
Fall 2022

HIPAA Challenges: State AGs Crack Down on Data Privacy
For The Record
Vol. 34 No. 4 P. 28

Is It Time to Think Beyond HIPAA?

State attorneys general have been increasingly ramping up investigations and cracking down on data breaches at health care organizations.

Although hospitals and health systems are well-versed in reporting data breaches to the Office for Civil Rights (OCR) under HIPAA, the privacy scope of state attorneys general is broader. HIPAA covers protected health information held by covered entities and their business associates; state attorneys general can also pursue data breaches involving any personally identifiable information (PII), whether or not it is health related.

The Department of Homeland Security defines PII as “any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual.” It can include data such as names, addresses, Social Security numbers, e-mail addresses, and credit card numbers, and, on occasion, even biometric data, all of which health care organizations collect daily from patients.

State attorneys general are the top legal officers in each state. They counsel state government agencies and legislatures and represent the public interest. They also intervene in legal proceedings on behalf of the public and conduct litigation and appeals on behalf of the state or territory. Their authority and scope vary by state, so it’s important for health care organizations to understand the laws and rules in the state, states, or territories in which they operate.

Data Privacy Protection Takes Center Stage
While the European Union has a tough data privacy law, the General Data Protection Regulation (GDPR), the United States has no comparable law at the federal level. As a result, many states have taken it upon themselves to enact data privacy laws that draw from rules like the GDPR.

In 2021, 23 states introduced some form of comprehensive data privacy legislation, and two, Colorado and Virginia, enacted theirs. In 2022, Utah and Connecticut followed suit. California enacted its data privacy law in 2018 and amended and expanded it in 2020.

Each state’s law has different requirements, with some stricter than others. For instance:

• Under the California Consumer Privacy Act, personal information can include everything from a person’s name, Social Security number, and e-mail address to their internet browsing history and fingerprints. The law applies to businesses that “buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices,” but not to nonprofits or government agencies. It also exempts protected health information, which is already covered by HIPAA.

• The Colorado Privacy Act exempts protected health information but does not exempt nonprofits.

• Covered entities that are already subject to HIPAA and the HITECH Act are exempt from the Virginia Consumer Data Protection Act.

• Connecticut’s law, most of which goes into effect July 1, 2023, doesn’t have a minimum revenue threshold for it to apply to an organization and excludes any deidentified data or publicly available information.

• The Utah Consumer Privacy Act, which goes into effect December 31, 2023, is narrower in scope than other similar laws and doesn’t apply to entities with annual revenues of less than $25 million.

Health care organizations that operate in multiple states should use the strictest state’s reporting requirements, above all its deadline, as the baseline for every facility regardless of location, while still meeting each state’s own rules on who must be notified and what the notice must contain.

The Who and What of Ramping Up
Privacy officers and HIM leaders need to know what information must be reported to their specific state attorney general, as well as the timeline requirements for doing so. For example, Connecticut requires reporting no later than 60 days after the discovery of a breach.

Although privacy officers and HIM employees are the primary people within an organization who need to be aware of state privacy laws governing PII, other departments that handle PII, such as addresses and credit card information, should also be in the loop. These include patient financial services, revenue cycle, and security officers. Health care organizations should also account for PII shared with third-party vendors and others acting on the organization’s behalf, because a breach of that data at a vendor can trigger the organization’s own reporting obligations.

In addition to reporting PII breaches to the state attorney general, privacy, security, and HIM leaders should report within their own organizations, including to the compliance officer and the board of directors.

In fact, many liability and cyberinsurance policies require the organization to make consistent reports to its board of directors or other governing authority. If it does not, its coverage may be paid only in part or may be void altogether.

An Ever-Shifting Landscape
State differences in PII reporting could prove tricky moving forward as new and possibly ambiguous scenarios arise.

For example, the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization that overturned Roe v. Wade raises questions about law enforcement requesting patient information such as “data collected by period-tracking apps, patients’ self-reported symptoms, or diagnostic-testing results” from health care providers in states that have prohibited abortion and whether those requests would violate a patient’s privacy, according to a paper by the international law firm McDermott Will & Emery.

Considerations like these should be front and center for privacy officers and HIM professionals. It will be imperative to keep up with new laws and developments, understand how and when they apply, and take appropriate reporting steps to stay compliant.

— Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, is the vice president of privacy, compliance, and HIM policy for MRO Corporation.