The Rheumatologist

Legal Updates: Tips for Protecting Your Patients’ Health Information

December 18, 2019 • By Steven M. Harris, Esq.

Other Privacy Laws to Consider

1. State Laws

Many states now include medical information in their definitions of personal information. Thus, when analyzing a security incident involving patient information, state law must also be considered to ensure that notification, if necessary, to affected individuals and state regulators is provided in compliance with applicable laws. The laws and regulations of the affected individual’s state of residence control when determining notification obligations.

2. California Consumer Privacy Act

California enacted the Consumer Privacy Act of 2018 (CCPA), in part as a response to revelations that Facebook data were shared with the political data firm Cambridge Analytica without users’ knowledge or permission. The law, which will be effective starting Jan. 1, 2020, imposes obligations on businesses that collect and process personal information on California consumers to give those consumers rights to access, delete and restrict certain uses of personal information, among other rights.

Many of the rights afforded to California residents parallel the data subject rights found in the European Union’s (EU’s) General Data Protection Regulation (GDPR). Like the GDPR, the CCPA has a delayed enforcement date to allow affected businesses more time to come into compliance. Under the CCPA, businesses must determine whether they are subject to the law and take all necessary steps to come into compliance. The law does not authorize the attorney general to bring an enforcement action until July 1, 2020, or until six months after the publication of final regulations pertaining to the law, whichever occurs first.

3. General Data Protection Regulation

The GDPR is an omnibus data protection regulation that replaced the European Data Protection Directive 95/46/EC. The GDPR relates to the processing of personal data. Personal data means any information related to a natural person (a “data subject” in GDPR parlance) that can be used to directly or indirectly identify the person. This includes names, photos, email addresses, bank details, posts on social networking websites, medical information and computer internet protocol (IP) addresses.

The GDPR also includes specific provisions for sensitive personal data, or “special categories of data,” including passwords for access to information technology (IT) systems and websites, credit card details, Social Security numbers, passport numbers, and genetic and biometric data.

Data processing includes collecting, using, storing, disclosing and discarding.

The GDPR applies to all companies processing personal data of subjects residing in the EU. Specifically, it applies to organizations located within the EU, as well as organizations located outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects.

The GDPR requires entities that suffer data security breaches to notify the relevant data protection authority within 72 hours of discovery and to notify the affected subjects without undue delay. Data breach notification in the EU is a new requirement.

In the U.S., there is no general federal data breach notification law. Instead, whether notification is necessary depends on the state of residence of the affected individual and/or what information was compromised. Forty-eight states have data breach notification laws. And HIPAA has notification requirements for the compromise of protected health information. The already onerous requirements in the U.S. are further complicated by this GDPR requirement.

Filed Under: Legal. Tagged With: HIPAA, protected health information. Issue: December 2019.
