Declares that when a covered entity substantially upgrades or replaces their billing or records management system, the resulting system must be capable of verifying and recording which person or persons, internal or external, have had access to customer profile data.

Declares that upon written request by a customer, any covered entity shall release to the customer all customer profile data pertaining to that customer, including the identity of any individual or entity, internal or external, who has had access to the requesting customer's records. The customer may request a copy of their records once per year free of charge. The customer may be charged a nominal fee for subsequent requests. Any customer profile data collected by a covered entity must be retained and remain accessible to the customer for at least two years.

Provides that after reviewing his or her customer profile data, a customer must be given the opportunity to: (1) Contest the accuracy, completeness, timeliness, relevance, or dissemination of his or her customer profile data;

(2) Correct or amend the information contained in his or her customer profile data; and

(3) Request that customer profile data be removed or destroyed from the database, unless removal or destruction of the information would be contrary to applicable state or federal law.

Provides that a covered entity must implement adequate security measures to protect customer profile data and customer records from unauthorized access, loss, or tampering. These security measures should be consistent with industry accepted best standards that are commensurate with the amount and sensitivity of the customer information being stored on the system.