Virginia has passed new legislation regarding the sending of notification letters when medical information is breached. It's very similar to the notification laws regarding the breach of personal information, including the safe harbor provision if data encryption like AlertBoot is used to protect the data.
The new medical data breach law goes into effect on January 1, 2011. For my previous post on Virginia's personal information breach notification law, see here.
Except for a small number of changes, both the medical and personal information breach laws read the same.
For example, in both cases, the notification letter needs to include a description of the incident; what type of information was breached; how an entity will further prevent future similar occurrences; and provide a phone number for more information/assistance.
Likewise, rules governing when a substitute notice can be used or when to contact the Attorney General immediately remain the same (when more than 1,000 people are affected in one incident).
Plus, just like for the personal information breach notification law, the AG can impose fines of up to $150,000 for any breaches that go unreported.
In fact, it's easier to point out what's different: the new law is not relevant for entities that fall under HIPAA or HITECH (subsection F). Also, the law focuses on the definition for "medical information," which is not surprising.
Here's a direct quote:
"Medical information" means the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of the Commonwealth, when the data elements are neither encrypted nor redacted:
1. Any information regarding an individual's medical or mental health history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or
2. An individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records.
Perhaps one critical aspect of Virginia's medical data breach law is that this new legislation does not seem to cover breaches effected via paper: while stories of medical documents abandoned on street corners, dark alleys, and vacant houses abound, the breach law applies to "unauthorized access and acquisition of unencrypted and unredacted computerized data." On the other hand, I can't discount the possibility that it's covered somewhere else.
However, I get the feeling that this latest legislation was meant to shore up any deficiencies under HITECH and HIPAA, more than anything else: these, too, were criticized for focusing on computerized data only, at the expense of "paper breaches."
While it's important to ensure that computerized data breaches don't occur--and using encryption software is the least you can do in that effort--if one's serious about an overall secure environment, paper breaches shouldn't be discounted.
Related Articles and Sites:
http://leg6.state.va.us/cgi-bin/legp604.exe?101+ful+HB1039ER