Mintz Levin has updated the Mintz Matrix, a comprehensive summary of the data breach notification laws that now exist in all 50 states (South Dakota and Alabama finally caved and enacted their own laws). It’s critical that HIPAA-regulated entities monitor these state laws because they apply simultaneously with, and often conflict with, HIPAA. In the event of a data breach, regulated entities must fulfill HIPAA’s breach notification requirements and the requirements of applicable state law. Large-scale data breaches, affecting individuals from multiple states, require the rapid analysis of multiple state laws along with HIPAA requirements. But don’t wait for a crisis to review the Matrix. HIPAA covered entities and business associates should use it to familiarize themselves with the breach notification requirements of the states in which they do business, and use the Matrix to inform incident response planning activities. The Matrix is also useful for monitoring patterns and trends among state laws in this area. For example, state data breach notification laws have historically been implicated by the loss of information that could be used for identity theft, such as name coupled with social security, debit or credit card numbers. However, many states now require breach notification when health care information is used or disclosed without authorization, even if it is not associated with a social security number and even if HIPAA does not apply. You can learn more about the Matrix and download a copy on our Privacy and Security Matters blog.

Earlier this week, the Mintz Levin privacy team updated the “Mintz Matrix,” a summary of the U.S. state data breach notification laws, with updates from New Mexico, Tennessee, and Virginia. As the privacy team reports, with New Mexico enacting a data breach notification law, Alabama and South Dakota remain the only states without data breach notification laws. Their full blog post on the updates is available here.

In addition to complying with HIPAA, health care organizations must remain aware of the separate state notification obligations and other privacy and security laws when responding to data breaches. These state laws are often broader than HIPAA and may apply to personally identifiable information that is not protected health information.

Our quick disclaimer: The Mintz Matrix is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.

As reported on the Privacy and Security Matters blog last week, the Mintz Levin privacy team recently updated the “Mintz Matrix,” a summary of the U.S. state data breach notification laws that we update on a quarterly basis, or more frequently as needed.  In addition to HIPAA, health care organizations must remain aware of the separate state notification obligations and other privacy and security laws when responding to data breaches. The Mintz Matrix is available here.

Although National Cyber Security Month isn’t until October, September has brought plenty of privacy and security updates that health care companies need to be aware of. In this post, we review guidance from the Office for Civil Rights (OCR) on cyberattacks, describe new state breach notification laws, and highlight the upcoming NIST/OCR security conference.

My colleagues in the Privacy and Security Group recently updated the Mintz Matrix, a summary of U.S. state data breach notification laws. While we often discuss HIPAA on Health Law and Policy Matters, health care organizations must be aware of separate state notification requirements and other privacy and security laws that may apply in the event of a data breach. We update the Mintz Matrix on a quarterly basis, or more frequently if necessary.

The updated Mintz Matrix is available here. The Privacy and Security Matters Blog recapped the main updates, including Tennessee’s amendments to its breach notification requirements, which impose a stricter time frame for notification and remove the safe harbor for encrypted data.

We hope this chart is helpful to you, but we must note that it is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.

As reported in a recent Privacy and Security Matters post, we have updated the “Mintz Matrix,” a summary of the U.S. state data breach notification laws. The Mintz Matrix is an invaluable tool for reviewing state breach notification requirements, which may apply in addition to HIPAA in the event of a data breach. We update the Mintz Matrix on a quarterly basis, or more frequently if necessary.

As reported in a Privacy and Security Matters post last week, we maintain a summary of the U.S. state data breach notification laws, which we refer to as the “Mintz Matrix.” We update the Mintz Matrix on a quarterly basis, or more frequently if necessary. The Mintz Matrix is available here. This update includes new information about Kentucky and Iowa laws.