Original Content - Posted by Bill Miaoulis.
If a hospital in Colorado has a security breach and the breach includes patients from California, North Carolina, Alabama, etc., which state breach notification law applies? From my point of view (I am NOT an attorney and give no legal advice), the State of Colorado Law would apply and of course the Federal HITECH Breach Notification requirements. But some in my profession and some attorneys have stated that the Colorado Hospital would also have to comply with California, North Carolina and Alabama law. If this is in fact true, then it creates a huge responsibility on healthcare providers to comply with the 44 state laws, District of Columbia, Puerto Rico and the Virgin Islands and of course HITECH.
One of the best sources of information about individual states can be found at breachcenter.com: http://www.breachcenter.com/tiki-index.php?page_ref_id=21
Clearly, health care providers need to concern themselves with HITECH and their state's Breach Notification Requirements. I would also believe that integrated delivery networks must also comply with any state in which they have a physical presence. The difficult part to answer is when you have to comply with out-of-state law. I still find it hard to believe that California Law can govern Hospitals in Colorado, but some folks believe that. Your comments are welcome and appreciated. If you have something to add, please contact me or post a comment.