(a) When the department receives any identifiable health information disclosed from any source including any federal or ASG agency, other than the individual (or legal representative) who is the subject of the information, the department shall take appropriate measures to protect the security of such information, including:
(1) Maintaining such information in a physically secure environment, that:
(A) Minimizes the physical places in which such information is used or stored; and
(B) Prohibits the use or storage of such information in places where the security of the information may likely be breached or is otherwise significantly threatened;
(2) Maintaining such information in a technologically secure environment;
(3) Limiting access to such information to those persons who have a demonstrable need to access such information;
(4) Reducing the length of time that such information is used or stored in a personally-identifiable form to that period of time that is necessary for the use of the information;
(5) Eliminating unnecessary physical or electronic transfers of such information;
(6) Expunging duplicate, unnecessary copies of such information;
(7) Developing and distributing written guidelines concerning the preservation of the security of such information;
(8) Assigning personal responsibility to persons who acquire, use, disclose, or store such information for preserving its security;
(9) Providing initial and periodic security training of all persons who acquire, use, disclose, or store such information;
(10) Thoroughly investigating any potential or actual breaches of security concerning such information;
(11) Imposing disciplinary sanctions for any breaches of security when appropriate; and
(12) Undertaking continuous review and assessment of security standards.
(b) Wherever identifiable health information is accessible by the department, there shall be prominently displayed a notice in writing concerning the agency’s disclosure policy, which shall include the following or substantially similar language: “Identifiable health information contains health-related information about individuals which may be highly-sensitive. This information is entitled to significant privacy protections under federal and American Samoa law. The disclosure of this information outside the Department of Public Health in an identifiable form is prohibited without the written consent of the individual who is the subject of the information, unless specifically permitted by federal or American Samoa law. Unauthorized disclosures of this information may result in significant criminal or civil penalties.”
(c) All department personnel or other persons having authority at any time to acquire, use, disclose, or store identifiable health information shall:
(1) Be informed of their personal responsibility for preserving the security of identifiable health information;
(2) Execute a confidentiality statement prior to entering the premises, or as soon thereafter as possible, pursuant to their review of written guidelines consistent with this act concerning the preservation of the security of such information;
(3) Fulfill their personal responsibility for preserving the security of identifiable health information to the degree possible; and
(4) Report to the director, or his designee, any known security breaches or actions that may lead to security breaches. The identity of any person making a report under this subsection shall not be revealed, without the consent of the person making the report, to anyone other than the director, any investigating officials appointed by the director, or law enforcement officers.
(d) The department shall prepare an annual report concerning the status of security protections of identifiable health information, which shall be distributed to department personnel.

History: 2007, PL 30-11.