Federal Health Insurance Portability and Accountability Act (HIPAA) requirements remain a top concern of covered entities that are grappling with breach notification issues, but several states are in the process of updating their data breach laws. Tennessee and Oregon are two states that recently enacted updates to ensure that their residents have greater protections. As cybersecurity threats and healthcare data breaches increase, more state officials are looking at their legislative and regulatory options.
Recent research suggests that less than half of states include healthcare data or medical information in their data breach notification standards. The HIPAA breach notification rule requires that covered entities and their business associates provide notification following a breach of unsecured protected healthcare information (PHI). Healthcare organizations are required under HIPAA to notify patients, the Department of Health and Human Services (HHS) and potentially the media.
Tennessee recently enacted a change to its data breach notification laws. The new law removes the word “unencrypted” from the description of the type of compromised information that would necessitate notification. In addition, the state now requires that disclosure of a breach be made immediately, and no later than 14 days following the discovery of the breach. This amended law will become effective July 1, 2016, and will apply to data breaches that occur after that date.