The New York SHIELD Act and Healthcare
At this point, we’re well into 2020, and for most of us that means looking back on how we’ve done over the past year and how we plan to do better. So what better time than now to think about our data security and compliance efforts, especially considering there’s a new data security law coming into effect? If you think you’re already covered under HIPAA rules and regulations, think again. The New York SHIELD (Stop Hacks and Improve Electronic Data Security) Act impacts covered entities and business associates more than many of them realize. First, let’s look at what the New York SHIELD Act actually is.
A Look at the New York SHIELD Act…
Governor Cuomo signed the New York SHIELD Act into effect on July 15, 2019. The law’s breach notification requirements already took effect on October 23, 2019, while the data security provisions will take effect on March 21, 2020. Cuomo said, “as technology seeps into practically every aspect of our daily lives, it’s increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure.”
He went on to stress the importance of proper data security measures: “the stark reality is security breaches are becoming more frequent, and with this legislation, New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data.”
How Does the New York SHIELD Act Impact Businesses?
The New York SHIELD Act impacts any and all businesses storing or accessing information belonging to residents of the state, even if those businesses reside in another state. The following breach notification and data security requirements must be kept in mind:
- All businesses are required to implement a data security program that incorporates risk assessments, employee training, incident response planning and testing, and more.
- All businesses must alert any affected individuals in the event of an unintentional or intentional disclosure of private information without reasonable delay.
Essentially, the first point refers to the data security provisions that take effect on March 21, 2020, under which businesses must ensure they have the proper administrative, technical, and physical safeguards in place to protect private information. The second point refers to the breach notification requirements that have already taken effect, under which businesses must report any instance of private information disclosure as soon as possible.
How Do the Breach Notification Requirements Impact Covered Entities and Business Associates?
Chances are, covered entities and business associates that are compliant with HIPAA already have the proper administrative, technical, and physical safeguards in place, but what about the breach notification requirements? How do they impact those in the healthcare industry? Essentially, most healthcare providers now handle private information that falls under this law.
For instance, if you’re using a patient portal and login information, such as usernames and passwords, is disclosed, that scenario would fall under this act. Here is how covered entities and business associates are expected to respond:
1. If a breach occurs that involves private information rather than protected health information, the healthcare organization must report the breach to the following:
- The State Attorney General
- State Police
- The Department of State
- Any affected individuals
2. If a breach occurs impacting more than 5,000 residents of the state, the healthcare organization must report the breach to the Consumer Protection Bureau.
3. If a breach occurs that must be reported under HIPAA, the healthcare organization must report the breach to the State Attorney General within 5 days of reporting the breach to the Office for Civil Rights, even if private information isn’t involved.
Have You Reviewed Your Safeguards Yet? Are You Comfortable and Prepared in Terms of the Breach Notification Requirements? If Not, Call (716) 601-3524.
Why get in touch with Globalquest? Simple: we’ve been helping healthcare organizations throughout Western New York stay compliant and safe against cybercrime since 2014. Why not get in touch with us ahead of time so you’re prepared to remain compliant and keep private information safe BEFORE something happens?