When you realize there has been a breach of protected health information (PHI), your first thought is of HIPAA and how to satisfy federal requirements for responding. But that is far from the end of your obligation, as state requirements can be just as onerous.

And if you do business in more than one state, the response can be especially burdensome because state laws requiring data breaches can be radically distinct — each requiring something different and, in many cases, specifically tailored to that state’s government, notes Nathan A. Kottkamp, JD, a partner with the law firm of McGuireWoods in Richmond, VA.

Alabama and South Dakota are the only states that don’t have data breach notification laws.

“There is a crazy quilt of 48 different state laws that come into play. Many of them layer on HIPAA, so that comes into play, but just complying with the breach requirements of HIPAA is not enough to comply with all these state laws,” Kottkamp says. “What ends up happening is that if you have pure PHI for HIPAA purposes, just health information and name, in almost all of those cases all of these state laws are not going to come into play because they are focused on financial information. However, in many situations where there is a breach of PHI, the contents of that PHI are broader than just pure health information. They might involve account information, or a deductible, or a credit card that was used to pay for that healthcare.”

The inclusion of any information like that most likely triggers state law requiring breach notification, he says. Then things get complicated. For instance, there are wide variations in state law and nuances about exactly how a breach notification letter must be worded.

“There are state requirements that you must send a letter to their respective attorney general or consumer affairs division prior to sending it out to those affected by the breach. There is a small number that require the state actually bless the letter before sending it to those people,” he says. “Then there are the timing issues, and with HIPAA, 60 days is your outside limit. But 45 days in at least two states, and Florida has the current record for the tightest, which is 30 days. You can really get yourself tripped up if you are laser focused on HIPAA and send your notification letter, but if, for instance, you forget to send the required statement about putting a credit freeze on your account as is required in six states and given a nod in other states.”

In addition to listing all sorts of universal contact information like the Federal Trade Commission and credit reporting agencies, Maryland and North Carolina require that the breach notification letter include state-specific information for contacting the attorneys general in those states.

“If you have a 50-state breach, you can’t use the exact same breach letter for everyone affected by the breach unless you want to tell people in Idaho how to contact the attorney general in North Carolina, which doesn’t make much sense,” he says. “People like to think they can use a broad notification letter that covers everything that any state could possibly require, but then lo and behold, they’ve missed something like that state-specific requirement.”

Many states also have supplemental requirements within their state agencies, Kottkamp notes. Whereas most states require that you notify the attorney general, some also specifically require that you additionally and separately notify another agency such as the department of consumer affairs.

States also have different thresholds for when you must notify the attorney general and other departments in those cases. Some states require reporting only if the breach affects more than 500 people, Kottkamp notes, while others set the trigger at 750 or 1,000.

“If you have a multistate affair with more than just health information, you literally have to go state by state to make sure you’re checking all the boxes,” Kottkamp says. “Some smaller healthcare providers won’t have to deal with a breach in multiple states, but larger health systems and other kinds of operations in the healthcare industry are going to find that a breach of any size is likely to involve people in more than just the one state where the company resides or is headquartered.”

Even large organizations can overlook the risk related to state breach notification requirements, Kottkamp warns. A hospital or health system may have a solid plan for fulfilling HIPAA breach notification requirements but only address state requirements as an afterthought, assuming the federal compliance automatically satisfies the state or that state requirements are comparatively minor.

New York Goes After Delayed Notice

That is not at all reliable, and the consequences can be serious. States take their breach notification laws seriously, as evidenced by the New York attorney general’s recent settlement with CoPilot Provider Support Services, Kottkamp says. CoPilot, which provides support services to the healthcare industry, waited more than a year to provide notice of a data breach that exposed 221,178 patient records.

The company blamed the delay on an ongoing investigation by the FBI, but agreed to pay $130,000 in penalties and to improve its notification and legal compliance program, the Department of Justice announced.

On Oct. 26, 2015, an unauthorized individual gained access to CoPilot’s confidential patient reimbursement data via the website administration interface and downloaded reimbursement-related records for 221,178 patients. In mid-February 2016, the FBI opened an investigation at CoPilot’s request, focusing on a former CoPilot employee. On Jan. 18, 2017, CoPilot began to provide formal notice to affected consumers in New York, more than one year after CoPilot learned of the breach of patient data.

“You’re looking at audits and other sorts of regulatory actions by the states if you don’t comply. If the state requires you to notify its attorney general and you don’t, the state will see the breach when it comes up on the federal government’s list of large breaches,” Kottkamp says. “Then, they’re going to contact you and ask why you didn’t notify them. That’s a big problem. That’s an open invitation for the state attorney general to just come in and hammer that provider.”

The most aggressive states are likely to be the ones with the toughest cyber laws, so the top of the list would include New York, Florida, California, Illinois, Ohio, and Massachusetts, Kottkamp says. Massachusetts also has an oddball statute that, unlike how almost every other state requires the provider to describe what happened in the breach, specifically prohibits the provider from describing the breach.

“I don’t know if they’re worried about copycats or what, but it’s a bizarre law,” he says. “That’s a great example of how you might think you’re doing the right thing because it’s the obvious thing and what every other state requires, but you do that in Massachusetts and you’re in trouble.”

Any state with an outlier requirement — like Maryland and North Carolina with their requirement for notifying specific agencies, and Ohio with its 45-day time limit — are likely to be more aggressive about enforcement, Kottkamp says. They know those are unusual requirements and they will check to make sure you paid attention.

Risk managers and compliance officers should maintain a list of applicable breach notification laws for every state in which the organization does business, Kottkamp suggests. That may be a long list for many covered entities, even relatively small ones, he says.

“Whenever there is a breach and it’s more than just pure PHI, one of the top five questions to ask is what states are affected,” he says. “Then, you pull the breach notification laws for those states and start layering. The sort of stained glass window you end up with dictates what you need to do for breach notification, and you may find that you have to write several letters and send to many different places by different deadlines.”

One source for the state breach notification laws is a compilation by the National Conference of State Legislatures, which can be found online at: http://bit.ly/1ao7NAi. Several law firms also have compiled state-by-state guides, such as one by the firm Foley & Lardner, which is available online at: