For businesses regulated by the Health Insurance Portability and Accountability Act ("HIPAA") or the Gramm-Leach-Bliley Act ("GLBA"), the amount of effort required to be compliant can be staggering. Entities handling the personally identifiable information ("PII") or non-public information of their customers have affirmative notice obligations and duties to protect PII under federal rules such as HIPAA and GLBA.

In addition to these federal obligations, entities may also have to contend with state statutes. Most states require that any entity doing business within the state notify a resident whose PII has been accessed by an unauthorized third party, or who is affected by some other breach of the entity's security. While most states' definitions and obligations track the federal language, some states' requirements are more stringent. Additionally, these requirements are typically imposed on any entity that does business with residents of the state, rather than only on entities governed by federal regulations such as HIPAA or GLBA.

Any entity that handles the sensitive information of individuals should include an ongoing review of the breach notification statutes for any state in which it has customers as part of its compliance audit and review process.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.