This text of Indiana § 24-4.9-3-3.5 (Duties of a data base owner; exceptions; health records; enforcement powers) is published on Counsel Stack Legal Research, covering Indiana primary law.
5. (a) Except as provided in subsection (b),
this section does not apply to a data base owner that maintains its own
data security procedures as part of an information privacy, security
policy, or compliance plan under:
(1) the federal USA PATRIOT Act (P.L. 107-56);
(2) Executive Order 13224;
(3) the federal Driver's Privacy Protection Act (18 U.S.C. 2721 et
seq.);
(4) the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(5) the federal Financial Modernization Act of 1999 (15 U.S.C.
6801 et seq.); or
(6) the federal Health Insurance Portability and Accountability
Act (HIPAA) (P.L. 104-191);
if the data base owner's information privacy, security policy, or
compliance plan requires the data base owner to maintain reasonable
procedures to protect and safeguard from unlawful use or disclosure
personal information of Indiana residents that is collected or
maintained by the data base owner and the data base owner complies
with the data base owner's information privacy, security policy, or
compliance plan.
(b) This section applies to a current or former health care provider
(as defined by IC 4-6-14-2) who is a data base owner or former data
base owner:
(1) to which an exemption under subsection (a)(6) applies or
applied; and
(2) whose information privacy, security policy, or compliance
plan:
(A) does not require the data base owner or former data base
owner to maintain and implement reasonable procedures; or
(B) is not implemented by the data base owner or former data
base owner;
to ensure that the personal information described in subsection
(a), including health records (as defined by IC 4-6-14-2.5), is
protected and safeguarded from unlawful use or disclosure after
the data base owner or former data base owner ceases to be a
covered entity under the federal Health Insurance Portability and
Accountability Act (P.L. 104-191).
(c) A data base owner shall implement and maintain reasonable
procedures, including taking any appropriate corrective action, to
protect and safeguard from unlawful use or disclosure any personal
information of Indiana residents collected or maintained by the data
base owner.
(d) A data base owner shall not dispose of or abandon records or
documents containing unencrypted and unredacted personal
information of Indiana residents without shredding, incinerating,
mutilating, erasing, or otherwise rendering the personal information
illegible or unusable.
(e) A person that knowingly or intentionally fails to comply with any
provision of this section commits a deceptive act that is actionable only
by the attorney general under this section.
(f) The attorney general may bring an action under this section to
obtain any or all of the following:
(1) An injunction to enjoin further violations of this section.
(2) A civil penalty of not more than five thousand dollars ($5,000)
per deceptive act.
(3) The attorney general's reasonable costs in:
(A) the investigation of the deceptive act; and
(B) maintaining the action.
(g) A failure to comply with subsection (c) or (d) in connection with
related acts or omissions constitutes one (1) deceptive act.