
New State Security Breach Notification Laws

Client Alert | 1 min read | 09.08.05

Beyond the HIPAA Privacy Rule and the HIPAA Security Rule, health care entities now face potential compliance obligations under an increasing number of state laws requiring notification of security breaches. Following in the footsteps of the California legislature, nineteen other states have now passed security breach notification laws, and there are similar laws pending in eight states whose legislatures are still in session: New Jersey, Massachusetts, Michigan, North Carolina, Ohio, Oregon, Pennsylvania, and Wisconsin.

Each of the recently enacted laws, like the California law, generally requires entities to promptly notify residents of that state if the security, confidentiality or integrity of their personal information – defined similarly by most states, with some notable exceptions – has been compromised.

Failure to comply may result not only in enforcement by state officials but also in civil lawsuits, since some of the new state laws incorporate a private right of action.


As an additional requirement, some states require businesses to take security measures to prevent the occurrence of breaches. Depending on which health care market your business serves, you could be required by state law, e.g., to utilize encryption for transmission of personal information or to implement compliant document destruction policies.

If your organization loses personal data, do you know how to respond?

The best way to avoid disclosure under the new laws is to avoid the breach in the first place. Therefore, we recommend that as a supplement to existing HIPAA Security measures, health care entities adopt and implement any necessary state-specific procedures for handling the security of personal information generally. Health care entities should also prepare a response plan which includes an established method for notifying individuals when and if their personal information is compromised. Furthermore, most states will accept an existing information security policy if it contains notification provisions that meet the timing requirements of the new laws. If you already have an information security policy, you may wish to review it to ensure it comports with new applicable state law.
