Mintz Levin has updated the Mintz Matrix, a comprehensive summary of the data breach notification laws that now exist in all 50 states (South Dakota and Alabama, the last two holdouts, have enacted their own laws). It is critical that HIPAA-regulated entities monitor these state laws because they apply alongside, and often conflict with, HIPAA. In the event of a data breach, regulated entities must fulfill both HIPAA's breach notification requirements and the requirements of each applicable state law. Large-scale data breaches affecting individuals in multiple states require rapid analysis of multiple state laws along with the HIPAA requirements.

But don't wait for a crisis to review the Matrix. HIPAA covered entities and business associates should use it to familiarize themselves with the breach notification requirements of the states in which they do business, and to inform their incident response planning. The Matrix is also useful for monitoring patterns and trends among state laws in this area. For example, state data breach notification laws have historically been triggered by the loss of information that could be used for identity theft, such as a name coupled with a Social Security, debit card or credit card number. However, many states now require breach notification when health care information is used or disclosed without authorization, even if it is not associated with a Social Security number and even if HIPAA does not apply.

You can learn more about the Matrix and download a copy on our Privacy and Security Matters blog.
Dianne J. Bourque advises health care clients on licensure, regulatory, contractual, risk management, and patient care matters for Mintz. Dianne counsels researchers and research sponsors on FDA and OHRP regulations. She also counsels clients on data privacy issues, including HIPAA standards.