A new law in Florida is the latest effort by an individual state to fill the void left by ambiguous federal law regarding breach notification. In Florida, the new law fundamentally changes what information is protected and who is responsible for complying with the law. And for covered entities and business associates, it creates expectations that are separate and in addition to HIPAA regulations.
Growing trend emerges for double compliance laws
Florida isn’t the first state to take matters into its own hands, and it is not alone in compounding compliance headaches by layering state laws on top of federal legislation. In total, more than 40 states have developed their own versions of a breach notification law. This trend places an increasingly complicated burden on healthcare organizations that operate in multiple states. Which law do they follow? Do they apply the most stringent one, or adjust to each data breach on a case-by-case basis?
Of course, the best way to respond to the situation is to prevent breaches in the first place, or to at least have a substantial, robust risk analysis and risk management effort in place to prove your organization was acting in good faith to avoid a breach.
Lay good foundations
Having a proactive approach to managing risks associated with protected health information starts with conducting a comprehensive security risk analysis. If your organization is unsure whether your risk analysis efforts go far enough, you should compare and contrast your current process with the framework articulated by the National Institute of Standards and Technology (NIST). The NIST guidance documents are available in our HIPAA-HITECH Resources section.