State Security Breach Notification Laws Are Catching On Quickly

Reprinted from the September 2005 issue of REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

The protection of patient information is second nature at covered entities (CEs), but now they face a new compliance dimension: mandatory patient notification. Though HIPAA does not require CEs to inform patients when their PHI is improperly disclosed, mandatory patient notification is coming from the states.

As of early August, 19 states — including California, New York, Florida, Illinois and Washington — have enacted security breach notification laws that require entities to tell their customers when their personal information has been compromised, according to the Public Interest Research Group. Bills in two more states made it through the legislature and await the governors’ signatures, and other states are moving in this direction as well. There’s also a good chance that Congress will pass a security breach notification bill that would pre-empt the state laws.

Notification laws are rooted in the war on identity theft, which has become a major national crusade. But they mesh with HIPAA compliance mandates, and Maryland attorney Leslie Bender advises privacy officers to find out whether their state has a security breach notification law, and (if so) integrate its requirements into their HIPAA compliance programs.

“This puts even more teeth in your compliance program,” Bender says. For example, these state laws impose penalties for privacy and security violations. Many of the laws are enforced by state attorneys general, so CEs have a new partner in their efforts to “prevent and deter people from improperly accessing and using information they are not entitled to,” she says.

Security breach notification laws are a departure from the U.S.’s prior emphasis on privacy and security protections. “There was no history of laws in this country requiring notice for information security breaches. The [emphasis was on] protecting information. But because of the panic of identity theft, state legislatures in California and elsewhere passed these laws,” says Charlotte, N.C., attorney Theodore Claypoole, who is with the law firm of Womble Carlyle Sandridge & Rice.

California led the way, as is its wont, passing a security breach notification law that became effective in 2003. The California law requires state agencies, people and businesses that own or license computerized data with personal information to disclose “any breach of the security of the data…to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” Notification is triggered if the offender accessed two pieces of data: name plus either a Social Security number, an account number, or a driver’s license/California ID number. In health care, that means patients must be notified if the PHI improperly accessed included the patient’s name and Social Security number, according to Claypoole.

But it’s not a blanket requirement. Typically under these state laws, organizations such as CEs don’t have to give notice unless they believe personal data has actually been compromised through a breach of security, says Claypoole. In other words, not every unauthorized access will trigger notification mandates under the law, he says. For example, a laptop with encrypted data stolen from a coffee shop may not trigger mandatory notification under a state security breach notification law, but if a hacker breaks into an electronic medical records system replete with Social Security numbers, then notification may be mandatory.

Claypoole says it’s important not to err on the side of extreme caution and rush to notify patients of every little mistake. “There is a negative to giving notice. People get numb to warnings after a while and it might backfire,” he says.

Three Practical Steps You Can Take

How should privacy officers adapt to security breach notification laws? Here are Bender’s tips:

(1) Integrate state security breach notification laws into your thinking. “As soon as you know someone possesses consumer-based information they should not have, that is a problem,” Bender says.

(2) Establish a formal process to evaluate whether breaches require patient notification under a state law. Typically, under these new laws CEs don’t have to report breaches to patients if no harm resulted (or is likely to result) from the breach (e.g., a back-up computer tape is missing, but it’s believed a clerk simply mislabeled it). It would be time-consuming to evaluate this on a case-by-case basis, so Bender advises establishing a matrix to help decide whether a breach triggers the notification law. This is similar to the decision-making process for role-based access under the HIPAA minimum necessary standard. To get started, Bender suggests, “look at your log for security incidents or privacy breaches so far and determine which, under your new state law, would have required you to notify your patients and which would not have required notification. Then come up with circumstances to create guidance for yourself.”

(3) Meet with the human resources department to think through employee discipline — perhaps revisiting your HIPAA “sanctions” policies and procedures. An offense that merely earns a written reprimand internally may be a violation of the state security breach notification law and punishable by a civil fine. A disparity like that could make a hospital appear insensitive to patient privacy and be very embarrassing, Bender says.
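As an added example (not code from the article or from the attorneys quoted in it), here is one way to encode the decision matrix Bender recommends, using the California trigger described above; the incident records and the data-element names (`ssn`, `account_number`, etc.) are constructed assumptions.

```python
"""Breach-notification triage matrix modelled on the California trigger
described in the article: name plus SSN, account number, or driver's
license/state ID, held unencrypted, and acquired (or reasonably believed
acquired) by an unauthorized person. Example code added for this article;
incident records are constructed. Statute text and counsel govern real cases."""
from dataclasses import dataclass

# Data elements that, combined with a name, trigger the California rule
TRIGGER_ELEMENTS = {"ssn", "account_number", "drivers_license", "state_id"}


@dataclass
class Incident:
    incident_id: str
    elements_exposed: set           # e.g. {"name", "ssn"}
    encrypted: bool                 # was the data encrypted when exposed?
    acquired_by_unauthorized: bool  # acquired, or reasonably believed acquired?


def notification_required(inc: Incident) -> tuple[bool, str]:
    """Return (must_notify, reason) for one incident under the matrix."""
    if inc.encrypted:
        return False, "data was encrypted; rule covers unencrypted data only"
    if not inc.acquired_by_unauthorized:
        return False, "no reasonable belief of unauthorized acquisition"
    if "name" not in inc.elements_exposed:
        return False, "name not exposed; trigger needs name plus identifier"
    hits = TRIGGER_ELEMENTS & inc.elements_exposed
    if not hits:
        return False, "no SSN/account/license/ID number exposed with the name"
    return True, "name exposed with " + ", ".join(sorted(hits))


def triage(incidents: list[Incident]) -> dict[str, bool]:
    """Run the matrix over a security-incident log, as Bender suggests."""
    return {i.incident_id: notification_required(i)[0] for i in incidents}


# Constructed incidents mirroring the article's scenarios
SAMPLE_LOG = [
    Incident("laptop-coffee-shop", {"name", "ssn"}, True, True),
    Incident("emr-intrusion", {"name", "ssn", "diagnosis"}, False, True),
    Incident("mislabeled-backup-tape", {"name", "account_number"}, False, False),
    Incident("misdirected-fax", {"name", "diagnosis"}, False, True),
]

if __name__ == "__main__":
    for inc in SAMPLE_LOG:
        must, why = notification_required(inc)
        print(f"{inc.incident_id}: {'NOTIFY' if must else 'no notice'} ({why})")
```

The point is the documented reason string per incident: it lets a privacy officer show why an event did or did not trigger notice without re-deciding each case from scratch.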

For a list of state security breach notification laws, see www.pirg.org.

Copyright © 2008 by Atlantic Information Services, Inc. All rights reserved.