5.1. How do US states extend HIPAA?
The US federal government basically defines a “covered entity” as a health care provider, a health plan, or a health care clearninghouse. But the state of Texas extends the definition to include any business “assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information” in the Texas Medical Records Privacy Act.
There are many state privacy laws, the most well-known being the California Consumer Privacy Act or CCPA. However, there are many other state laws to be aware of:
- California Privacy Rights Act
- Colorado Privacy Act
- Connecticut Personal Data Privacy and Online Monitoring Act
- Delaware Personal Data Privacy Act
- Illinois Biometric Information Privacy Act
- Indiana Consumer Data Protection Act
- Iowa Consumer Data Protection Act
- Montana Consumer Data Privacy Act
- Oregon Consumer Privacy Act
- Tennessee Information Protection Act
- Texas Data Privacy and Security Act
- Utah Consumer Privacy Act
- Vermont House Bill 121
- Virginia Consumer Data Protection Act
- Washington Biometric Privacy Law
5.2. Is there such a thing as expert determination for CCPA?
California’s CCPA makes references to HIPAA, as do other state laws. In particular, California’s AB 713 refers to “The deidentification methodology described in Section 164.514(b)(1) of Title 45 of the Code of Federal Regulations, commonly known as the HIPAA expert determination method.”
Ask your legal counsel how state laws are relevant to your business.