50 Shades of Privacy: Understanding State-based Data Compliance

Editor’s Note: This is the first of a shared blog series between Trifecta General Counsel and Moxe, chronicling the journey to research and understand the interactions between state-based privacy laws and HIPAA. Trifecta General Counsel provides next-gen legal services for digital health teams. Moxe facilitates bidirectional sharing of medical records between health plans and health systems, enabling faster claims data and more comprehensive population health insights.

At Trifecta General Counsel, we’re used to hearing HIPAA (Health Insurance Portability and Accountability Act) thrown around. We read and write it in contracts, we discuss it as part of risk mitigation, and we consider it every time we work with our prospective clients or their prospective partners.

We recently talked with the team at Moxe about HIPAA in a way that’s not as common, to explore the question: how does each state deal with protected health information, and how do those laws interact with the federal HIPAA law? After some investigation, we realized that a trustworthy, up-to-date, comprehensive resource comparing HIPAA to the data privacy laws of each state was lacking. We also realized how valuable it would be to have this information available to both companies, as we both seek to improve data security and privacy for clients across the country.

We decided to collaborate on developing such a compendium. We also decided to use our experiences on this journey to help illustrate the complexities of HIPAA compliance, of state-based data privacy compliance, and best practices for both.

So… let’s make sure we’re all on the same page about HIPAA before we dig into how a state might differ.

What’s covered in HIPAA?

HIPAA covers protected health information (PHI) across a span of events:

  • Use of PHI

This is the Data Privacy piece of HIPAA – Who can access and use PHI?

There are special terms that apply in the interpretation of who can use and access PHI. A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically (a hospital system or insurance carrier, for example) and that creates, receives, maintains or transmits PHI. A business associate is an organization that performs a function or service on behalf of a covered entity and creates, receives, maintains or transmits PHI in doing so; a subcontractor that handles PHI for a business associate is itself a business associate. The ins and outs of the relationship are defined in a contract called a Business Associate Agreement (BAA).

The Privacy Rule defines which uses and disclosures of PHI are permitted, which require the individual’s written authorization, and which are prohibited. For example, the “minimum necessary” standard falls under Data Privacy, dictating that a consumer of PHI may only use, disclose or request the minimum amount of information necessary to perform a given function. The standard has a notable exception: it does not apply to disclosures to, or requests by, a health care provider for treatment.

  • Protection of PHI

This is the Data Security piece of HIPAA – Once PHI is in my possession, how do I safeguard it?

There are 18 standards in the Security Rule, split across administrative, physical and technical safeguards, each containing one or more implementation specifications that you are required to evaluate (and meet, where applicable) if you are exposed to PHI. Each implementation specification is either required or addressable. Addressable does not mean optional: you must assess whether the specification is reasonable and appropriate for your environment and then implement it, implement an equivalent alternative measure, or document why neither is needed.

  • The “Uh-oh” moment -  Planning for the loss of PHI

This is the Breach Notification piece of HIPAA – Whoops, we lost or failed to protect PHI in our custody… what’s next?

At the federal level, HIPAA sets a series of expectations for the notification process following a breach of unsecured PHI, including how quickly a business associate must notify the covered entity (without unreasonable delay, and no later than 60 calendar days after discovery) and the details of the breached information to share with the CE (e.g., the identities of the affected individuals). The covered entity in turn must notify the affected individuals within the same 60-day limit, notify HHS, and, if more than 500 residents of a state or jurisdiction are affected, notify prominent media outlets serving that area.

How long has HIPAA been around?

HIPAA was signed into law in 1996. The Department of Health and Human Services (HHS) later published the Privacy Rule (compliance required generally in 2003 and for small health plans in 2004) and the Security Rule (2005 / 2006). With the HITECH Act of 2009, HHS strengthened parts of HIPAA through the Breach Notification Rule.

The first state off the presses is… OHIO!

The first state we looked at to contrast with HIPAA was Ohio. We found the following ways that Ohio’s privacy and breach notification laws differ a little from HIPAA:

1. Ohio’s breach notification requirement applies to personal information generally, not just PHI.

2. In the event of a breach of personal information, you must notify the affected Ohio residents within 45 days of discovery (HIPAA allows up to 60 days).

3. If the breach involves more than 1,000 Ohio residents, you must also notify the major consumer reporting agencies (credit bureaus).

4. If the breach involves more than 500,000 Ohio residents, you may use substitute notice, which means posting a conspicuous breach notification on your website and notifying major media outlets whose combined audience covers at least 75% of the state’s population.

We also found overlap:

1. Ohio incorporated the HIPAA Privacy Rule into its state law, so the HIPAA requirements about proper access to and use of PHI apply fully in Ohio.

2. Ohio does not impose its own data security standard on PHI, so the HIPAA Security Rule governs the protection of PHI collected from Ohio residents.

At both Trifecta and Moxe, we are passionate about HIPAA. Even if HIPAA isn’t in your daily vocabulary, it can be a great excuse to learn more about the laws designed to protect your PHI. Let us know if you have questions about HIPAA, and stay tuned for our next state-based analysis of data privacy, security, and breach management!

Tripp Stroud