
States add more criteria to breach notification laws


Congress has enacted legislation mandating notice to individuals whose personal information has been compromised

But with opportunity comes risk. In response to these risks, state legislatures and the U.S. Congress have enacted legislation mandating notice to individuals whose personal information has been compromised. Managed care entities must make special efforts to comply because they are responsible for vast amounts of personal information, including protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).


On the federal front, managed care entities should remain mindful of the data breach legislation Congress has passed that is specific to protected health information. The Health Information Technology for Economic and Clinical Health, or HITECH, Act of 2009 modified HIPAA to require notification of data breaches that disclose PHI. HITECH does pre-empt contradictory state laws, but does not pre-empt state laws that afford higher levels of protection to PHI. And state laws also apply to personal information other than PHI. Thus, managed care entities remain subject to both HITECH and state data breach laws.

Since 2003, 46 states (along with the District of Columbia, Puerto Rico and the Virgin Islands) have enacted data breach notification statutes. Alabama, Kentucky, New Mexico and South Dakota are the only remaining exceptions. While state notification laws vary in the details, they are similar in their general contours:

The latest trend at the state level is to make health and healthcare information subject to notification obligations as well. To date, California, Texas, Arkansas, Missouri and Virginia have added health information to their notification laws. This legal trend is likely to continue, which is one more reason why managed care organizations must continually educate themselves about applicable state data breach notification laws and their impact on the lifeblood of their organizations.

This column is written for informational purposes only and should not be construed as legal advice.

Tim Connors is a partner in the Information Technology and Intellectual Property Practices at Calfee, Halter & Griswold LLP in Cleveland.

© 2024 MJH Life Sciences

All rights reserved.