by Harry Rhodes, MBA, RHIA, CHPS, CPHIMS, FHIMA
Forty-four states, the District of Columbia, Puerto Rico, and the Virgin Islands enacted data breach notification and reporting laws well before the Health Information Technology for Economic and Clinical Health (HITECH) Act of the American Recovery and Reinvestment Act (ARRA) set the first federal data breach notification standards in February 2009. In August the Department of Health and Human Services released regulations supporting the provisions specified in two ARRA sections: 13400(1)(A), “Definition of Breach,” and 13402, “Notification in the Case of Breach.”
The regulations become effective September 23, 2009. They are interim final rules; Health and Human Services may choose to revise them after it receives comments during two periods, the latter ending October 23.
Healthcare entities in each state or territory with existing state provisions will need to compare state law to the new federal law. Like HIPAA, preemption applies to the notification laws.
AHIMA offers the following environmental scan of the state-level security breach notification laws. The common key elements found in all of the laws included:
- Definition of personal information
- Identification of individuals and/or agencies to be notified
- Triggers for reporting and providing consumer notice of security breach
- Process for breach notification
Defining the Personal Information to Be Protected
The majority of state security breach notification statutes adhere to a commonly shared definition of protected personal information, with only slight variation across all state laws. The common elements of the personal information definition generally include the individual’s first name or first initial and last name in combination with one of the following: a Social Security number; a driver’s license or state ID number; or an account number combined with a security code, access code, or password that would permit access to an individual’s financial account.
The majority of these laws have been in effect for a number of years. However, states have begun to refine and expand upon these definitions due to changing technology, business practices, and experience and increased awareness. Recently Arkansas and California added definitions of individually identifiable health information and health insurance information to their existing personal information definitions within their breach notification statutes. In addition the proposed 2008 Kentucky data breach notification law included a definition for medical data.
Beyond individually identifiable health information, health insurance information, and personal information, states have also begun to include biometric and genetic information in their personal information definitions. Currently, only three states include biometric information in their definition of personal information. Nebraska’s and Iowa’s definitions of personal information define biometric data to include fingerprints, voice prints, and iris, retina, and facial recognition. Wisconsin expands upon Nebraska’s and Iowa’s biometric data definitions by including an individual’s unique deoxyribonucleic acid (DNA) profile.
Adding biometric and genetic information to the category of protected personal information presents a new challenge to the information technology system administrators. Compromised access codes, passwords, and PINs would seem to be more readily changed following a breach than fingerprint and iris scans. The best security practice in these cases would be to protect biometric and genetic information from unauthorized access.
Considering the history of emerging breach notification laws, additional states will take steps to expand their current personal information definitions to include individually identifiable health information, health insurance information, and biometric and genetic information.
Establishing Breach Notification Triggers
The environmental scan of the state security breach notification laws revealed two commonly used, unique mandatory breach notification triggers:
- Acquisition-based triggers
- Risk-based triggers
Acquisition-based triggers mandate the notification of affected individuals whenever the database custodian reasonably believes that defined personal information or data has been inappropriately accessed by an unauthorized entity. It is interesting to note that most state breach notification laws do not require the production of forensic evidence to confirm that than an unauthorized individual actually acquired protected data.
The other widely implemented mandatory notification trigger is referred to as a risk-based trigger. Risk-based triggers require the performance of a formal risk assessment, which will become the basis of a risk determination. The resulting risk determination metric is then used to assess the extent of individual harm that has or might result from the data breach. Breach notification is only mandated where potential harm to the individual exists.
Obtaining Consensus on Standard Notification Processes
A review of the state breach notification laws reveals a stark variation in the established breach notification threshold triggers for determining the appropriate method of notice. ARRA and the majority of state laws mandate that the initial notification must be by written notification by first-class mail to the individual (or the next of kin of the individual if the individual is deceased) at the last known address of the individual or the next of kin, respectively, or, if specified as a preference by the individual, by electronic mail. The notification may be provided in one or more mailings as information is available.
A significant number of state breach notification laws allow for telephone notification. Michigan law only allows the entity providing the notification three days to contact the affected individual before implementing and alternative notification method. Vermont law bars the use of telephonic contact through a prerecorded message. One state law would only allow for telephone notification provided the contact is made directly with the affected persons.
The threshold at which alternative means of contacting the individual must be employed varies greatly across the various security breach notification laws. Various disparate triggers mandated which include monetary expense, population size, and difficult experienced successfully contacting affected individuals.
State laws employ monetary expense and/or affected population metrics that are out of alignment with the ARRA recommended trigger thresholds. An attempt to sort state breach notification laws by mandated notification method trigger thresholds identified 35 state breach notification laws/regulations that mandated specific notification models based on clearly defined reporting thresholds ranging between notification costs exceeding $5,000 and affected populations exceeding 1,000 residents and notification costs exceeding $250,000 and affected populations exceeding 500,000 residents. Seventeen states set alternative breach notification threshold levels based on whether notification costs exceeding $250,000 or affected populations exceeding 500,000 residents.
The ARRA legislation section 13402 (e)(1)(B) mandates that in carrying out the breach notification should the covered entity and/or business associate discover that they are unable to reach 10 or more individuals, the entity must provide notice via an alternative media and recommends two alternative forms. home page of its Web site and notice in major print or broadcast media.
Hawaii and Indiana include directives that mandate conspicuous posting of the notice on government agency Web sites. Idaho and Iowa acknowledge the fact that the entity attempting to provide a breach notification may not maintain a public Web site. Michigan law allows public utilities that send monthly billing or account statements to the postal address of its customers to provide notice of a security breach within the mailing. Wyoming law allows for the establishment of a toll free telephone number.
If the current variation between state and federal breach notification methods and reporting thresholds is not harmonized the conflict and confusion between which of the various notification models to comply with will present an administrative challenge to covered entities, business associates, and consumers.
Timeliness of Notification
A review of state breach notification laws/regulations of 32 states did not reveal a requirement of a mandated specific time period for breach notification; instead these states chose to use the less stringent wording; “in the most expeditious time/manner possible without unreasonable delay.”
Only three breach notification laws were found to mandate specific time periods for individual breach notification. California Health and Safety Code section 1280.15 that required that individuals affected by the breach receive notification within 5 days following discovery. Florida State Ann. 817.5681 et seq. requires that notification must be made no later than 45 days following determination of the breach. Puerto Rico mandates the compromised business entity notify the Department of Consumer Affairs within a nonextendable term of 10 days after the violation of the system's security has been detected. The Department of Consumer Affairs shall make a public announcement of the fact within twenty-four (24) hours after having received the information.
The HHS regulation mandates the creation a mechanism to notify the HHS secretary of unsecured PHI breach involving 500 or more individuals immediately and unsecured breach involving less than 500 individuals annually. The legislation further requires that all breach notifications shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach.
The lack of clearly defined reporting periods will result in administrative confusion, delayed response, inconsistent compliance, and consumer distrust of data stewards. The establishment of reporting periods that are consistent and clearly defined will ensure consumer confidence as well as securing privacy, confidentiality, and property.
Reporting Security Breaches to Proper Authorities
The majority of existing state breach notification laws mandate notification of the state attorney general’s office. In response to a reported security breach the state attorney general is required to post a list of breach notifications issued to a central Internet site, bring legal action, and collect fines. State breach notification laws also allow the state attorney general from a neighboring state to bring legal action on behalf of their affected state residents.
Recent additions to California law expand on enforcement requirements allowing government authorities at multiple levels to enforce state health privacy rules. The state attorney general, a city attorney, county counsel, or district attorney may bring a civil action to enforce the California Confidentiality of Medical Information Act (CMIA).
Only a handful of states require reporting a data security breach to the state police or specified government agency. As noted, the HHS regulation requires that the entity notify the HHS secretary of a breach involving 500 or more individuals immediately and unsecured breach involving less than 500 individuals annually.
The establishment of uniform and standardized reporting requirements and designated enforcement authorities would result in reduced confusion and improved efficiency.
In spite of the many similarities between the state and federal laws, there is enough difference between them that healthcare entities seeking to comply will face frustrating and confusing situations. The interplay of requirements and definitions between state and federal security breach notification laws creates a complex environment where what is required is not always clear.
State and federal consensus on a single uniform data breach notification requirement supported by standardized definitions would raise the security and privacy bar by reducing the public’s uncertain compliance with the noble intent of the law. The initial response to the call to action has resulted in a milieu of contradictory state and federal laws. The differences between state and federal law results in conflicting and wasteful business practice variations based on different interpretations and applications of the requirements.
Although the present reality does provide the individuals with greater data security protections; the privacy and security of personal health information would benefit from harmonized federal and state solutions.
Heitzenrater, Julie, A. “Data Breach Notification Legislation: Recent Developments.” I/S: A Journal of Law and Privacy for the Information Society 4, no. 3 (Winter 2008–2009): 661.
National Conference of State Legislators. “State Security Breach Notification Laws.” Available online at www.ncsl.org/programs/lis/cip/priv/breachlaws.htm.
Harry Rhodes (firstname.lastname@example.org) is director of practice leadership at AHIMA.