Hunton & Williams LLP write:
On January 1, 2010, two important state data security and privacy laws took effect in Nevada and New Hampshire. The laws create new obligations for most companies that do business in Nevada and for health care providers and business associates in New Hampshire.
[…]
The new law in New Hampshire requires health care providers and business associates to (1) obtain an authorization from individuals before using or disclosing their protected health information (“PHI”) for marketing, and (2) provide an opportunity for individuals to choose not to receive any fundraising communications that involve their PHI. New Hampshire’s law also requires health care providers and business associates to notify individuals in writing of any use or disclosure of their PHI that is not permitted by New Hampshire law, even if such use or disclosure is allowed under federal law. For example, New Hampshire prohibits all marketing communications (including those authorized by individuals) by voicemail, facsimile, or “other methods of communication that are not secure,” while federal law contains no such prohibitions.
New Hampshire’s new law adds to the list of state and federal laws regulating breaches of health information: in August 2009, Missouri’s information security breach notification statute, which applies to breaches of “medical information” and “health insurance information,” took effect, and in February 2010, the federal regulations addressing breaches of unsecured PHI will become effective.
Read more on the Privacy and Information Security Law Blog.