Ann's Compliance Corner
Welcome back to Ann's Compliance Corner! (Dan Orenstein is now athenahealth's Deputy General Counsel, so Ann Chaglassian is the sole Chairperson of the Compliance Corner.) Here, you'll find updates on compliance issues you want to know about. This month, we discuss complying with Data Breach Disclosure Laws. Missed last month's column on our new Code of Conduct and tips on implementing your own Code? It is still available.
What do you need to know about compliance with Data Breach Disclosure Laws? Every practice stores some amount of information on computer systems. While this can increase efficiency and privacy, there is a dark side: the growing frequency of breaches of computerized data. In response to this mounting problem, many states have enacted laws that require businesses to notify individuals when the security of their personal information, stored in an unencrypted data system, has been compromised (the "State Disclosure Laws").
Even HIPAA doesn't preempt the State Disclosure Laws, because these laws are more privacy protective than the HIPAA privacy standards. In 2003, following several widely publicized data breach incidents, California enacted the California Security Breach Information Act (the "California Law"). The California Law served as a catalyst for other states to address the problem of identity theft. In 2005 alone, State Disclosure Laws were enacted in 22 states. During this time, 35 states considered (but did not ultimately approve) data breach notification legislation. To date in 2006, State Disclosure Laws have been enacted in 10 states, and legislation has been proposed in 28 states.
State Disclosure Laws vary from state to state. Because of these inconsistencies, businesses have called for a uniform federal data breach notification law. Although it is unclear whether and when such legislation will be enacted, a number of data breach notification bills were introduced in the House and Senate in 2005, with more expected in 2006.
Here's how you can effectively manage risk under the State Disclosure Laws. A good starting point is an audit of existing computer systems and electronic files to determine the nature and amount of personal information collected and maintained, and an audit of existing security measures. Among specific measures to consider are:
- Encrypting computerized data when feasible to take advantage of the encryption exceptions
- Limiting employee access to sensitive information to those who have a "need to know"
- Using computer applications which track data transfer and access to enhance the practice's security "perimeter"
- Monitoring vendors whose services involve the use or disclosure of personal information
Until a federal measure is approved, it's up to you to monitor your state's laws and develop effective response and notification strategies. Pay particular attention to your security incident response procedures, since failure to take the appropriate steps and to notify individuals when required could lead to liability under the State Disclosure Laws.
For more information, see our article in the Boston Bar Association's Health Law Reporter.
Disclaimer: The content of Compliance Corner is for general informational purposes only, and should not be interpreted as compliance guidance or advice. Consult your compliance advisor or attorney for compliance or legal advice on specific issues related to your practice or compliance program.
