Virginia Is For Lovers (Of Data Privacy)

Editor’s Note: This is part of a shared blog series between Trifecta General Counsel and Moxe, chronicling the journey to research and understand the interactions between state-based privacy laws and HIPAA. See the first in the series here.

Trifecta General Counsel provides next-gen legal services for tech-focused companies, with customer service at the center. Moxe facilitates bidirectional sharing of medical records between health plans and health systems, enabling faster claims data and more comprehensive population health insights.


We’re diving into state #2 in our comparison of state-based data privacy laws and HIPAA. As a refresher, HIPAA applies at the federal level to the following events in the life cycle of protected health information:

  • Use of PHI (data privacy – who is accessing PHI)
  • Protection of PHI (data security – how PHI is safeguarded)
  • Planning for the loss of PHI (breach notification – how an uh-oh moment is communicated)

So, what do the Virginia laws say?

VA Data Privacy

Virginia law specifically defines allowed uses and disclosures of health care information by health care entities. A “health care entity” includes providers, payers, and business associates. These allowed uses and disclosures include those made in connection with health care operations, treatment, or payment.

The Virginia data privacy laws are similar to those of Ohio, in that operations, treatment, and payment activities are included in the allowed uses and disclosures language. Ohio does specify that, if the disclosure is to a Health Information Exchange (HIE), the patient has more rights to limit the information than with other health care entities.

VA Data Security

Virginia doesn’t have state laws that specify data security requirements for personal health information or any other personal information. As with Ohio, the HIPAA Security Rule applies to PHI collected from state residents.

VA Breach Notification

In the event of a breach of personal information (such as PHI governed under HIPAA) that includes residents of Virginia, you are required to:

  • Notify the VA resident(s) with lost information in writing to the last known address or by phone
    • A substitute notice by email, posting on a website, and notice to statewide media is allowed if the breach is widespread or sufficient information isn’t available for direct notices
  • Notify the Attorney General’s office
    • Notices must occur without unreasonable delay and must include:
      • A description of the incident, the type(s) of information lost
      • Steps the individual may take to prevent further unauthorized access
      • A contact phone number
      • A reminder to the individual to watch accounting statements and credit reports with vigilance

Unlike Ohio’s notification law, Virginia does not require notification of credit bureaus.

If a breach of health care information occurs at an entity not defined as a Covered Entity or a Business Associate under HIPAA, Virginia law details other breach notification steps.

At both Trifecta and Moxe, we are passionate about data privacy. Even if HIPAA isn’t in your daily vocabulary, it can be a great excuse to learn more about laws designed to protect your PHI. Let us know if you have questions about HIPAA and stay tuned for our next state-based analysis of data privacy, security, and breach management!

Tripp Stroud