Trifecta General Counsel and Moxe Health have joined to present this series, helping you understand interactions between state privacy laws and HIPAA. Previously we looked at Ohio. This time it’s Old Dominion, the state that calls itself “Mother of Presidents.”
Virginia law specifically defines the allowed “uses and disclosures” (U&I) of information by health care entities. A “health care entity” includes health systems, health plans and business associates. Allowed U&I include those connected to health care operations, treatment or payment.
Virginia data privacy laws are similar to Ohio’s; operations, treatment and payment activities are included in the allowed U&I language. If the disclosure is to a health information exchange, in Ohio the patient has more rights to limit the information than with other health care entities.
As with Ohio, HIPAA applies to PHI collected from state residents. There are no Virginia state laws that specify data security requirements regarding personal health information (PHI) or any other personal information.
In the event of a breach of personal information that includes Virginia residents (such as PHI governed under HIPAA), you are required to:
- Notify the state attorney general’s office.
- Notify the affected Virginia resident(s) — by writing to the last known address, or by phone contact.
- Substitute notification — such as email, posting on a website, and notice to statewide media — is allowed if the breach is widespread, or if sufficient information isn’t available for direct notices.
Notices must occur without unreasonable delay and must include:
- A description of the incident and type(s) of information lost.
- Steps the individual may take to prevent further unauthorized access.
- A contact phone number.
- A reminder to the individual to watch account statements and credit reports with vigilance.
Unlike Ohio, Virginia does not require notification of credit bureaus.
Virginia law details other breach notification steps if a breach of health care information occurs to an entity not defined as a Covered Entity or a Business Associate under HIPAA.
Let us know if you have questions about HIPAA, and stay tuned for our next state-based analysis of data privacy, security and breach management.
Trifecta General Counsel provides next-generation legal services for tech-focused companies. Moxe facilitates bidirectional sharing of medical records between health plans and health systems, enabling collaboration and the sharing of key patient insights.