That's particularly the case for healthcare entities and business associates that are also liable for breach notification under HIPAA, Greene says in an interview with Information Security Media Group.
When there's a breach, healthcare entities and their vendors should consider prioritizing compliance with state breach notification requirements "because sometimes the time frames [for reporting] can be more stringent than HIPAA, and it can also affect the HIPAA [breach notification] analysis," he says.
"Sometimes it's helpful to do the state analysis first because it could alter the course of action you want to take under HIPAA."
In the interview, Greene discusses a range of issues, including:
- Why all types of entities need to pay especially close attention to the intricacies of each state's breach notification requirements;
- States that have the most stringent breach reporting requirements;
- Why Texas was considered as having a "de facto" national breach law - prior to all 50 states finally passing their own breach notification laws - and what changes now;
- The likelihood that Congress will ever pass a national breach notification law.
As a partner at Davis Wright Tremaine LLP in Washington, Greene specializes in HIPAA and HITECH Act issues. He formerly was senior health information technology and privacy specialist at the HHS Office for Civil Rights, where he played a significant role in administering and enforcing the HIPAA privacy, security and breach notification rules.