There is a lot of variation from state to state in what information is covered, how people are supposed to respond when there is a problem, what the various thresholds are for notifying other authorities, and things like that. They are all very different from state to state, even though you might think a lot of it would be the same. Of course, that leads to a lot of problems for anybody who has customers in multiple states: you have to deal with all of these rules and regulations, along with HIPAA, if you have a breach.
But generally, the state laws don't have anything to do with health information; they are more about financial information. There are some exceptions, of course. California is one that's well known: it has some health information laws that are pretty strict about breach notification, stricter than the HIPAA rules and laws in some ways.
Generally, though, the state laws don't cover health information. So, finally, there is some U.S. law, now contained in the stimulus bill, ARRA. Part of that included breach notification requirements for information handling, and those specifically cover health information and payment information. So that is in the U.S. law, but generally, for most states, it isn't in the state law.
Now, one example of a state law, and one of the bigger ones, is the New York State Information Security Breach and Notification Act. This is generally the way most of them were put together: it requires notification of a resident if their information is reasonably believed to have been acquired without authorization.
And it doesn't cover publicly available information, consistent with the HIPAA rules. One thing the New York law does include that most state laws don't is fines for these breaches. Most of the laws just require you to notify people, but the New York law also includes fines. So check whether your state law includes fines or not; it can get pretty expensive.
The New York law calls for notice to be given in the most expedient time possible and without unreasonable delay. But it also has an allowance for law enforcement to say, "Hold on. Don't notify yet. We need to keep this under wraps," while they are still working out who the bad guys are and that sort of thing. That's a typical provision as well.
New York also says that you have to notify the individual directly, or you could do mass notification if you have more than, in New York's case, 5000 people or $200 to $3,000 in notification cost. So that is really an option if it gets expensive enough. And these thresholds are different in most states; they are usually lower than 5000 people or $250,000 in cost.
But they say that, instead of telling everybody individually, you can just put out plenty of notification on the evening news, in local newspapers, and things like that, which surely is not exactly what you're looking to do as far as notification goes.
You probably have a lesser impact by notifying individuals rather than going to the media and your website (all square to ASA) and saying, "Yes, we had a big breach here where we lost the information of all these people, and we're just going to tell everybody about it." So it's not really a good thing for the public image of your organization, and it also goes against HIPAA compliance.
And also, which is kind of unusual, there is a clause in there saying that if you have more than 5000 state residents impacted, you also have to notify the consumer reporting agencies: Equifax and all those folks who keep all your information for you.
So that's the basic New York State law, and it is a typical kind of state breach notification law. Again, what they are talking about is basically Social Security numbers, driver's license numbers, things like that.
Stick to the HIPAA Rules: And there are some new kinds of breach notification laws. Minnesota went so far as to say that if there is a breach in which credit card information has been compromised, then the people who lost that information need to pay the costs and losses in relation to those breaches as well. Before that, there wasn't really a specific requirement for the organizations that may have lost information to pay all the costs involved with issuing new credit cards and things like that, if it was credit card information.
But the Minnesota law, and probably other states' laws as well by now, does require that the people who lost the information pay the costs of dealing with those breaches.