[ Wednesday, March 18, 2009 ]
Do the New Data Breach Rules Pre-Empt State Data Breach Laws?
(And if so, partially or completely?) Excellent question and answer from Edward Shay of Post & Schell: In an exchange on the AHLA's HIT listserv this morning, hipaacrat Shay had the following to say (HITECH is the HIPAA portion of ARRA):
"Yesterday on the HITECH Part I conference call, Dan Orenstein asked me if I thought that HITECH preempted state breach notification laws. I answered with great conviction that it did not and that I thought that was a missed opportunity. Later yesterday, Vadim Schick, one of the bright tech lawyers at Post & Schell, politely pointed out to me that section 13421(a) seemed to do just what I told Dan that HITECH did not do; that is, preempt breach notification laws.
"So, for the record, I spoke in haste and all are directed to 13421(a) and the Conference Report for further consideration. Having read, and re-read 13421, I am now revising my view to say that I simply don’t know. Here’s why.
"Section 13421 appears to carry forward to the provisions of subtitle D of HITECH the preemption methodologies of section 1178 “in the same manner” as it applies to:
"A provision or requirement under part C of title IX, or
"A standard or implementation specification adopted under 1172 through 1174.
"For those who remember the fun of 1178, you will recall that it provides two methods of preemption. The first applies to “contrary state laws” subject to certain exceptions. The “contrary state law” methodology applies only to sections 1172 through 1174 and standards thereunder, including the Security Rule. The second method is the more convoluted floor preemption methodology of section 264(c)(2) that saves more stringent state privacy laws. Section 13421(a) of HITECH would seem to keep both methods of preemption in place and simply carry them forward respectively to security and privacy under HITECH.
"Here’s the sticking spot. Part C of title XI had nothing on breach notification and neither did subsequent security or privacy regulations. I could not tell you if “breach notification” is a security provision (e.g., encryption strength) that would preempt contrary state laws or a privacy standard (e.g., duty to mitigate unauthorized disclosure through notification) that would preempt only more stringent state laws (e.g., allowing states to require notice within 10 days versus HITECH “without unreasonable delay”).
"Having set the record straight, I invite all to listen to HITECH II when better minds than mine will doubtless resolve this question."
As we wait for regulations, the safe bet is to ensure your healthcare business complies with the data breach notification provisions in ARRA as well as any data breach notification provisions in your state law.
Jeff [11:37 AM]