Congress has enacted legislation mandating notice to individuals whose personal information has been compromised
But with opportunity comes risk. In response to these risks, state legislatures and the U.S. Congress have enacted legislation mandating notice to individuals whose personal information has been compromised. Managed care entities must make special efforts to comply because they are responsible for vast amounts of personal information, including protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).
THE FEDERAL LANDSCAPE
On the federal front, managed care entities should remain mindful of the data breach legislation Congress has passed that is specific to protected health information. The Health Information Technology for Economic and Clinical Health, or HITECH, Act of 2009 modified HIPAA to require notification of data breaches that disclose PHI. HITECH does pre-empt contradictory state laws, but does not pre-empt state laws that afford higher levels of protection to PHI. And state laws also apply to personal information other than PHI. Thus, managed care entities remain subject to both HITECH and state data breach laws.
Since 2003, 46 states (along with the District of Columbia, Puerto Rico and the Virgin Islands) have enacted data breach notification statutes. Alabama, Kentucky, New Mexico and South Dakota are the only remaining exceptions. While state notification laws vary in the details, they are similar in their general contours:
The latest trend at the state level is to make health and healthcare information subject to notification obligations as well. To date, California, Texas, Arkansas, Missouri and Virginia have added health information to their notification laws. This legal trend is likely to continue, which is one more reason why managed care organizations must continually educate themselves about applicable state data breach notification laws and their impact on the lifeblood of their organizations.
This column is written for informational purposes only and should not be construed as legal advice.
Tim Connors is a partner in the Information Technology and Intellectual Property Practices at Calfee, Halter & Griswold LLP in Cleveland.