Billingology - Data Security and Breach Notification Act


News of PHI (protected health information) breaches has been flooding the media of late, and protecting your patients' PHI and other personal information is imperative. Millions of individuals have been affected in just a couple of high-profile data breaches. A draft bill, the "Data Security and Breach Notification Act" (the "Act"), was recently introduced in the US Senate. Its purpose is "To protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a breach of security." The Act would require all organizations subject to the Federal Trade Commission's jurisdiction, which includes health care providers, to notify each individual whose personal information is involved in a data breach, and also to notify credit reporting agencies if more than 5,000 individuals are affected. Notification is to occur within 30 days of the date the breach of security is discovered. Under the Act's regulations, policies and procedures are required to include the following:

  • A security policy with respect to the collection, use, sale, other dissemination, and maintenance of personal information
  • The identification of an officer or other individual as the point of contact with responsibility for the management of information security
  • A process for identifying and assessing any reasonably foreseeable vulnerabilities in each system maintained by the covered entity that contains such personal information, including regular monitoring for a breach of security of each such system
  • A process for taking preventive and corrective action to mitigate any vulnerabilities identified in the above process, which may include implementing changes to information security practices and to the architecture, installation, or implementation of network or operating software.
  • A process for disposing of data in electronic form containing personal information by destroying, permanently erasing, or otherwise modifying the personal information contained in such data to make such personal information permanently unreadable or indecipherable.
  • A standard method or methods for the destruction of paper documents and other non-electronic data containing personal information.

These requirements are similar to those under HIPAA, but under the proposed legislation, anyone who intentionally or willfully conceals a data breach may face up to 5 years in prison. The entity may also be fined $1,000 per individual per day (up to $100,000 per day) for each day the entity is out of compliance with the Act.