

January 08, 2007

New Michigan Identity Theft Law

On January 3, 2007, Governor Granholm signed a new notification law that requires Michigan residents be notified if the security of a database containing their personal information is breached. The legislation requires that businesses and government agencies notify consumers when a security breach puts personal information, including social security numbers, driver's license numbers, and financial information, at risk. Failure to properly notify consumers of a security breach can result in a fine of up to $750,000.

This new law has an important carve-out for providers and others who are subject to HIPAA—but only if such persons are actually complying with the HIPAA privacy and security rules.

Under the HIPAA privacy and security rules, health plans and providers are required to have in place security measures to restrict access to records and ensure their integrity and availability. Although the HIPAA rules require you to monitor for security breaches and take steps to minimize any harm resulting from a security breach, neither set of rules explicitly requires notification—though notification may be necessary to minimize harm.

If you experience a data breach and are not in compliance with the HIPAA privacy and security rules, you not only face potential liability under HIPAA, but you may also face liability under the new Michigan identity theft notification law if you do not provide notice to affected individuals. The Michigan identity theft notification law provides for a civil fine of up to $250 for each notification letter that was not sent, not to exceed $750,000 for any one security breach.

Keep in mind that the HIPAA exception applies only to the health plan and medical records. As an employer, you may also have personnel records or other employment records that are not subject to HIPAA. If the security breach involves improper access to sensitive information in these records, the identity theft notification law will apply.

Warner Norcross & Judd LLP routinely helps its clients deal with HIPAA compliance issues and security incidents. If you have any questions about this new law, about the HIPAA privacy and security rules, or about a security incident, please contact Norbert F. Kugele at 616.752.2186, or any other member of the Health Care and Life Sciences Practice Group.
