

111 HR 3795 IH: One Hour Notification Act of 2013
U.S. House of Representatives
2013-12-19
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.



113th CONGRESS
1st Session
H. R. 3795

IN THE HOUSE OF REPRESENTATIVES

December 19, 2013

Mr. Bilirakis introduced the following bill; which was referred to the Committee on Energy and Commerce

A BILL

To require notifications by the Secretary of Health and Human Services to Congress and to individuals of breaches of personally identifiable information of such individuals maintained, submitted to, or submitted by a system maintained by Exchanges under the Patient Protection and Affordable Care Act, and for other purposes.

1. Short title

This Act may be cited as the One Hour Notification Act of 2013 and as the OH No Act of 2013.

2. Notification and annual report relating to breaches of personally identifiable information by PPACA Exchanges

(a) Notification of data breaches

The Secretary of Health and Human Services, following the discovery of a breach of the personally identifiable information of an individual that is maintained, submitted to, or submitted by a system maintained by an Exchange established under title I of the Patient Protection and Affordable Care Act (Public Law 111–148), shall—

(1) not more than one hour after the time at which the Secretary is notified of such breach, notify the individual that such information has been so breached; and

(2) in a timely manner, notify the Committees on Energy and Commerce, Ways and Means, and Education and Workforce of the House of Representatives and the Committees on Finance and Health, Education, Labor, and Pensions of the Senate that such information has been so breached.

(b) Annual report

Not later than January 1, 2015, and each year thereafter, the Secretary of Health and Human Services shall submit to Congress an annual report that identifies, with respect to the breaches of security described in subsection (a)—

(1) all such breaches that occurred within the past year; and

(2) the security rules, standards, and risk mitigation strategies implemented by the Secretary, as of the date of the submission of such report, for the purpose of preventing such breaches.