[ Wednesday, May 11, 2005 ]
State Law Issues:
Always, always keep in mind that the USA is a federal beast: complying with HIPAA is required, but it's not necessarily the last word. State and potentially local laws, rules, ordinances, statutes, regulations, or even customs (which may carry the force of law under the "common law" standards of some torts) must also be identified and met. In particular, note that Washington has recently joined California, Indiana, Arkansas, Montana and North Dakota in actually passing a law requiring any entity that holds personal information to notify affected individuals if that information is stolen or its security is breached. Many other states are considering similar laws.
HIPAA does have a preemption clause, but it is not a complete preemption clause (preemption means that the rules passed by the federal government supersede and supplant any laws passed by states or local governments, so that there's a single set of "rules of the road" for that issue; ERISA is the classic example). Instead, HIPAA preempts a contrary state law only if the state law is less stringent than HIPAA; a state law that is more protective of the individual survives. HIPAA itself does not require covered entities to notify individuals when their PHI is improperly disclosed, although in many cases notification will be the proper course, since the Privacy Rule does require you to mitigate, to the extent practicable, the harmful effects of a known improper disclosure. But if you are in a state that has an independent requirement to notify individuals when there's a breach of privacy or security, make sure you comply with that law as well, because it will not be preempted by HIPAA.
Jeff [12:41 PM]