General Assembly Raised Bill No. 5346
February Session, 2016 LCO No. 695
*00695_______PRI*
Referred to Committee on PROGRAM REVIEW AND INVESTIGATIONS
Introduced by: (PRI)

AN ACT CONCERNING STATE AGENCY CONFIDENTIALITY BASED ON A PROGRAM REVIEW AND INVESTIGATIONS COMMITTEE STUDY.

Be it enacted by the Senate and House of Representatives in General Assembly convened:

Section 1. Section 19a-25 of the general statutes is repealed and the following is substituted in lieu thereof (Effective from passage):

(a) For purposes of this section: (1) "Confidential information" has the same meaning as provided in section 4e-70; and (2) "confidential information breach" means an instance where an unauthorized person or entity accesses confidential information in any manner, including, but not limited to, the following occurrences: (A) Any confidential information that is not encrypted or secured by any other method or technology that renders the confidential information unreadable or unusable is misplaced, lost, stolen or subject to unauthorized access; (B) one or more third parties have accessed, or taken control or possession of, without prior written authorization from the state, (i) any confidential information that is not encrypted or protected, or (ii) any encrypted or protected confidential information together with the confidential process or key that is capable of compromising the integrity of the confidential information; or (C) there is a substantial risk of identity theft or fraud.
(b) All information, records of interviews, written reports, statements, notes, memoranda or other data, [including] that includes personal data, [as defined in subdivision (9) of section 4-190,] procured by the Department of Public Health or by staff committees of facilities accredited by the Department of Public Health in connection with studies of morbidity and mortality conducted by the Department of Public Health or such staff committees, or carried on by said department or such staff committees jointly with other persons, agencies or organizations, or procured by the directors of health of towns, cities or boroughs or the Department of Public Health pursuant to section 19a-215, or procured by such other persons, agencies or organizations, for the purpose of reducing the morbidity or mortality from any cause or condition, shall be confidential information and shall be used solely for the purposes of medical or scientific research and, for information obtained pursuant to section 19a-215, disease prevention and control by the local director of health and the Department of Public Health. Such information, records, reports, statements, notes, memoranda or other data shall not be admissible as evidence in any action of any kind in any court or before any other tribunal, board, agency or person, nor shall it be exhibited or its contents disclosed in any way, in whole or in part, by any officer or representative of the Department of Public Health or of any such facility, by any person participating in such a research project or by any other person, except as may be necessary for the purpose of furthering the research project to which it relates. 
Notwithstanding the provisions of chapter 55, the Department of Public Health may exchange personal data for the purpose of medical or scientific research, with any other governmental agency or private research organization; provided such state, governmental agency or private research organization shall not further disclose such personal data.

(c) The Commissioner of Public Health shall adopt regulations consistent with the purposes of subsection (b) of this section to establish the procedures to ensure the confidentiality of such disclosures. The furnishing of such information to the Department of Public Health or its authorized representative, or to any other agency cooperating in such a research project, shall not subject any person, hospital, sanitarium, rest home, nursing home or other person or agency furnishing such information to any action for damages or other relief because of such disclosure. [This] The provisions of this subsection and subsection (b) of this section shall not be deemed to affect disclosure of regular hospital and medical records made in the course of the regular notation of the care and treatment of any patient, but only records or notations by such staff committees pursuant to their work.

(d) Not later than October 1, 2016, the Commissioner of Public Health shall develop and implement the use of a confidentiality pledge for employees of the Department of Public Health concerning the use and disclosure of confidential information. The confidentiality pledge shall notify each employee of his or her responsibilities concerning the use and disclosure of confidential information and potential consequences for the misuse of such information or data under applicable statutes, regulations and department policies.
The commissioner shall ensure that each employee of the department receives and signs the confidentiality pledge on or before January 1, 2017, or, if hired after said date, on the first day of such employee's employment with the department. The commissioner shall review and revise the confidentiality pledge as the commissioner deems necessary. Each employee of the department shall receive and sign any revised confidentiality pledge not later than fifteen days after the date of such revision.

(e) Not later than December 1, 2016, the Commissioner of Public Health, in consultation with the Secretary of the Office of Policy and Management, shall develop and implement internal policies to protect confidential information obtained or generated by the department from a confidential information breach. Such policies shall include, but need not be limited to, processes to: (1) Identify computer system vulnerabilities to a confidential data breach and eliminate or reduce such vulnerabilities; (2) identify the occurrence of any confidential information breach; (3) classify the severity of a confidential information breach; (4) limit or contain the disclosure of confidential information in the event of a confidential information breach; (5) document each incident of a confidential information breach; and (6) notify affected parties in the event of a confidential information breach. Not later than December 31, 2016, the Commissioner of Public Health shall submit a copy of such policies to the joint standing committee of the General Assembly having cognizance of matters relating to public health.

Sec. 2.
(NEW) (Effective from passage)

(a) For purposes of this section: (1) "Confidential information" has the same meaning as provided in section 4e-70 of the general statutes; and (2) "confidential information breach" means an instance where an unauthorized person or entity accesses confidential information in any manner, including, but not limited to, the following occurrences: (A) Any confidential information that is not encrypted or secured by any other method or technology that renders the confidential information unreadable or unusable is misplaced, lost, stolen or subject to unauthorized access; (B) one or more third parties have accessed, or taken control or possession of, without prior written authorization from the state, (i) any confidential information that is not encrypted or protected, or (ii) any encrypted or protected confidential information together with the confidential process or key that is capable of compromising the integrity of the confidential information; or (C) there is a substantial risk of identity theft or fraud.

(b) Not later than October 1, 2016, the Commissioner of Consumer Protection shall develop and implement the use of a confidentiality pledge for employees of the Department of Consumer Protection concerning the use and disclosure of confidential information. The confidentiality pledge shall notify each employee of his or her responsibilities concerning the use and disclosure of confidential information and potential consequences for the misuse of such information or data under applicable statutes, regulations and department policies. The commissioner shall ensure that each employee of the department receives and signs the confidentiality pledge on or before January 1, 2017, or, if hired after said date, on the first day of such employee's employment with the department. The commissioner shall review and revise the confidentiality pledge as the commissioner deems necessary.
Each employee of the department shall receive and sign any revised confidentiality pledge not later than fifteen days after the date of such revision.

(c) Not later than December 1, 2016, the Commissioner of Consumer Protection, in consultation with the Secretary of the Office of Policy and Management, shall develop and implement internal policies to protect confidential information obtained or generated by the department from a confidential information breach. Such policies shall include, but need not be limited to, processes to: (1) Identify computer system vulnerabilities to a confidential data breach and eliminate or reduce such vulnerabilities; (2) identify the occurrence of any confidential information breach; (3) classify the severity of a confidential information breach; (4) limit or contain the disclosure of confidential information in the event of a confidential information breach; (5) document each incident of a confidential information breach; and (6) notify affected parties in the event of a confidential information breach. Not later than December 31, 2016, the Commissioner of Consumer Protection shall submit a copy of such policies to the joint standing committee of the General Assembly having cognizance of matters relating to general law.

This act shall take effect as follows and shall amend the following sections:
Section 1 from passage 19a-25
Sec. 2 from passage New section

Statement of Purpose: To implement the recommendations of the Program Review and Investigations Committee concerning the protection of confidential information.

[Proposed deletions are enclosed in brackets. Proposed additions are indicated by underline, except that when the entire text of a bill or resolution or a section of a bill or resolution is new, it is not underlined.]