The legislature in Washington State recently passed a bill decreasing the amount of time providers have to notify victims and the state attorney general about health information breaches to just 30 days after the breach—half the time required by HIPAA regulations. The legislation also broadened what is considered breached information, and organizations are now required to tell people in the notification letter what information was involved in the breach.
Washington is not the first state to tighten its breach reporting requirements. In fact, a host of state legislatures, often via consumer protection laws, are redefining what is considered a breach and how providers will need to handle reporting.
“I see it as a trend; everyone is trying to keep up with each other,” said Chris Apgar, president and CEO of Apgar & Associates, based in Portland, Oregon. “California started it and other states copied it and now everyone is trying to be different.”
Unfortunately for health care providers, state regulations can vary substantially from state to state, and they can change annually as new laws pass with each legislative session. This requires health care providers to create an incident response plan that complies not only with HIPAA regulations, but also with the laws of the state in which they practice and sometimes those of surrounding states as well.
Minding the gaps
There are a few spaces in health care where HIPAA does not necessarily reach, said Dianne Bourque, a partner at Boston’s Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, PC. One is prescription drug plans that sometimes help patients get access to cost-effective medications. These plans are similar to insurance coverage, but do not fall under HIPAA.
Providers who do not bill a third-party payer also do not have to comply with HIPAA. Some businesses have on-site health clinics that are paid a flat rate to treat patients, and these may fall outside of HIPAA boundaries as well.
Finally, some apps and devices that upload personal health information and link to things like personal health records likely do not fall under HIPAA.
“States have figured out that there are gaps in HIPAA applicability,” Bourque said. “Every day we see scenarios where organizations have enormous amounts of health information and consumers think they are protected because the organizations comply with HIPAA. But there are circumstances where HIPAA doesn’t apply, and it can result in consumer exposure, and [states] are trying to fill those gaps.”
But even if state legislation is attempting to cover non-healthcare providers, the legislation will naturally impact physicians and hospitals as well.
What to know
Most of the state laws tend to cover a handful of breach aspects. They typically are tougher than HIPAA. For instance, in Washington, legislation broadens identifiers included for a breach to things like a student ID, passport, biometrics, and electronic signatures.
Other state changes include shorter breach reporting periods, a reduction in the number of victims needed to report a breach, and a requirement that organizations offer credit reporting to breach victims. Regulations differ slightly from state to state. “State law is all over the place,” Bourque said.
Another caveat to state laws is that they apply based on where patients live, not where the provider is located. So any provider who treats patients from a different state has to understand the laws there as well.
“You have to do a state analysis in parallel with a HIPAA analysis if you have a breach,” Bourque said. “And what often happens in a large-scale breach is that HIPAA and state law may conflict in terms of notification. And you don’t want to send multiple notification letters for one breach.”
In some states, though, compliance will be simple. Some have safe harbor laws, meaning if a provider is covered under HIPAA, compliance with the federal law satisfies any state requirements. If providers in those states are not covered under HIPAA, state law kicks in.
In reality, no provider is going to be tracking state information security legislation. But Apgar said someone in a practice should have an idea of the regulations. State medical and specialty associations often have people specifically hired to lobby or track legislation. The National Council of State Legislators has a compilation of state breach notification laws as do some law firms like Bourque’s.
Tracking state laws is something a small provider can do in-house, Bourque said. State law requirements need to be made part of each organization's incident response plan. A provider or office manager does not have to know how to do everything after a breach, but they should know whom to call who does, and make sure everyone in the office is given that information.
“If everyone flips on their computers and they are locked up because of malware or a laptop gets left on a bus and travels away, people should know what to do,” she said.
An organization does not want to spend time in the midst of a breach trying to figure out what the different state and federal obligations are. The clock for mitigating a breach and reporting it starts as soon as a group knows one has occurred. Waiting until then to figure out what to do will only “waste staggering amounts of time,” Bourque said.
Health care providers who know whom to call for forensic, legal or IT help will go a long way toward speeding up the response and ensuring timely reporting. “They should just think in advance about things that might otherwise trip them up,” she said. “More often than I care to think about, I’ve been involved in incidents where the first time IT security folks are meeting with the business folks is over the table after a breach.”