a determination of whether the information at issue is electronic. If so, the provider will likely also need to report the incident to the CT AG. Below are suggested steps for reviewing/revising current processes:
- Review your process for investigating potential breaches.
- Add an assessment for whether the information at issue is electronic or not.
- Ensure that data flagged as electronic is considered for state data breach reporting purposes.
- Add a procedure for ensuring timely reporting to the CT AG.
- Currently, CT AG reporting can be done by mail or to firstname.lastname@example.org, but I fully expect the AG’s office to announce an online reporting option similar to the HHS reporting portal.
- The CT AG requests that the following information be part of the report:
  - Name and contact information of the person reporting the breach.
  - Name and address of the business that experienced the breach, and the type of business.
  - A general description of the breach, including the date(s) of the breach, when and how the breach was discovered, and any remedial steps taken in response to the breach.
  - The number of Connecticut residents affected by the breach.
  - A detailed list of the categories of personal information subject to the breach.
  - The date(s) that notification was or will be sent to the affected Connecticut residents.
  - A template copy of the notification sent to the affected Connecticut residents.
  - Whether credit monitoring or identity theft protection services have been or will be offered to affected Connecticut residents, as well as a description and length of such services (the CT data breach statute requires 24 months of identity theft protection services when Social Security or Tax Identification numbers are involved).
  - Whether the notification was delayed due to a law enforcement investigation (if applicable).
- The CT AG and HHS reports should be similar. For tips on writing an effective HHS breach report, see the post on Drafting an Effective HIPAA Breach Report; those tips also apply generally to CT AG reporting.
- Ensure that you send the CT AG report at the same time that you send the individual’s notice.
- If you typically file HHS reports at the end of the year, consider filing rolling HHS reports throughout the year rather than waiting until year end, to streamline the process of reporting to HHS and the CT AG.
- If the information at issue involved an individual’s Social Security or taxpayer identification number, be sure to provide at least 24 months of identity theft protection services free of charge.
Connecticut is one of many states that have enhanced their privacy and security laws. The CT data breach statute’s expanded definition of personal information and resulting notification obligations will require health care providers to think more broadly about the protection of patient information; HIPAA isn’t the only law that applies. In fact, the laws of other states may apply as well, depending on the state of residence of patients. Health care providers and, in particular, the staff responsible for the privacy and security of patient information, must carefully examine policies and procedures to ensure that they are capturing the growing patchwork of privacy requirements. And because an ounce of prevention is worth a pound of cure, all health care providers should improve security protocols to reduce the likelihood of a breach of ePHI in the first place.