The New York SHIELD Act’s Impact on Healthcare Organizations
It’s no secret: cybercrime is on the rise, and personal data is being exposed in massive breaches around the world every day. Many state governments are feeling the pressure to adopt privacy protection laws to better safeguard the confidential information of consumers. The New York SHIELD (Stop Hacks and Improve Electronic Data Security) Act is a perfect example of this – signed into effect on July 15, 2019 to ensure that the information consumers entrust to companies is kept secure. If you think you’re protected because you’re already compliant with HIPAA, that’s only partially true. Covered entities and business associates must be aware that many areas of the two laws overlap, so it’s essential to be familiar with the differences between them.
What Exactly is the New York SHIELD Act?
The New York SHIELD Act was signed into effect on July 15, 2019 with the breach notification requirements taking effect on October 23, 2019 while the data security provisions will take effect on March 21, 2020. This law protects the private information of ANY residents of the state, which means even businesses outside of the state may be subject to the provisions of the law, as long as they’re storing or accessing private information belonging to residents. There are four important factors to keep in mind:
- The definition of “private information” has been expanded to include social security numbers, driver’s licenses or other ID card numbers, account numbers and/or credit or debit card numbers (even without a security code or password), login information, and biometric information.
- The definition of “data breach” has been expanded to include any unauthorized access to private information, even if someone simply views the private information and does not have a copy of it, whether digitally or physically.
- The notification procedures required when a breach of private information occurs have been expanded to obligate companies to give notice to individuals affected without reasonable delay. The company must also inform the state attorney general.
- The act requires companies to develop, implement, and maintain adequate administrative, physical, and technical safeguards designed to protect the private information of residents.
The good news? If you’re already compliant with HIPAA, you are most likely already compliant with the New York SHIELD Act’s reasonable security requirements in terms of administrative, physical, and technical safeguards.
How Does the New York SHIELD Act Impact Healthcare Organizations in Terms of Breach Notification Requirements?
First and foremost, keep in mind that the act doesn’t require you to notify affected individuals twice when a data breach notification is already required under HIPAA. However, there are times when covered entities and business associates may need to follow the breach notification provisions of the New York SHIELD Act rather than HIPAA. For instance, if you’re using a patient portal and login information is disclosed, that scenario would fall under this act.
That means that if private information rather than protected health information is disclosed, you must report the breach to the following:
- The State Attorney General
- State Police
- The Department of State
- Any affected Individuals
If a breach occurs impacting more than 5,000 residents of the state, the Consumer Protection Bureau must be notified as well. If a breach occurs that must be reported under HIPAA, you must report the breach to the state attorney general within 5 days of reporting to the Office for Civil Rights, even if private information isn’t involved.
Are You Confident in Your Ability to Comply with the New York SHIELD Act’s Breach Notification Requirements? If Not, Call (716) 216-0691. Buffalo Computer Help is the Top IT Services Company in Western New York.