proper encryption and transmission by State agencies under the
Governor's jurisdiction of data which includes personal
information.
Section 5.2. Commonwealth policy.
(a) Storage policy.--The Governor's Office of Administration
shall develop a policy to govern the proper storage by State
agencies under the Governor's jurisdiction of data which
includes personal information. The policy shall address
identifying, collecting, maintaining, displaying and
transferring personally identifiable information, using
personally identifiable information in test environments,
remediating personally identifiable information stored on legacy
systems and other relevant issues. A goal of the policy shall be
to reduce the risk of future breaches of security of the system.
(b) Considerations.--In developing the policy, the
Governor's Office of Administration shall consider similar
existing policies in other states, best practices identified by
other states and relevant studies and other sources as
appropriate.
(c) Review and update.--The policy shall be reviewed at
least annually and updated as necessary.
Section 5.3. Entities subject to the Health Insurance
Portability and Accountability Act of 1996.
Any covered entity or business associate that is subject to
and in compliance with the privacy and security standards for
the protection of electronic health information established
under the Health Insurance Portability and Accountability Act of
1996 (Public Law 104-191, 110 Stat. 1936) and the Health
Information Technology for Economic and Clinical Health Act
(Public Law 111-5, 123 Stat. 226-279 and 467-496) shall be
20210SB0696PN0775 - 5 -