New Hampshire recently enacted legislation restricting the use and disclosure of protected health information (“PHI”). As of January 1, 2010, health care providers and their business associates will be obligated to notify affected individuals of disclosures of PHI that are allowed under federal law, but are prohibited under the New Hampshire statute.
The New Hampshire law requires health care providers and their business associates to (i) obtain authorization for the use or disclosure of PHI for “marketing” and (ii) offer individuals an opt-out opportunity for the use or disclosure of PHI for fundraising purposes. In addition, it prohibits the disclosure of PHI for marketing (even with an authorization) or fundraising by voice mail, unattended facsimile, or through other methods of communication that are not secure.
In the event PHI is used or disclosed in violation of the New Hampshire law, the health care provider must notify affected individuals whose PHI was disclosed. Business associates will be responsible for the cost of notification if the non-compliant disclosure or use was by the business associate. The terms "business associate," "use," "disclosure" and "protected health information" have the same meanings as under HIPAA. Under the New Hampshire law individuals may file civil suits for violations of the marketing and fundraising restrictions, with possible damages of $1,000 or more per violation, plus legal fees and costs.
The full text of the New Hampshire bill (as signed into law) may be viewed here.