State healthcare data breach notification laws are not always thought of first in covered entities’ approaches to their data security plans, as HIPAA regulations are likely their top concern. However, organizations will also be held to state regulatory standards, and must understand both state and federal requirements when it comes to keeping health data secure.
Less than half of states account for healthcare data or medical information in their data breach notification standards.
Even so, several states have in the last few years made changes to tighten their regulations and ensure that residents have greater protections. This is essential as cybersecurity threats increase and healthcare data breaches continue to take place.
For example, Tennessee recently amended its data breach notification process. Tennessee SB 2005 removed the word “unencrypted” from describing the type of compromised information that would necessitate notification. This is important because now even encrypted data would require an organization to notify potentially affected individuals.
Another key change was in the notification timeline. Previously, Tennessee required that notice be “made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.” The amendment calls for disclosure to be made immediately, and no later than 14 days following the discovery of a breach.
“The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation,” the amendment states. “The notification required by this section shall be made no later than fourteen (14) days after the law enforcement agency determines that it will not compromise the investigation.”
It is also important to note that the updated law includes employees in the definition of “unauthorized person.” Essentially, should an organization’s employee access information for unlawful purposes, he or she can be held accountable.
The amended Tennessee law will go into effect July 1, 2016, and will apply to data breaches that occur after that date.
Earlier this year, Oregon also updated its data breach notification process, requiring businesses and government agencies to notify the state attorney general of a data breach affecting more than 250 state residents.
However, the Oregon Consumer Identity Theft Protection Act also did not account for medical information or health insurance data.
Encryption was addressed in the amended Oregon law, which states that the notification requirement applies only to unencrypted information. The compromised information would also need to “be sufficient to permit a person to commit identity theft against the consumer whose information was compromised.”
Even as states alter their data breach laws, the debate over whether states should continue to be able to enact and enforce the necessary protections when the need arises has been underway for some time.
Last year, the National Association of Attorneys General (NAAG) wrote a letter to Congress saying that federal law should not preempt state law when it comes to data breach notification.
“In recent years, a number of states have reexamined and updated their data breach notification laws to ensure they continue to protect the sensitive information about consumers being collected,” the letter explained. “Some states now include notification requirements for compromised biometric data, login credentials for online accounts, and medical information.”
States are also “better equipped to quickly adjust to the challenges presented by a data-driven economy,” according to NAAG. Federal law is important for large breaches that affect more than one state, but smaller incidents that are more localized will be better served by state attorneys general being given timely data breach notification.
State notifications can be beneficial for data protection
Regardless of individual states’ requirements, it is essential for covered entities and business associates to be aware of state law. Smaller breaches could still have a huge impact on an organization, especially if the incident results in a court case.
For example, last year a state HIPAA settlement was reached between New York and the University of Rochester Medical Center (URMC). In that case, approximately 3,400 patients’ PHI was compromised when a former URMC nurse practitioner reportedly took patients’ personal information with her when she left to work at Greater Rochester Neurology (GRN).
The settlement required URMC to pay a $15,000 penalty and train its workforce on policies and procedures related to PHI.
“This settlement strengthens protections for patients at URMC, and it puts other health care entities on notice that my office will enforce HIPAA data breach provisions,” said New York Attorney General Eric T. Schneiderman. “My office is committed to protecting patients’ private health information. Other medical centers, hospitals, health care providers, and health care entities should view this settlement as a warning, and take the time now to review and amend, as needed, their own policies and procedures to better protect private patient information.”
HIPAA regulations are designed to protect patient information, but so are state laws. Moreover, state requirements typically account for a wider array of data and can subject a broader range of industries to their requirements. Healthcare organizations must ensure that their policies and procedures account for both state and federal legislation.