420-P:10 Safe Harbor for HIPAA Compliance. –
A licensee that is in possession of protected health information subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and that has established and maintains programs and procedures regarding information privacy, security, and breach notification that are prescribed by HIPAA and by Parts 160 and 164 of Title 45 of the Code of Federal Regulations established pursuant to HIPAA, shall be considered to meet the requirements of this chapter with respect to such protected health information, provided that the licensee is compliant with the HIPAA privacy, security, and breach notification requirements and submits a written statement certifying such compliance. Furthermore, to the extent a licensee maintains other nonpublic information concerning a consumer in the same manner as protected health information, it shall be considered to meet the requirements of this chapter with respect to such nonpublic information, provided the licensee submits a written statement that it does maintain and protect other nonpublic information as it does protected health information. However, any licensee subject to this HIPAA safe harbor shall continue to be subject to, and shall comply with, the commissioner notification requirements of RSA 420-P:6, I and II. For purposes of this section, the definition of "protected health information" shall be as set forth in HIPAA and the regulations promulgated thereunder and shall be considered to be a subset of nonpublic information, as defined in RSA 420-P:3, XI.