What is the penalty for not taking reasonable action to disclose a security breach of sensitive personal information?

Since 2005, Texas law has required businesses that suffer computer data breaches to notify the affected consumers. The governing statute, the Texas Identity Theft Enforcement and Protection Act ("Identity Theft Act"), Texas Business and Commerce Code Chapter 521, was amended in 2007, 2009, and 2011. The amendments that took effect Sept. 1, 2012 broaden the Act's applicability and impose new burdens and consequences for data security breaches.

Starting Sept. 1, 2012, if there is a breach of system security involving sensitive personal information, disclosure to each affected individual "shall be made as quickly as possible," except for the time reasonably needed to determine the scope of the breach and restore the integrity of the system. The permitted means of notice change (substitute notice is allowed) if the cost of giving individual notice would exceed $250,000, the number of affected persons exceeds 500,000, or the business lacks sufficient contact information for the individuals. In addition, if more than 10,000 persons are affected by a single breach, the business must also notify the consumer reporting agencies.

New remedies under the Identity Theft Act include a civil penalty of up to $100 for each individual to whom notification is due, for each consecutive day the business fails to take reasonable action to comply with the notice requirement, capped at $250,000 for all individuals affected by a single breach. This is a substantial increase over the prior version of the Act, whose penalty was capped at $50,000 per violation. In addition, the Texas Attorney General may seek civil remedies in a district court in Travis County, in the county where the violation occurred, or in the county where the victim resides.

Under the revised Identity Theft Act, the duty to give notice of a breach of system security applies to any "person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information," who "shall disclose any breach of system security..." It remains unclear, however, whether the computerized data itself must be located in Texas, and whether the law reaches businesses in other states that hold data about Texas residents.

The duty to protect sensitive personal information is stated as follows: "A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business." This requirement does not apply, however, to a business that is covered by the Fair Credit Reporting Act, is a financial institution, or is a covered entity under the Insurance Code.

"Personal identifying information" is defined to include an individual's: (A) name, social security number, date of birth, or government issued identification number; (B) mother's maiden name; (C) unique biometric data, including the individual's fingerprint, voice print, and retina or iris image; (D) unique electronic identification number, address, or routing code; and (E) telecommunication access device as defined by Sec. 32.51, Penal Code.

The Identity Theft Act also defines "sensitive personal information" (which excludes information lawfully made available to the public) as: (A) an individual's first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted: (i) social security number; (ii) driver's license number or government-issued identification number; or (iii) account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account; or (B) information that identifies an individual and relates to: (i) the physical or mental health or condition of the individual; (ii) the provision of health care to the individual; or (iii) payment for the provision of health care to the individual.

Does Texas HB 300 expand breach notification scope and penalties?

The scope of breach notification has also expanded under HB 300. Any business that operates in Texas and handles protected health information (PHI) must notify all affected patients of a breach, regardless of the patient's state of residency.

What disciplinary actions can a licensing agency take if a covered entity licensed in Texas violates Texas Medical Records Privacy Law?

If a court finds that the violations constitute a "frequent pattern of practice," a covered entity can face up to $1.5 million in fines as well as license revocation and civil action by the Texas Attorney General, and the Attorney General can independently request an audit by the U.S. Department of Health and Human ...

What is Texas House Bill 300?

Texas HB 300 expanded the HIPAA definition of a covered entity (health care providers, health plans, and health care clearinghouses) to include any entity or individual that possesses, obtains, assembles, collects, analyzes, evaluates, stores, or transmits protected health information in any form.

What is the Texas Health Services Authority (THSA)?

A corporation formed to establish standards related to electronic health records.