Sarah Crotts was quoted extensively in Healthcare Risk Management on the evolving intersection of data privacy and health care. She noted that an increasing number of states have enacted data security laws that can impact protected health information (PHI).

"They define the type of information they protect differently, and their requirements vary," she said. "On top of that, you have the federal layers for information, HIPAA, and Part II for substance abuse and mental health type of records."

"Some of the state laws will exclude at the entity level," she continued, "so if an entity is a covered entity under HIPAA, and you’re already meeting HIPAA requirements, that’s good enough for us. Other states aren’t looking at it at an entity level. They’re looking at it at the data level, and not just PHI — including all the other types of information you have, ranging from just basic employee information to all the different information that gets gathered when people visit their website."

Sarah said that compliance can be challenging for health systems operating in several states.

"Covered entities that are doing the best with this are looking at proposed legislation in states they operate in and saying, 'If this passes, what do we need to do to change?'" she said. "They’re getting a little bit ahead of the ball, which gives them more time to get those changes put into place, train people, and be ready when laws do become effective."

You can read the full article here: State Laws on PHI Require Careful Consideration

Healthcare Risk Management gathers the latest industry news for risk managers and other health care leaders.