New Hampshire’s new breach notification law builds on the breach notification requirements under the HITECH Act by requiring health care providers and business associates to notify individuals of disclosures of their protected health information that are prohibited by New Hampshire law, even if such disclosures are permitted under HIPAA or other federal law. This new health information protection was enacted with other measures relating to privacy of electronic medical records and allowing individuals to opt out of sharing their names, addresses, and protected health care information with e-health data exchanges.
H.B. 619 becomes effective for data breaches occurring on and after January 1, 2010. Individuals may sue for violations of the notification requirement and, significantly, seek damages of not less than $1,000 per violation. The law also expressly requires business associates to cover the costs of notification if the use or disclosure triggering notification was made by the business associate.
Now, when New Hampshire health care providers and business associates experience a possible data breach, they will have to consider a number of laws to determine the appropriate response. These include H.B. 619, the state’s general breach notification statute, and the breach notification rules under the HITECH Act and implementing regulations. The analysis is even more complex for health care providers and business associates operating in multiple states, as at least five other states (Arkansas, California, Delaware, Missouri, and Texas) and Puerto Rico require notification in the event some form of medical information is breached.
Unlike New Hampshire’s general data breach notification statute, this law applies only to health care providers and business associates. H.B. 619 incorporates the definitions of “business associate” and “protected health information” under the HIPAA privacy regulations, but the term “health care provider” includes:
any person, corporation, facility, or institution either licensed by this state or otherwise lawfully providing health care services, including, but not limited to, a physician, hospital, office, clinic, health center or other health care facility, dentist, nurse, optometrist, pharmacist, podiatrist, physical therapist, or mental health professional, and any officer, employee, or agent of such provider acting in the course and scope of employment or agency related to or supportive of health care services.
Of course, health care providers and business associates remain subject to the state’s general breach notification law. That law requires all businesses to notify state residents of an unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information maintained by the business. The general notification law contains a “risk of harm” trigger – that is, covered entities need not provide notice if they have determined that misuse of the information has not occurred or is not reasonably likely to occur. H.B. 619 contains no such “risk of harm” trigger.