RD128 - Notification for Breaches of Personal Health Records

  • Published: 2012
  • Author: Joint Commission on Health Care
  • Enabling Authority: Letter Request (2012)

Executive Summary:

Senate Bill 1229, introduced by Senator George L. Barker during the 2009 General Assembly Session, sought to provide additional protections for medical information by requiring that individuals be notified of security breaches involving databases containing their health information. SB 1229 was referred by the Senate Committee for Courts of Justice to the Joint Commission on Technology and Science (JCOTS) and the Joint Commission on Health Care (JCHC) for study.

Individually-identifiable health information is collected or retained by numerous public and private entities. When the Health Insurance Portability and Accountability Act (HIPAA) was enacted, stringent standards were established to protect the privacy of health information maintained by health care providers, health insurers, and health care clearinghouses. Recently, new entities called personal health record vendors have emerged. These personal health record vendors are not subject to HIPAA requirements even though the vendors maintain sensitive identifiable health information that has been provided by consumers. SB 1229 sought to add personal health record vendors within the definition of health care providers that are subject to Virginia’s privacy provisions in Code of Virginia § 32.1-127.1:03 and to create within Code § 18.2-186.6 a notification requirement for breaches of individually-identifiable health information.

Since the time that SB 1229 was referred to JCOTS and JCHC, additional federal notification requirements were enacted pursuant to the privacy provisions contained within the Health Information Technology for Economic and Clinical Health Act (part of the American Recovery and Reinvestment Act of 2009). Although these notification requirements addressed the objectives of SB 1229, the JCOTS/JCHC study determined that some collections of individually-identifiable health information maintained by State government entities were not covered by the new federal requirements. Consequently, during the 2010 General Assembly Session, three bills (HB 525, HB 1039, and SB 224) were introduced to create breach notification requirements for State and local governmental entities; HB 1039 was enacted (2010 Acts of Assembly, Chapter 852).

On behalf of the Joint Commission and staff, I would like to thank representatives of the Health Law Section of the Virginia State Bar, the Joint Commission on Technology and Science, and the Office of the Attorney General for their participation and assistance in this study.

Kim Snead
Executive Director
April 2012