Breach notification: HIPAA is not the only law to worry about

Marti Arvin (marti.arvin@comcast.net) is VP, Chief Compliance Officer, at Erlanger Health System in Chattanooga, TN.

Most healthcare compliance and privacy professionals have become familiar with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule. When a data compromise involving protected health information (PHI) occurs, healthcare organizations have a process to evaluate the situation and determine whether notification to patients is required. It is less common, however, to have a process for evaluating obligations under state laws. Most states have some form of breach notification requirement that applies when personally identifiable information about a resident of the state is compromised. This may include both patient and nonpatient information. With more employees working remotely, and more of them living in a state other than the one in which they work, an organization is now more likely than in the past to hold information about residents of multiple states.

If an organization has a significant data compromise, it will likely be necessary to evaluate whether it has any obligations under state breach notification laws. This evaluation can become quite complex. State laws often apply when data about a resident of the state is compromised, but many states exempt organizations or data already covered by HIPAA. A state law could also impose requirements in addition to those of HIPAA. States may define individually identifiable information differently from one another. To fully evaluate the application of state breach notification laws, several steps must be taken.
