New state privacy laws can affect hospital operations but might be overlooked when the focus is on HIPAA compliance. Risk managers and compliance officers should make sure they are complying with both obligations, says Sharon R. Klein, JD, partner with the Blank Rome law firm in Los Angeles.
Enforcement from the Federal Trade Commission is a new issue, since it focuses on tracking of online data that is not necessarily protected health information (PHI).
“When you’re thinking about healthcare, you think about the federal acts like HIPAA. But from a state law perspective, you have these new comprehensive privacy laws that are applying to not-for-profits, and of course a lot of healthcare is not-for-profit,” she says. “New Jersey, Colorado, Delaware, and Oregon have privacy laws that directly affect hospitals, so you have that combination with some of those state privacy laws that do extend to PHI.”
Many of the state laws focus on mobile apps and consumer health, such as health trackers that count daily steps. That is not PHI covered by HIPAA, but it still can create problems for healthcare providers, Klein says.
“So why is that a problem? It’s a problem because HIPAA does not have a private right of action. You’re not going to get a class action under HIPAA,” she explains. “But under the state laws, you have the [attorneys general] who can bring regulatory action, and you have the threat of individual plaintiffs in class actions against healthcare institutions. That’s like a sea change.”
"State Laws Affect Privacy Compliance; Data Tracking Also a Concern," was published in Healthcare Risk Management on June 1, 2024.