A new law in Florida is the latest effort by an individual state to fill the void left by ambiguous federal law regarding breach notification. In Florida, the new law fundamentally changes what information is protected and who is responsible for complying with the law. And for covered entities and business associates, it creates expectations that are separate from and in addition to HIPAA regulations.

Growing trend emerges for double compliance laws

Florida isn’t the first state to take matters into its own hands, and it is not alone in compounding compliance headaches by layering state laws on top of federal legislation. In total, more than 40 states have developed their own versions of a breach notification law. This trend is placing an increasingly complicated burden on healthcare organizations that operate in multiple states. Which law do they follow? Do they apply the most stringent, or adjust to each data breach on a case-by-case basis?

Of course, the best way to respond to the situation is to prevent breaches in the first place, or to at least have a substantial, robust risk analysis and risk management effort in place to prove your organization was acting in good faith to avoid a breach.

Lay good foundations

Having a proactive approach to managing risks associated with protected health information starts with conducting a comprehensive security risk analysis. If your organization is unsure whether your risk analysis efforts go far enough, you should compare and contrast your current process with the framework articulated by the National Institute of Standards and Technology (NIST). The NIST guidance documents are available in our HIPAA-HITECH Resources section.

Register for one of Clearwater’s complimentary webinars on risk analysis and risk management basics and get to grips with these issues and more.

Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years of legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights, where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.