A trend to watch: Last year, two states made significant changes to laws related to personally identifiable information and protected health information.
In 2018, Colorado and California made significant changes to their state laws related to personally identifiable information and protected health information.
Effective Sept. 1, 2018, Colorado House Bill 18-1128 changed the procedures that Colorado businesses must follow. Although the changes to the law are extensive, HIPAA-regulated entities (e.g., covered entities, business associates, and subcontractors) are exempt from several of the changes, with the following caveats and exceptions.
First, the deemed compliance provision should be viewed as the general rule. Specifically, HIPAA-regulated entities that are in compliance with HIPAA’s rules and regulations are also deemed to be in compliance with the Colorado law.
Second, two exceptions to this general rule became effective:
HIPAA also requires that notice be given to the Secretary of the United States Department of Health and Human Services. Hence, physicians should be conscious of the parallel requirements under both Colorado law and HIPAA.
Effective Jan. 1, 2020, the California Consumer Privacy Act of 2018, enacted as Assembly Bill 375 (AB-375), grants consumers the right to request that a business disclose the categories and specific pieces of personal information it collects about them. AB-375 requires businesses that meet the following criteria to comply with the law:
Most California physician practices probably do not meet these thresholds; however, it is worth noting that under HIPAA patients already have the right to request an accounting of the disclosures of their protected health information.
In terms of breach notification, California Civil Code § 1798.29(a) (state agencies) and California Civil Code § 1798.82(a) (persons and businesses) require a business or a state agency to notify a California resident of a breach of unencrypted personal information that was acquired, or is reasonably believed to have been acquired, by an unauthorized person.
By keeping a pulse on changes in regulations and technology, physicians and their business associates can have reasonable assurance that the technical, administrative, and physical safeguards they attest to in their business associate agreements remain accurate. Physicians who stay current can mitigate their risks of breaches, harm to patients, and legal liability.
Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.