[ Thursday, March 29, 2007 ]
A quilt of laws:
You're probably aware that California started a craze that has caught on in many other states: a law requiring businesses that use personal information (usually in computer format) to notify customers and others if that data is stolen or if the computer system's security is breached. What's interesting (and somewhat different from HIPAA) is that each state's law is slightly different from the rest, so a particular event in one state may require notice while the same event in another state would not, or the notice must be presented one way under one state's law and a different way under another's. Of course, as the Oklahoma case I discussed yesterday highlights, HIPAA's preemption of state laws is only partial, so HIPAA-covered entities must still comply with state laws that are more stringent than HIPAA. But with regard to these security breach notification laws, there isn't even a national standard.
If you deal with personal information (which may well include information that wouldn't be considered PHI in all instances) in your business, you need to know the laws that apply to you. Here's a good article with some resources to start you out.
Jeff [10:46 AM]