What Are HIPAA Laws in Virginia?

HIPAA Laws in Virginia

Virginia is one of those states that provide greater patient data privacy and security protection than HIPAA through a state data privacy law. Virginia HIPAA laws include a legal right of patients to medical record privacy, amendment of protected health information (PHI), and subpoenas laws. HIPAA laws in Virginia also include the Virginia Consumer Data Protection Act (Virginia’s breach notification law).

HIPAA Laws in Virginia Are About Privacy

Virginia HIPAA laws explicitly recognize a patient’s right of privacy in the content of their medical records. To further this privacy interest, HIPAA laws in Virginia state that patient health records are the property of the healthcare entity maintaining them. To further protect privacy, Virginia HIPAA laws state that no healthcare entity, or other person working in a healthcare setting, may disclose an individual’s health records, except when permitted or required by other state law. HIPAA laws in Virginia differ from federal HIPAA in that federal HIPAA law does not explicitly state that patients have a right of privacy in the content of their medical records.


Virginia HIPAA Laws: Make Amends

Virginia HIPAA laws differ from federal HIPAA in several other aspects. Under HIPAA, if a covered entity accepts an individual’s request for amendment or correction of PHI, it must make the appropriate amendment. The covered entity must identify the records in the patient’s designated record set and either append or otherwise provide a link to the location of the amendment. 

However, providers are not required to delete any PHI. They may do so if they choose to. For example, suppose an inaccurate diagnosis is listed in a patient record. In that case, a provider may, under HIPAA, make a note that the diagnosis is not accurate, but the diagnosis need not be deleted.

Virginia HIPAA laws provide greater protection to patients. HIPAA laws in Virginia require providers to disclose patient health records to the patient at their request. If the patient specifically requests an audit trail of any additions, deletions, or revisions to their health record, the provider must comply with the request if the information the patient wants deleted is not accurate.

This Virginia-provided extra layer of protection to patient privacy may seem trivial on paper. In practice, the “right to deletion” can matter a great deal to a patient. A patient whose record mistakenly lists them as “angry” or as having an illness they do not have is spared what might be considerable embarrassment or stress by having the right to delete.


What is the Virginia Breach Notification Law?

The Virginia breach notification law is known as the Virginia Consumer Data Protection Act, or the Virginia CDPA. The Virginia CDPA protects the personal data of Virginia residents. Under the Virginia Consumer Data Protection Act, personal data is “any information that is linked or reasonably linkable to an identified or identifiable natural person.”

Under the law, there is a subset of personal data, called “sensitive data,” which includes:

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
  • The processing of genetic or biometric data to uniquely identify a natural person
  • The personal data collected from a known child
  • Precise geolocation data

Under the Virginia CDPA, a “breach” is the unauthorized access and acquisition of unencrypted and unredacted electronic data. The unauthorized access and acquisition of unencrypted and unredacted data, if it compromises the security or confidentiality of personal information, is a breach and must be reported.

Under the Virginia breach notification law, notification of a breach must be made to affected individuals. The notification must be made without unreasonable delay, as consistent with any measures necessary to determine the scope of the breach and restore the system’s reasonable integrity.

The notification must include a description of the following: 

  • What the breach consists of, in general terms 
  • The types of personal information that were subject to unauthorized access and acquisition
  • The acts taken to protect personal information from further unauthorized access
  • A telephone number that the person may call for further information and assistance, if one exists
  • Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports

Breach notification must be made in writing to a person’s last known address, by telephone, or electronically.

The Virginia Attorney General may bring enforcement actions for violations of the statute, and may impose a civil penalty not to exceed $150,000 per breach of the security of the system or a series of breaches of a similar nature that are discovered in a single investigation.

General HIPAA Laws Also Applicable in Virginia

To meet the requirements of the HIPAA regulations, healthcare organizations must implement a HIPAA compliance program. 

Security Risk Assessments, Gap Identification, and Remediation

To be HIPAA compliant, it is crucial to identify where your deficiencies lie. To do so, healthcare organizations must conduct six self-audits annually. These self-audits uncover weaknesses and vulnerabilities in your security practices. To ensure that your organization meets HIPAA safeguard requirements, you must create remediation plans. Remediation plans list your identified deficiencies and how you plan to address them, including actions and a timeline.

HIPAA Policies and Procedures

To ensure that you meet HIPAA Privacy, Security, and Breach Notification requirements, you must implement written policies and procedures. These policies and procedures must be customized for your practice’s specific needs, applying directly to how your business operates. To account for any changes in your business practices, you must review your policies and procedures annually and make amendments where appropriate.

HIPAA Training

HIPAA imposes employee training requirements that are the same regardless of the state the healthcare organization operates in. HIPAA training must be provided to each employee who has the potential to access PHI. HIPAA training must be provided annually, and employees must legally attest that they understand and agree to adhere to the training material.

Business Associate Agreements

Business associate agreements must be signed with each of your business associate vendors. HIPAA defines a business associate as any entity that performs a service for your practice that gives them the potential to access PHI. Common examples of business associates include electronic health records platforms, email service providers, online appointment scheduling software, and cloud storage providers. 

You cannot use just any vendor and remain HIPAA compliant. The vendor must be willing and able to sign a business associate agreement (BAA). A BAA is a legal contract that requires each signing party to be HIPAA compliant and to be responsible for maintaining its own compliance. When a vendor doesn’t sign a BAA, it cannot be used for business associate services.

Incident Management

To comply with the HIPAA Breach Notification Rule, you must have a system to detect, respond to, and report breaches. Employees must also have the means to report incidents anonymously and be aware of what to do if they suspect a breach has occurred.

HIPAA Authorization Form Virginia

A HIPAA authorization form in Virginia is required under certain circumstances. HIPAA regulations outline the uses and disclosures of PHI that require authorization to be obtained from a patient/plan member before that person’s PHI can be shared or used. 

A HIPAA authorization form in Virginia is required before:

  • The covered entity can use or disclose PHI whose use or disclosure is otherwise not permitted by the HIPAA Privacy Rule
  • The covered entity can use or disclose PHI for marketing purposes. If the marketing communication involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.

The law requires that a HIPAA release contain specific “core elements” to be valid. 

These elements include:

  • A description of the specific information to be used or disclosed.
  • The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
  • The name or other specific identification of any third parties (persons or classes of persons) to whom the covered entity may make the requested use or disclosure.
  • A description of each purpose of the requested use or disclosure. 
  • An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. 
  • The signature of the individual, and the date. 

HIPAA Violation Virginia

What is a HIPAA violation in Virginia? While many HIPAA violations come to light because of breaches, it is not the breach itself that establishes that a healthcare organization violated HIPAA. Most HIPAA violations occur when healthcare organizations fail to conduct accurate and thorough risk assessments, provide patients timely access to their medical records, have signed business associate agreements, or report breaches promptly.
