What Are HIPAA Laws in Virginia?

HIPAA Laws in Virginia

Virginia is one of the states that provide greater patient data privacy and security protection than HIPAA through a state data privacy law. Virginia HIPAA laws include a legal right of patients to medical record privacy, amendment of protected health information (PHI), and subpoena laws. HIPAA laws in Virginia also include the Virginia Consumer Data Protection Act (Virginia’s breach notification law).

HIPAA Laws in Virginia Are About Privacy

Virginia HIPAA laws explicitly recognize a patient’s right of privacy in the content of their medical records. To further this privacy interest, HIPAA laws in Virginia state that patient health records are the property of the healthcare entity maintaining them, and that no healthcare entity, or other person working in a healthcare setting, may disclose an individual’s health records except when permitted or required by other state law. HIPAA laws in Virginia differ from federal HIPAA in that federal HIPAA law does not explicitly state that patients have a right of privacy in the content of their medical records.


Virginia HIPAA Laws: Make Amends

Virginia HIPAA laws differ from federal HIPAA in several other respects. Under HIPAA, if a covered entity accepts an individual’s request for amendment or correction of PHI, it must make the appropriate amendment. The covered entity must identify the records in the patient’s designated record set and either append the amendment or otherwise provide a link to its location.

However, providers are not required to delete any PHI; they may do so if they choose to. For example, suppose an inaccurate diagnosis is listed in a patient record. In that case, a provider may, under HIPAA, add a note that the diagnosis is not accurate, but the diagnosis itself need not be deleted.

Virginia HIPAA laws provide greater protection to patients. HIPAA laws in Virginia require providers to disclose patient health records to the patient at their request. If the patient specifically requests an audit trail of any additions, deletions, or revisions to their health record, the provider must comply with the request where the information the patient wants deleted is not accurate.

This extra layer of protection for patient privacy under Virginia law may seem trivial on paper. In practice, the “right to deletion” can matter a great deal to a patient. A patient whose record mistakenly lists them as “angry,” or as having an illness they do not have, is spared what might be considerable embarrassment or stress by having the right to delete.


What is the Virginia Breach Notification Law?

The Virginia breach notification law is known as the Virginia Consumer Data Protection Act, or the Virginia CDPA. The Virginia CDPA protects the personal data of Virginia residents. Under the Virginia Consumer Data Protection Act, personal data is “any information that is linked or reasonably linkable to an identified or identifiable natural person.”

Under the law, there is a subset of personal data, called “sensitive data,” which includes:

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
  • The processing of genetic or biometric data to uniquely identify a natural person
  • The personal data collected from a known child
  • Precise geolocation data

Under the Virginia CDPA, a “breach” is the unauthorized access and acquisition of unencrypted and unredacted electronic data. Where that unauthorized access and acquisition compromises the security or confidentiality of personal information, it is a breach and must be reported.

Under the Virginia breach notification law, notification of a breach must be made to affected individuals. The notification must be made without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.

The notification must include a description of the following:

  • What the breach consists of, in general terms
  • The types of personal information that were subject to unauthorized access and acquisition
  • The acts taken to protect personal information from further unauthorized access
  • A telephone number that the person may call for further information and assistance, if one exists