Professional News

New State Law on Personal Information Security Affects UK

LEXINGTON, Ky. (Dec. 11, 2014) — A new state law, the Personal Information Security and Breach Investigation Procedures and Practices Act, goes into effect Jan. 1, 2015, and applies to all state agencies and universities. This act concerns the protection of personal information, which is broadly defined (see definition of personal information below).

The major elements of the law require UK employees to:

  • Be aware of personal information (both in paper and electronic form) and secure it accordingly.
  • Contact the appropriate offices if there is a suspected breach of personal information and/or protected health information:
      o Non-health care areas should contact the Security Breach Reporting Line, by calling 859-218-3904;
      o Health care areas should contact UK HealthCare IT Security Help Desk by calling 859-323-8586 or the Office of Corporate Compliance by calling 859-323-8002;
  • Preserve all information and data for the incident response team to investigate.

Employees are asked to share this information with colleagues. More information will be coming soon. 

Any questions should be directed to the UK HealthCare Office of Corporate Compliance at 859-323-8002; UK Analytics and Technologies Security at 859-218-0306 / e-mail security@uky.edu; or UK Office of Legal Counsel at 859-257-2936.

Personal Information

Personal information is defined as "an individual's first name or first initial and last name; personal mark; or unique biometric or genetic print or image, in combination with one or more of the following data elements:

  • An account number, credit card number, or debit card number that, in combination with any required security code, access code, or password, would permit access to an account;
  • A Social Security number;
  • A taxpayer identification number that incorporates a Social Security number;
  • A driver's license number, state identification card number or other individual identification number issued by an agency;
  • A passport number or other identification number issued by the United States government; or
  • Individually Identifiable Information as defined in 45 C.F.R. sec. 160.013 (of the Health Insurance Portability and Accountability Act), except for education records covered by the Family Educational Rights and Privacy Act, as amended 20 U.S.C. sec 1232g."