Even if your business has access to sensitive patient information, your firm may not be subject to HIPAA. However, this does not mean your business is legally exempt from establishing security controls.
Forty-seven states, Washington D.C., Puerto Rico, and the U.S. Virgin Islands have their own PII breach notification laws that must be followed in the event of an incident. Each state varies in its requirements and in what type of data is subject to its PII legislation.
Several states currently have PII laws that require businesses and state government entities to proactively protect PII in addition to breach notification requirements, while other states are in the process of developing these types of data loss prevention mandates.