Trifecta General Counsel and Moxe Health have joined to present this series, helping you understand interactions between state privacy laws and HIPAA. Previously we looked at Ohio. This time it’s Old Dominion, the state that calls itself “Mother of Presidents.”
Virginia law specifically defines allowed “uses and disclosures” (U&I) of information by health care entities. A “health care entity” includes health systems, health plans and business associates. This U&I includes connection to health care operations, treatments or payments.
Virginia data privacy laws are similar to Ohio’s; operations, treatment and payment activities are included in the allowed U&I language. If the disclosure is to a health information exchange, in Ohio the patient has more rights to limit the information than with other health care entities.
As with Ohio, HIPAA applies to PHI collected from state residents. There are no Virginia state laws that specify data security requirements regarding personal health information (PHI) or any other personal information.
In the event of a breach of personal information that includes Virginia residents (such as PHI governed under HIPAA), you are required to:
Notices must occur without unreasonable delay and must include:
Unlike Ohio, Virginia does not require notification of credit bureaus.
Virginia law details other breach notification steps if a breach of health care information occurs to an entity not defined as a Covered Entity or a Business Associate under HIPAA.
At Trifecta and Moxe we are passionate about data privacy. Even if HIPAA is already in your daily vocabulary, it can be a great reason to learn more about laws designed to protect your PHI.
Let us know if you have questions about HIPAA, and stay tuned for our next state-based analysis of data privacy, security and breach management.
Trifecta General Counsel provides next-generation legal services for tech-focused companies. Moxe facilitates bidirectional sharing of medical records between health plans and health systems, enabling collaboration and the sharing of key patient insights.