States add more criteria to breach notification laws

November 1, 2010

Congress has enacted legislation mandating notice to individuals whose personal information has been compromised

But with opportunity comes risk. In response to these risks, state legislatures and the U.S. Congress have enacted legislation mandating notice to individuals whose personal information has been compromised. Managed care entities must make special efforts to comply because they are responsible for vast amounts of personal information, including protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).

THE FEDERAL LANDSCAPE

On the federal front, managed care entities should remain mindful of the data breach legislation Congress has passed that is specific to protected health information. The Health Information Technology for Economic and Clinical Health, or HITECH, Act of 2009 modified HIPAA to require notification of data breaches that disclose PHI. HITECH does pre-empt contradictory state laws, but does not pre-empt state laws that afford higher levels of protection to PHI. And state laws also apply to personal information other than PHI. Thus, managed care entities remain subject to both HITECH and state data breach laws.

Since 2003, 46 states (along with the District of Columbia, Puerto Rico and the Virgin Islands) have enacted data breach notification statutes. Alabama, Kentucky, New Mexico and South Dakota are the only remaining exceptions. While state notification laws vary in the details, they are similar in their general contours:

The latest trend at the state level is to make health and healthcare information subject to notification obligations as well. To date, California, Texas, Arkansas, Missouri and Virginia have added health information to their notification laws. This legal trend is likely to continue, one more reason why managed care organizations must continually educate themselves about applicable state data breach notification laws and their impact on the lifeblood of their organizations.

This column is written for informational purposes only and should not be construed as legal advice.

Tim Connors is a partner in the Information Technology and Intellectual Property Practices at Calfee, Halter & Griswold LLP in Cleveland.