Yesterday, (June 30, 2015), Connecticut Governor Dannel Malloy signed into law Substitute Senate Bill 949, “An Act Improving Data Security and Agency Effectiveness” which requires state government contractors to implement extensive data security measures when receiving personal and/or health information from a state agency, and health care centers or other entities licensed to do health insurance business in the state, pharmacy benefits managers, third-party administrators and utilization review companies to implement a comprehensive information security program (CISP), as well as amendments to Connecticut’s data breach notification law. The law is considered one of the most stringent data security laws in the country.
The new law is quite extensive and requires specific compliance by government contractors, health insurers, health care centers, any entity licensed to do health insurance business in Connecticut, pharmacy benefits managers, third-party administrators, utilization review companies and “any person who conducts business” in the state of Connecticut and applies to all residents of the State of Connecticut, no matter where the information is held.
The requirements and deadlines for compliance with the law are outlined here.