Mega-Breaches: Notification Lessons
Attorney Warns Against Focusing Solely on HIPAA Compliance
By Marianne Kolbasuk McGee, March 5, 2015.
When preparing their data breach notification strategies, healthcare organizations must guard against focusing solely on HIPAA compliance and neglecting to consider various state laws, says privacy and security attorney Brad Rostolsky.
"State laws are often not something that folks think about immediately ... but it should be right up there with HIPAA in terms of what we're thinking about," he says in an interview with Information Security Media Group.
For instance, less than a week after health insurer Anthem Inc. publicly disclosed on Feb. 4 that it had suffered a breach affecting millions of former and current health plan members in numerous states, 10 state attorneys general wrote a letter to the insurance company expressing "alarm" that Anthem hadn't yet communicated with those affected.
"If you know you are only dealing with patients or individuals in two to five states, it's probably worthwhile to get a sense of what the obligations are under those states' laws," he says. "But it's the larger institutions and larger businesses that deal with folks across the country that have a bigger challenge. The last thing any client wants to hear is '50 state survey,' but generally speaking, it's not a bad idea to make sure the folks you're turning to for advice [about breaches] are aware of what all the states require."
The bottom line, Rostolsky says, is: "Anytime you're dealing with an incident that could be a breach under state or federal law, it's really important that you're reacting quickly."
In the interview, he also discusses:
- The impact of the HIPAA Omnibus Rule on how breaches are analyzed for notification under federal law - and how breach determination guidelines may differ in the states;
- The differences between encryption requirements in the HIPAA Security Rule, versus regulations and proposed legislation in certain states;
- Tips for healthcare entities and business associates in sorting out their privacy and security policies and practices when dealing with patients and clients in multiple states.