In an article for Health IT Security, Bass, Berry & Sims attorney Roy Wyman discussed the compliance complexities facing healthcare companies as new state privacy rules take effect. Not only are healthcare companies faced with the privacy regulations imposed by federal laws, such as HIPAA, these same companies will now need to comply with all the different regulations under the various state privacy laws. As Roy pointed out, in 2023 so far there have been seven new general privacy laws; there are others enacted prior to 2023 and several states may pass laws later this year.

“No two of these state laws are identical,” Roy added. “The general privacy laws, the ones dealing with healthcare services specifically for those that are not covered entities are even more far-reaching and very different in their approach. And so, every compliance program is trying to figure out how to address it and how to deal with the different states.”

Along with HIPAA, state privacy rules regulate what type of personal health information can be collected; what, if anything, can be shared and with whom; how the information can be shared; how patients can access this information and withdraw consent, if preferred; and many other stipulations.

“I think the most critical first step regardless is a data map,” Roy suggested. “By that I mean having a spreadsheet or a diagram or something that shows all of the places where you collect personal information.”

The full article, “How Digital Health Companies Navigate the Patchwork of State Data Privacy Laws,” was published by Health IT Security on September 28 and is available online. To read more details about the various state privacy laws, click here.