Effective January 1, 2019, South Carolina’s Data Breach Notification Law states:
- Commensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee’s possession, custody, or control, each licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment and that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system.
- The licensee shall designate one or more employees, an affiliate, or an outside vendor designated to act on behalf of the licensee as responsible for the information security program
- A licensee shall exercise due diligence in selecting its third-party service provider; and require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider.
- As part of its information security program, a licensee must establish a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession, the licensee’s information systems, or the continuing functionality of any aspect of the licensee’s business or operations.
- Annually, each insurer domiciled in this State shall submit to the director, a written statement by February fifteenth, certifying that the insurer is in compliance with the requirements set forth in this section. Each insurer shall maintain for examination by the department all records, schedules, and data supporting this certificate for a period of five years. To the extent an insurer has identified areas, systems, or processes that require material improvement, updating or redesign, the insurer shall document the identification and the remedial efforts planned and underway to address such areas, systems, or processes. Such documentation must be available for inspection by the director.
- If a licensee learns that a cybersecurity event has occurred or may have occurred, the licensee, an outside vendor, or service provider designated to act on behalf of the licensee must conduct a prompt investigation of the event.
- If the licensee learns that a cybersecurity event has occurred or may have occurred in a system maintained by a third-party service provider, the licensee shall complete an investigation pursuant to the requirements of this section or confirm and document that the third-party service provider has completed an investigation pursuant to the requirements of this section.
- The licensee shall maintain records concerning all cybersecurity events for a period of at least five years from the date of the cybersecurity event and produce those records upon demand of the director.
- A licensee shall notify the director no later than seventy-two hours after determining that a cybersecurity event has occurred when either of the following criteria are met: South Carolina is the licensee’s state of domicile in the case of an insurer, or the licensee’s home state in the case of a producer; or the licensee reasonably believes that the nonpublic information involved is of no less than two hundred and fifty consumers residing in this State, and the cybersecurity event: impacts the licensee of which notice is required to be provided to any governmental body, self-regulatory agency, or any other supervisory body pursuant to state or federal law; or has a reasonable likelihood of materially harming a consumer residing in this State or a material part of the normal operations of the licensee.
- The computation of the licensee’s deadlines shall begin on the day after the third-party service provider notifies the licensee of the cybersecurity event or the licensee otherwise has actual knowledge of the cybersecurity event, whichever is sooner.
- In the case of a cybersecurity event involving nonpublic information used by the licensee who is acting as an assuming insurer or in the possession, custody, or control of a licensee who is acting as an assuming insurer and that does not have a direct contractual relationship with the affected consumers, the assuming insurer shall notify its affected ceding insurers and the director of its state of domicile within seventy-two hours of making the determination that a cybersecurity event has occurred.
In general, State laws that are contrary to the Privacy Rule are preempted by the federal requirements, which means that the federal requirements will apply.
- Each covered entity, with certain exceptions, must provide a notice of its privacy practices. The Privacy Rule requires that the notice contain certain elements. The notice must describe the ways in which the covered entity may use and disclose protected health information. The notice must state the covered entity’s duties to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice. The notice must describe individuals’ rights, including the right to complain to HHS and to the covered entity if they believe their privacy rights have been violated. The notice must include a point of contact for further information and for making complaints to the covered entity. Covered entities must act in accordance with their notices. The Rule also contains specific distribution requirements for direct treatment providers, all other health care providers, and health plans.
- A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule.
- A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. A covered entity must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule.
- OCR may impose a penalty on a covered entity for a failure to comply with a requirement of the Privacy Rule. Penalties will vary significantly depending on factors such as the date of the violation, whether the covered entity knew or should have known of the failure to comply, or whether the covered entity’s failure to comply was due to willful neglect. Penalties may not exceed a calendar year cap for multiple violations of the same requirement.
For violations occurring prior to 2/18/2009
For violations occurring on or after 2/18/2009
Up to $100
$100 to $50,000 or more
Calendar Year Cap
- A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one-year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm.
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.
Specifically, covered entities must:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
- The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.
- A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
If you believe that a HIPAA-covered entity or its business associate violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules, you may file a complaint with the Office for Civil Rights (OCR).