Incident Response 101: Where Notification Requirements May Differ from HIPAA

Where State Law May Differ from HIPAA

In our recent series of articles answering the key questions about what notification steps HIPAA-regulated organizations must take after a security breach, we have looked at:

To wrap up this topic, we will take a very quick overview of some caveats to consider regarding “where.” It is important to understand that where your company and your patients are located may affect how you are required to report a data breach.

Disclaimer: we are not a law firm and we do not provide legal advice. The nuances of regulatory language, and of each organization’s unique considerations depending on the type and severity of a potential breach, can be extremely complex. Weighing State privacy regulations alongside HIPAA adds to that complexity, and decisions should only be made with the assistance of legal counsel familiar with the regulations within your state.

Notification of Breach Under HIPAA and State Regulations

State legislatures in all but three states have enacted their own privacy statutes with varying requirements for breach notification. In general, where state law contradicts HIPAA, the Federal regulation prevails. However, where the State’s requirements are more stringent or detailed than HIPAA, state law provides the standard. This is a very general rule of thumb; legal advice specific to each organization’s unique situation is necessary to formulate a solid compliance strategy.

Notification of Breach Requirements in Florida

If you do an online search for “state privacy statutes chart” you will find information published by law firms that attempts to simply outline the differences between State and Federal regulations. These differences, however, are not simple or straightforward, and they do require expert legal advice to understand, depending on the state(s) in which your company operates.

Florida Statute 501.171 spells out the state’s expectations for the security of confidential personal information. In Florida, for example:

  • Third-party recipients of data (vendors and Business Associates) are required to notify the covered entity they are working with of a breach within ten days of the determination of the breach.
  • Written notice needs to be provided to Florida residents within 30 days of the determination of the breach.
  • The Florida Department of Legal Affairs must also be notified within 30 days if more than 500 individuals were affected.
  • If the breach involves more than 1,000 Florida residents, notification must also be made to consumer reporting agencies.
  • Florida statutes do provide “safe harbor” (encryption) and “good faith” exemptions for access to protected personal information.

Notification of Breach Across State Lines

Understanding the differences between, and the applicability of, State and Federal regulations can be tricky and, as stated, requires expert legal counsel. When your business or healthcare organization operates across state lines, the implications for your breach response and notification strategy are compounded. From state to state, requirements can differ significantly in key provisions such as:

  • Contents of notification letters to affected individuals – some states may require that individuals be informed of the cause of the breach and the remediation steps being taken, while another state may actually forbid some of that information from being included in the notification.
  • Triggers for notification – the exposure and/or loss of certain types of information determines whether notification to individuals and regulators is required; states may define and prioritize such information and circumstances very differently.
  • Time limits for notification – this is where varying regulations may be most problematic. If your organization primarily functions in a state that allows more time before notification must be made, but also operates in a state with more stringent requirements, you should treat the more stringent requirement as preeminent in your strategy. The same holds true for HIPAA versus state regulations – if the state requires faster notification (as in Florida), that more aggressive requirement is the one you should be most concerned with.

These and other nuances in State and Federal statutes make breach notification complex and potentially fraught with challenges. As stated multiple times, you should not try to work out all the requirements your organization may be liable to meet without legal advice. We work hand in hand with many different organizations to plan for, and sometimes deal with, data breaches from the technical side, and we are very comfortable with the requirements of HIPAA – to a point. That point is the legal one. Attempting to answer the fundamental questions of HIPAA breach notification, as we have in this series of articles, sometimes only leads to further questions. If your organization needs more help or specific direction regarding these issues, our experts would be happy to assist, to help you find and work with legal counsel as necessary, or to work with your existing in-house legal counsel to make sure all the critical pieces of the puzzle come together correctly.