Healthcare Information Security


State Data Breach Notification Laws Critical to Healthcare Orgs

Covered entities already recognize the importance of the HIPAA Data Breach Notification Rule, but they must also contend with state data breach notification laws and their own implications.

Source: Thinkstock

The HIPAA Privacy, Security, and Data Breach Notification Rules require covered entities and business associates to take great care with how PHI is handled, stored, and transferred. Should patient data become compromised, healthcare organizations need to adhere to a strict notification process as well —co and may even find themselves liable to hefty fines.

While federal regulations are often a key consideration in the data breach notification process, requirements at the state level cannot be overlooked.

By taking note of all potentially applicable laws — federal and state — covered entities can develop a more thorough notification process and ensure that they are not overlooking a key area that might lead to further data security issues.

Each state has some form of a data breach notification process, requiring businesses that collect or use personal information to provide notice should a data breach take place. There might be some commonalities between these state requirements, but healthcare organizations need to take the time to review how the state in which they are based requires notification to be given in the instance of a potential breach.

A firm grasp of federal notification requirements, basic HIPAA compliance, and how to adhere to the state notification process can assist providers organize the increasingly complex ways of keeping patient data secure.

What is the HIPAA Data Breach Notification Rule?

Simply put, the HIPAA Breach Notification Rule requires covered entities and their business associates to notify necessary parties after unsecured PHI is compromised.

If a healthcare organization leaves an unencrypted laptop in a room that is not properly secured and that device is stolen, patient PHI could fall into the wrong hands. That entity is required under HIPAA to notify the patients, the Department of Health & Human Services (HHS), and potentially the media.

However, the notification rule only applies to unsecured PHI — that is, PHI “that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance,” according to HHS. 

ONC defines secured PHI and unsecured PHI
ONC defines secured PHI and unsecured PHI

Source: ONC

Covered entities could also show that there is a small chance that PHI was compromised based on a risk assessment of a minimum set of factors:

  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification
  • The unauthorized person who used the protected health information or to whom the disclosure was made
  • Whether the protected health information was actually acquired or viewed
  • The extent to which the risk to the protected health information has been mitigated.

The parties that must be notified will vary depending on how many individuals are potentially affected. If more than 500 individuals may have had their data exposed, then the organization must notify prominent media outlets serving the state or jurisdiction.

This notice must be given “without unreasonable delay” and in no case later than 60 days following the discovery of a health data breach. The same information that was on individual notifications must be included in the media notice.

The head of HHS must also receive notification within the same time frame for health data breaches affecting over 500 people. When fewer than 500 people are affected, covered entities just need to make an annual report, which are due to the Secretary “no later than 60 days after the end of the calendar year in which the breaches are discovered.”

HHS also requires covered entities show that all required notifications are provided following a data breach or prove that a use or disclosure of unsecured PHI did not constitute a breach. Covered entities should document that all required notifications were made or document that notification was not necessary.

Dig Deeper:

The debate whether state notification laws are necessary

Several pieces of legislation have made their way before Congress over the last few years to potentially federalize data breach notification and security.

The Federation of American Scientists (FAS) summarized the legislation and explained its potential effects on healthcare data breaches.

If passed, federal data breach legislation would clearly define a data breach and specific actions covered entities must take if a data breach occurs.

“Each bill defines the required form of notification, which may include written notice by mail or notice by email, when certain conditions are met,” FAS stated. “In certain circumstances, substitute notification through a posting on a website or publication may be an acceptable replacement for individual notification.”

Some of the proposed legislation would supersede HIPAA mandates and state laws, which has raised concerns.

“Many of the current proposals would leave existing federal requirements in place and exempt institutions and/or data covered by those federal laws from a new regulatory scheme,” FAS said. “However, some bills would also propose to supersede existing state laws and prevent states from acting in this area, thereby creating a uniform federal standard throughout the country.”

In 2015, the National Association of Attorneys General (NAAG) wrote to Congress arguing that states need to have the ability to enact and enforce state breach notification because many current state data breach notification laws have more protections than proposed federal legislation.

"We still frequently encounter situations in which companies do not comply with their own security policies, ignore security warnings, neglect to apply critical software patches, and fail to take other measures to safeguard consumers’ information."

At the time, NAAG wrote that 47 states had passed laws requiring consumers receive notification when their personal information is compromised by a security breach. The group’s members argued that states have also enacted laws that require companies to adopt “reasonable security practices.”

“Some states now include notification requirements for compromised biometric data, login credentials for online accounts, and medical information,” the letter stated. “These categories reflect the significant increase in data collection that has occurred over the past ten years and respond to consumers’ concerns about that increase.”

Many states also require attorney general offices to be notified if a large-scale data breach happens, the association added. There are also 47 states participating in the Privacy Working Group which “discusses and jointly investigates data breaches and other privacy matters,” NAAG noted.

“While many companies have become more sophisticated over time in their security practices, we still frequently encounter situations in which companies do not comply with their own security policies, ignore security warnings, neglect to apply critical software patches, and fail to take other measures to safeguard consumers’ information,” the letter explained.

Overall, the group maintained that federal law effectiveness with regard to data breach notification and data security measures would be hampered if the federal government were given full enforcement authority and regulatory authority.

Dig Deeper:

Accounting for health information in the breach notification process

Even though the majority of states have data breach notification laws, not all of them account for medical information or health insurance data in the notification requirements.

Over the past couple of years, more states have started to adjust their notification process, and beginning to add PHI into the definition of “personal information.”

In June 2016, Illinois Governor Bruce Rauner signed several amendments to a data breach notification law, impacting healthcare data security regulations 2017.

The state’s Personal Information Privacy Act was revised and now includes health insurance and medical information under the umbrella of protected personal information. As a result, organizations are required to report data breaches if they involve an individual’s first name or initial and last name in combination with specific healthcare data.

“The intent of this legislation is to set standards and to protect that vital information from those who wish to do harm or profit from the most personal details of our lives.”

New York also proposed legislation in 2016 that would include individuals’ medical information under its definition of personal information.

“New York's data breach notification law needs to be updated to keep pace with current technology,” a memo on the legislation explained. “This bill broadens the scope of information covered under the notification law and updates the notification requirements when there has been a breach of data.”

Rhode Island had its Identity Theft Protection Act go into effect in June 2016, which requires businesses and organizations of all sizes to implement and maintain a risk-based information security program.

Medical information, health insurance information, and email addresses are also now considered “personal information.”

“We live in a world where so much, if not all, of our personal information floats around in cyberspace, often with completely inadequate protections. This is the reality of our times,” bill sponsor Senator Louis DiPalma said in a statement. “The intent of this legislation is to set standards and to protect that vital information from those who wish to do harm or profit from the most personal details of our lives.”

Regardless of each state’s notification process, healthcare organizations need to ensure that they remain HIPAA compliant, and adhere to all aspects of the Privacy, Security, and Notification Rules. A state’s laws may be more stringent in certain areas, such as length of time to provide notice to potentially affected individuals, or requiring the attorney general to be notified, but HIPAA rules cannot be overlooked.

Covered entities and business associates should keep themselves current on all state and federal laws, and work toward consistent and comprehensive data security measures.

Dig Deeper:


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks

Continue to site...