USA LAW AND PRACTICE Contributed by: Nancy Libin, David Rice, Spencer Persson, Michael Borgia, Robert Stankey, Kara Trowell and Alexander Sisto, Davis Wright Tremaine LLP
Health information confidentiality

States generally govern the confidentiality of health information through:

• general medical privacy laws governing healthcare providers, and potentially other types of entities (eg, health insurers);
• confidentiality laws specific to certain conditions or treatments; and
• broad consumer privacy laws governing health data that falls outside HIPAA (see the discussion above concerning Washington's MHMD and similar Nevada law).

Some states (notably California) also prohibit certain healthcare providers from responding to in-state or out-of-state warrants for data on use of reproductive healthcare services.

Data brokers

Four states – California, Vermont, Texas and Oregon – require data brokers to register with state agencies. Definitions vary, but generally "data brokers" are businesses that collect and sell or license the personal data of individuals with whom the business does not have a direct relationship. In addition, California's Delete Act directs the CPPA to develop a mechanism that enables consumers – with one request – to delete personal information held by all data brokers registered with the state.

Disposal of records containing personal information

Most states have enacted laws that require businesses to securely destroy or dispose of personal information that is no longer needed. Acceptable methods typically include shredding or burning paper records and other media and altering electronic records to make them unreadable.
• individuals' names in combination with Social Security number, driver's licence number or other state ID number; and
• financial account or payment card numbers in combination with any required information (eg, security code) that permits access to an individual's account.

Some such laws also apply to certain types of medical and health insurance information, certain usernames and passwords, and biometric data. Most of these laws also require notification to the state attorney general or other state agency.

Many states also have enacted data security laws, which generally require entities to protect personal information from unauthorised access, acquisition or other misuse. Generally, these requirements are broadly stated and require entities to maintain "reasonable" security measures. Some of these laws also specifically require contractual obligations to impose reasonable security measures on any third parties to which an entity discloses personal information, and to securely delete personal information when no longer needed.

Several states (eg, Massachusetts, New York and Oregon) have more detailed requirements. Those state laws require various administrative, technical and physical safeguards for personal information, such as:

• information security policies;
• third-party risk management;
• access controls;
• incident response procedures;
• patch management;
• employee training; and
• secure deletion.