Understanding the regulatory requirements that govern the use and disclosure of protected health information (PHI) is essential for healthcare professionals operating across the country. However, federal HIPAA regulation only accounts for a portion of those requirements. State laws and regulations regarding PHI are equally important, especially when it comes to how healthcare professionals are expected to respond in the event of a breach. Fewer than half of states currently include medical information in their data breach notification standards, but several have been making changes over the past few years in order to better protect their residents.
Recently, Tennessee amended its data breach notification protocol. Covered entities (CEs) are now required to notify patients of compromised information, even if that information has been encrypted, and therefore better protected. CEs must also disclose any breach no later than 14 days following the discovery of the breach compared to the 30 days that federal HIPAA regulation allows.
In addition to these changes, employees in Tennessee are now included in the definition of “unauthorized person,” meaning that employees will be held accountable if they access PHI without lawful authorization.
Oregon also amended the Oregon Consumer Identity Theft Protection Act, its data breach notification protocol. For breaches affecting more than 250 state residents, businesses and government agencies must notify the state attorney general. The act does not account for medical information or health insurance data. And in this case, only breaches of unencrypted data are beholden to the rule. Additionally, the PHI must still be linked to individually identifiable information such as date of birth, address, or Social Security number.
Though states are beginning to strengthen their data breach laws, there are still debates as to whether or not states should take action. The National Association of Attorneys General (NAAG) wrote to Congress saying that federal law should not override state laws. Though federal law is important for breaches that affect multiple states, the NAAG argues that states are better equipped to handle smaller, local incidents.
A HIPAA settlement was reached last year between the state of New York and the University of Rochester Medical Center (URMC). Patients’ PHI was comprised after a nurse practitioner reportedly accessed and took PHI with her when she left to work at Greater Rochester Neurology without the proper authorization. URMC’s $15,000 penalty and mandated workforce training regarding PHI privacy and security policies should be viewed as a “warning,” said New York Attorney General Eric T. Schneiderman. It’s becoming clear that healthcare professionals need to take time to review their own policies and procedures, and amend them if necessary, to better protect PHI and reflect state laws regarding breach notification.
Both the federal HIPAA regulation and state laws are designed to protect PHI from use and disclosure by unauthorized parties. Many state laws are actually stricter and account for more data than federal laws do. It’s important for healthcare organizations to ensure that they’re both familiar and fully compliant with the HIPAA regulation and state laws when handling PHI.
