Congress has enacted legislation mandating notice to individuals whose personal information has been compromised
But with opportunity comes risk. In response to these risks, state legislatures and the U.S. Congress have enacted legislation mandating notice to individuals whose personal information has been compromised. Managed care entities must make special efforts to comply because they are responsible for vast amounts of personal information, including protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).
THE FEDERAL LANDSCAPE
On the federal front, managed care entities should remain mindful of the data breach legislation Congress has passed that is specific to protected health information. The Health Information Technology for Economic and Clinical Health, or HITECH, Act of 2009 modified HIPAA to require notification of data breaches that disclose PHI. HITECH does pre-empt contradictory state laws, but does not pre-empt state laws that afford higher levels of protection to PHI. And state laws also apply to personal information other than PHI. Thus, managed care entities remain subject to both HITECH and state data breach laws.
Since 2003, 46 states (along with the District of Columbia, Puerto Rico and the Virgin Islands) have enacted data breach notification statutes. Alabama, Kentucky, New Mexico and South Dakota are the only remaining exceptions. While state notification laws vary in the details, they are similar in their general contours:
The latest trend at the state level is to make health and healthcare information subject to notification obligations as well. To date, California, Texas, Arkansas, Missouri and Virginia have added health information to their notification laws. This legal trend is likely to continue, which is one more reason why managed care organizations must continually educate themselves about applicable state data breach notification laws and their impact on the lifeblood of their organizations.
This column is written for informational purposes only and should not be construed as legal advice.
Tim Connors is a partner in the Information Technology and Intellectual Property Practices at Calfee, Halter & Griswold LLP in Cleveland.