This message has been cross posted to the following eGroups: HIPAA: Health Insurance Portability and Accountability Act Forum and West Coast Region community .
-------------------------------------------
I have a question about whether a privacy breach is reportable to CDPH when the patient is a California resident but receives care in a facility in another state, and the breach is caused by that out-of-state facility.
Is there a duty to report to the state if that out-of-state facility is associated to a California hospital, but is separately licensed in the other state?
Would the laws of the state where the clinic is licensed trump the CA breach notifications laws? Would the absence of any such laws in the other state still surplant the CA notification laws.
Any response from an entity that practices in CA and another state would be appreciated.
-------------------------------------------
John Hodge CHC, CHPC
Compliance/Privacy Officer
-------------------------------------------