Q&A: PHI breaches involving out-of-state patients
Q: We’ve had a breach of unsecured PHI regarding an out-of-state patient. What is your recommended first step in terms of which breach notification laws—state vs. federal—we need to comply with?
A: You are governed by the laws of the state you are licensed to practice in. That means you are paying attention to your state laws and not the laws of the state where the out-of-state patient resides. As far as which laws to pay attention to—federal or state—you need to pay attention to both. If your state law is more stringent than HIPAA, you need to adhere to the requirements of the state in which you are licensed to practice. As an example, if your state requires notification within 45 days, you need to follow the notification requirements of your state.
A number of states defer to HIPAA. If you are regulated by HIPAA, you are required to adhere to the HIPAA Breach Notification Rule and not your state breach law. The exception, as noted above, would be the notification time frame. It’s a good idea to check your state law to find out if, in addition to notifying OCR, you need to notify your state attorney general’s office.
If you are with a business associate (BA), you need to pay attention to state law because you may be required to notify individuals and your state attorney general’s office in addition to notifying your covered entity (CE) customer. It’s a good idea to talk to your CE customers to make sure any notifications are coordinated.
Editor’s note: Apgar is president of Apgar & Associates LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.