News

Possible Health Information Trend in State Data Protection Statutes

20 August 2009
Image
Image

With the compliance date for the federal health data breach notifications in the HITECH Act looming, more states are amending their data breach notification statutes to cover health information. The possible trend is evident in the newly-enacted laws of three states – Missouri, New Hampshire and Texas – all of which have been enacted since June 2009.

  • Missouri – Within the key definition of “Personal Information,” Missouri’s new data breach notification law includes both “medical information” and “health insurance information,” which if disclosed in combination with an individual’s name, may trigger notification rights. 

  • New Hampshire– In a separate provision from its general data breach notification law, disclosure of HIPAA protected health information by health care providers and business associates may trigger notice requirements even if the disclosure is permitted under federal law or does not create a risk of harm.

  • TexasExpanding its existing data breach notification statute, Texas specifically amended the definition of “sensitive personal information” to include types of health information not previously covered.

These states join California, Arkansas and Puerto Rico as the only jurisdictions to protect health data under their data breach notification statutes. Still, compliance with these statutes may be costly and burdensome.  Businesses must carefully monitor access, acquisition and disclosure of health and medical information in addition to other types of sensitive information – social security number numbers, financial account numbers, etc. – routinely protected under these statutes. Definitions of health and medical information vary, but can be quite broad to cover, among other things, information relating to:

physical or mental health or conditions and medical histories; 

  •  provision of health care;

  •  treatment and diagnosis; 

  •  payments for health care; and 

  •  insurance policy numbers and subscriber IDs.

Although the interaction of these state laws with the federal data breach notification regulations under the HITECH Act is unsettled, state laws must continue to be monitored and analyzed closely, especially if the number of states protecting health information continues to grow and their notification obligations are consistent with, but extend beyond, the federal requirements.

 

Authored by Scott Loughlin

Contacts

bio-image

Scott T. Loughlin

Partner

location Washington, D.C.

View more

Additional Resources

Related topics

Related countries

Load more

Related keywords

Load more

Articles you may be interested in

image_1
News

The Data Chronicles | The future of health privacy policy in the U.S.

24 April 2025
image_1
News

The Data Chronicles | Data protection in the Asia Pacific region | Trends, enforcement, and what’s ahead

17 April 2025
image_1
News

NIST finalizes cybersecurity incident response framework profile aligned with CSF 2.0

14 April 2025
image_1
News

The Data Chronicles | AI issue spotting | AI's growing impact on U.S. antitrust regulation

10 April 2025
image_1
News

The Data Chronicles | AI issue spotting | AI agents' data privacy and governance considerations

03 April 2025
image_1
News

The Data Chronicles | Unlocking the EU Data Act | What it means for connected products and related services

27 March 2025
image_1
News

The Data Chronicles | Unlocking the EU Data Act | Impact on cloud providers and cloud users

20 March 2025
image_1
News

The Data Chronicles | Unlocking the EU Data Act | What you need to know

13 March 2025
image_1
News

The Data Chronicles | The AI dilemma | Balancing GDPR and innovation in the EU

06 March 2025
left_arrow
right_arrow

Search

arrow
arrow

Register now to receive personalized content and more!

 

Register
close
See benefits
Register