Virginia enacts limited-scope medical information breach notification law

Last month, the Virginia General Assembly passed a new law, to take effect on January 1, 2011, that will implement new disclosure notification rules for breaches of medical information about Virginia residents. The new law appears intended to fill a fairly narrow perceived gap in information breach disclosure requirements already in place at both the state and federal level, including coverage for medical information specifically as well as personal information generally. The specific attention to medical information makes the new law complementary to several measures passed during the 2008 legislative session that strengthened existing statutes covering crimes involving fraud to add protection against identity theft (§18.2-186.3) and require notification for breaches of personal information (§18.2-186-6). Many of the definitions and notification procedures included in the recently passed bill are the same as those found in the earlier code on breach of personal information notification, including the definitions for a “breach of the security of the system,” what constitutes “notice,” and the applicability of the notification rules even when breached information is encrypted, if the disclosure involves anyone who might have access to the encryption key.

One area where the medical information breach notification definitions differ from current statutory language is in what is considered an “entity” subject to the requirements in question. The rules for breach of personal information notification define an entity quite broadly as “corporations, business trusts, estates, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, governments, governmental subdivisions, agencies, or instrumentalities or any other legal entity, whether for profit or not for profit.” (§18.2-186-6, section A) In contrast, the breach of medical information notification says an entity is “any authority, board, bureau, commission, district or agency of the Commonwealth or of any political subdivision of the Commonwealth, including cities, towns and counties, municipal councils, governing bodies of counties, school boards and planning commissions; boards of visitors of public institutions of higher education; and other organizations, corporations, or agencies in the Commonwealth supported wholly or principally by public funds.” (§32.1-127.1:05, emphasis added) This appears to limit the coverage of the new law to public sector organizations, and to private organizations receiving significant public funding. It is not at all clear that a private sector company operating independently of Virginia funding would be subject to the new rules.

In terms of applicability in the health space, the Virginia law makes no attempt to preempt or augment federal health information breach disclosure requirements under HIPAA or HITECH. Instead, it specifically excludes from coverage any HIPAA-covered entities (defined under the law as health care plans, health care providers, or health care clearinghouses) or business associates of those entities (individuals or organizations that perform functions involving the use or disclosure of protected health information on behalf of a covered entity), and also excepts non-HIPAA covered entities that are subject to the FTC’s health data breach notification rules established under authority of the HITECH Act. Since we’re talking about health data, presumably a large proportion of the wholly private organizations that seem to operate outside the coverage of the new Virginia law would already be subject to federal heath data breach notification laws, but there appears to be a gap in coverage for third-party data stewards, handlers, or transmitters that do not process or transform the data, and therefore do not fall under the definition of health care clearinghouses.As state, regional, and national efforts to facilitate health information exchange continue to develop — whether to satisfy information sharing requirements under meaningful use or to facilitate local or wider scale interoperability among data sources — the Virginia General Assembly might want to consider how medical information breach notification rules can be extended to cover potential new market entrants in health information exchange.