ARRA HITECH Act 13407

Results for ARRA HITECH Act 13407

ARRA HITECH Act 13407(d) and (g); FTC regulations at 16 CFR 318.4

Timeliness of notification: All breach notifications shall be sent in no case later than 60 calendar days after the discovery of a breach of security. If a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security, the notification shall be delayed.

ARRA HITECH Act 13407(a) and (b); FTC regulations at 16 CFR 318.3

Breach notification requirement for vendors of personal health records and other non-HIPAA covered entities: After discovering a breach of security of unsecured PHR identifiable health information, the vendor of personal health records must notify affected individuals and the FTC. Third-party service providers must similarly notify the vendors of security breaches.
Summary:

Any agency that owns or licenses computerized data shall disclose any security breach to any California resident whose unencrypted personal information (including medical information) was acquired by an unauthorized person. Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any security breach immediately following discovery that the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
