Trifecta General Counsel and Moxe Health have joined to present this series, helping you understand interactions between state privacy laws and HIPAA. Previously we looked at Ohio. This time it’s Old Dominion, the state that calls itself “Mother of Presidents.”
Virginia law specifically defines allowed “uses and disclosures” (U&I) of information by health care entities. A “health care entity” includes health systems, health plans and business associates. This U&I includes connection to health care operations, treatments or payments.
Virginia data privacy laws are similar to Ohio’s; operations, treatment and payment activities are included in the allowed U&I language. If the disclosure is to a health information exchange, in Ohio the patient has more rights to limit the information than with other health care entities.
As with Ohio, HIPAA applies to PHI collected from state residents. There are no Virginia state laws that specify data security requirements regarding personal health information (PHI) or any other personal information.
In the event of a breach of personal information that includes Virginia residents (such as PHI governed under HIPAA), you are required to:
- Notify the state attorney general’s office.
- Notify the affected Virginia resident(s) — by writing to the last known address, or by phone contact.
- A substitute notification — such as email, posting on website, and notice to statewide media — is allowed if the breach is widespread, or if sufficient information isn’t available for direct notices.
Notices must occur without unreasonable delay and must include:
- A description of the incident and type(s) of information lost.
- Steps the individual may take to prevent further unauthorized access.
- A contact phone number.
- A reminder to the individual to watch accounting statements and credit reports with vigilance.
Unlike Ohio, Virginia does not require notification of credit bureaus.
Virginia law details other breach notification steps if a breach of health care information occurs to an entity not defined as a Covered Entity or a Business Associate under HIPAA.
Let us know if you have questions about HIPAA, and stay tuned for our next state-based analysis of data privacy, security and breach management.
Trifecta General Counsel provides next-generation legal services for tech-focused companies. Moxe facilitates bidirectional sharing of medical records between health plans and health systems, enabling collaboration and the sharing of key patient insights.