Vermont and North Dakota have both decided to improve data breach notification (DBN) laws in their respective states in recent months. To a degree, this is exactly how the American system of government is designed to work.
Flesh out an idea at the state level, implement it, go back a little while later and close the loopholes and reiterate. Eventually a solid methodology becomes a general consensus across the 50 states and a Federal law can supersede them with some uniformity.
Vermont’s original bill, Security Breach Notice Act, 9 V.S.A. § 2435 (rolls off the tongue, doesn’t it?), had a bizarre exclusion for financial institutions. It is not unusual for loopholes to make it into early revisions of law, which seems to be the case here.
On May 13th Governor Peter Shumlin signed the revision into law. It now states:
"A data collector or other entity regulated by the Department of Financial Regulation under Title 8 or this title shall provide notice of a breach to the Department. All other data collectors or other entities subject to this subchapter shall provide notice of a breach to the Attorney General."
North Dakota has taken a second look at its DBN law, 51-30-01, and amended it effective August 1st in House Bill 1435.
Previously North Dakota considered PII or Personally Identifiable Information to include:
Social Security Number, Driver's license number, state ID card, financial account details (credit card, bank account, etc), date of birth, mother's maiden name, employee ID number or a copy of your signature (digital or otherwise).
The state has added two important items to this list for non-HIPAA covered entities: medical information and health insurance information.
This plugs a federal loophole allowing organizations that are not “covered entities” to ignore the rules under the HIPAA act.
Which brings me to my home state of Michigan. Last week, the Michigan Department of Community Health contacted more than 49,000 individuals to warn them they were at risk of identity theft.
A server belonging to the Michigan Cancer Consortium, containing unencrypted names, Social Security numbers, birthdates and cancer screening results, was hacked.
Nope. Not according to the state of Michigan. The hacked organization isn’t a “covered entity.”
Under HIPAA, the Cancer Prevention and Control Section of the Department of Community Health, which shared the data with the Cancer Center, doesn’t meet the specific definition put forth by Health and Human Services.
According to a Health Data Management article, the state’s spokesperson said the data in question:
"were not medical records and therefore, no notification under HIPAA was sent to individuals. However, because the reports contained Social Security numbers, the Identity Theft Protection Act did apply."
Looks like I did the right thing by moving away. Clearly the letter of the law in Michigan is much more important than the spirit.
While it is likely they are avoiding admitting to a HIPAA violation to avoid fines and an investigation, perhaps that is exactly what is needed here to ensure this type of accident doesn’t occur again.
My name, birthdate and cancer screening results are not considered part of my “medical records?” Perhaps you ought to consult with your cousins Vermont and North Dakota for a peek at their dictionaries.
Lastly, my blog posts are never complete without some unsolicited advice. Here is some for both the state of Michigan and anyone else involved in handling *ANYTHING* related to health records.
It is all important. All of it. Every last scrap. Stop storing it on unprotected web servers. Encrypt everything.
As we have no choice but to entrust you with our information, please start treating it as if it were your own.
Nurse shredding records image courtesy of Creative Commons 3 image from Compliance and Safety