State Laws on PHI Require Careful Consideration
By Greg Freeman
Complying with HIPAA requirements on patient privacy may be difficult sometimes, but it is not enough. State laws also apply — and they may come with different requirements.
About a half-dozen states have enacted their own version of privacy and data security laws, and more states are working on them, says Sarah B. Crotts, JD, counsel with Parker Poe in Charlotte, NC.
“They define the type of information they protect differently, and their requirements vary. On top of that, you have the federal layers for information, HIPAA, and Part II for substance abuse and mental health type of records,” Crotts explains. “Some of the state laws will exclude at the entity level, so if an entity is a covered entity under HIPAA, and you’re already meeting HIPAA requirements, that’s good enough for us. Other states aren’t looking at it at an entity level. They’re looking at it at the data level, and not just PHI — including all the other types of information you have, ranging from just basic employee information to all the different information that gets gathered when people visit their website.”
Meet the Strictest Requirements
When state and federal requirements vary, the advice often is to find the strictest requirements and meet that standard. With PHI requirements, that does not work well. Entities often need different protocols for different buckets of information, Crotts says. Different protocols increase the chances of people making mistakes.
Compliance can be especially challenging for health systems operating in several states. “Covered entities that are doing the best with this are looking at proposed legislation in states they operate in and saying, ‘If this passes, what do we need to do to change?’” Crotts says. “They’re getting a little bit ahead of the ball, which gives them more time to get those changes put into place, train people, and be ready when laws do become effective.”
SOURCE
- Sarah B. Crotts, JD, Parker Poe, Charlotte, NC. Phone: (704) 335-9865.