On January 3, 2007, Governor Granholm signed a new notification law that requires that Michigan residents be notified if the security of a database containing their personal information is breached. The legislation requires that businesses and government agencies notify consumers when a security breach puts personal information, including Social Security numbers, driver's license numbers, and financial information, at risk. Failure to properly notify consumers of a security breach can result in a fine of up to $750,000.
This new law has an important carve-out for providers and others who are subject to HIPAA—but only if such persons are actually complying with the HIPAA privacy and security rules.
Under the HIPAA privacy and security rules, health plans and providers are required to have in place security measures to restrict access to records and ensure their integrity and availability. Although the HIPAA rules require you to monitor for security breaches and take steps to minimize any harm resulting from a security breach, neither set of rules explicitly requires notification—though notification may be necessary to minimize harm.
If you experience a data breach and are not in compliance with the HIPAA privacy and security rules, you not only face potential liability under HIPAA, but you may also face liability under the new Michigan identity theft notification law if you do not provide notice to affected individuals. The Michigan identity theft notification law provides for a civil fine of up to $250 for each notification letter that was not sent, not to exceed $750,000 for any one security breach.
Keep in mind that the HIPAA exception applies only to the health plan and medical records. As an employer, you may also have personnel records or other employment records that are not subject to HIPAA. If the security breach involves improper access to sensitive information in these records, the identity theft notification law will apply.
Warner Norcross & Judd LLP routinely helps its clients deal with HIPAA compliance issues and security incidents. If you have any questions about this new law, about the HIPAA privacy and security rules, or about a security incident, please contact Norbert F. Kugele at 616.752.2186, or any other member of the Health Care and Life Sciences Practice Group.