Mega-Breaches: Notification Lessons

Attorney Warns Against Focusing Solely on HIPAA Compliance

By Marianne Kolbasuk McGee, March 5, 2015.

                                                                                               

When preparing their data breach notification strategies, healthcare organizations must guard against focusing solely on HIPAA compliance and neglecting to consider various state laws, says privacy and security attorney Brad Rostolsky.
"State laws are often not something that folks think about immediately ... but it should be right up there with HIPAA in terms of what we're thinking about," he says in an interview with Information Security Media Group.

For instance, less than a week after health insurer Anthem Inc. publicly disclosed on Feb. 4 that it had suffered a breach affecting millions of former and current health plan members in numerous states, 10 state attorneys general wrote a letter to the insurance company expressing "alarm" that Anthem hadn't yet communicated with those affected.

Under federal HIPAA regulations, the U.S. Department of Health and Human Services and victims must be notified about a breach affecting 500 or more individuals within 60 days of the discovery of the breach. But that breach notification timeline is much shorter in many states. And the definition of what constitutes a health data breach in some states also differs from what HIPAA says, Rostolsky explains.
"If you know you are only dealing with patients or individuals in two to five states, it's probably worthwhile to get a sense of what the obligations are under those states' laws," he says. "But it's the larger institutions and larger businesses that deal with folks across the country that have a bigger challenge. The last thing any client wants to hear is '50 state survey,' but generally speaking, it's not a bad idea to make sure the folks you're turning to for advice [about breaches] are aware of what all the states require."
The bottom line, Rostolksy says, is: "Anytime you're dealing with an incident that could be a breach under state or federal law, it's really important that you're reacting quickly."
In the interview, he also discusses:

• The impact of the HIPAA Omnibus Rule on how breaches are analyzed for notification under federal law - and how breach determination guidelines may differ in the states;
• The differences between encryption requirements in the HIPAA Security Rule, versus regulations and proposed legislation in certain states;
• Tips for healthcare entities and business associates in sorting out their privacy and security policies and practices when dealing with patients and clients in multiple states.

Rostolsky is a partner in the life sciences health industry group at the law firm Reed Smith's Philadelphia office. With a focus on healthcare regulatory and transactional law, he leads that group's HIPAA and health privacy and security practice. He's also a member of the firm's recently launched global Ebola task force. Rostolsky has extensive experience advising clients on all aspects of health information privacy and security compliance.

Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec