The New York SHIELD Act And It’s Impact On Healthcare Organizations
2020 is finally here, and for most of us, that means it’s time to reflect on the past year and think about whether or not we accomplished our goals. If we didn’t, we typically resolve to do better in the coming days. What better time than now to start thinking about data security? As cybercrime is evolving at a rapid rate, it’s important to ensure you’re doing everything possible to protect your patients information. Chances are, you’re already concerned with HIPAA compliance. But this year, there’s a new data security law coming into effect, and those in the healthcare industry will need to pay special attention to it.
New York’s SHIELD Act Will Be Important for Healthcare Organizations, Even If They’re Already HIPAA Compliant.
New York’s SHIELD (Stop Hacks and Improve Electronic Data Security) Act comes into effect on March 21, 2020. Governor Cuomo, who signed the SHIELD act into law on July 15, 2019, expressed, “As technology seeps into practically every aspect of our daily lives, it’s increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure.”
He continued to review the importance of the new law, “The stark reality is security breaches are becoming more frequent, and with this legislation, New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data.”
Let’s Review Exactly What Changes Are Imposed Under the New York SHIELD Act…
The SHIELD Act focuses on ensuring companies better protect sensitive information belonging to residents of the state. The territory extends further than the state itself – requiring ALL businesses and healthcare organizations that store or access information belonging to residents of the state to ensure the proper safeguards are in place to protect that information. Under the SHIELD Act, the definition of a breach has been expanded to include any sort of unauthorized access to digitized data that may compromise the integrity, security, and confidentiality of private information
In addition, the definition of private information has been expanded to include the following:
- Social security numbers
- Credit or debit card numbers
- Driver’s license numbers
- Biometric information
- Username/email addresses with passwords
- Financial account numbers with or without security codes
If you’re HIPAA-compliant, you’re likely already compliant with the SHIELD Act. However, there are various elements of the bill that impact your healthcare organization. First and foremost, a distinction between private and health information is created – meaning private data refers to personal information, such as an identifiable link tied to social security numbers, debit card information, and other types of data. In addition, private information also refers to retinal scans or patient portals.
What does this mean? It means if a breach occurs wherein email addresses and passwords are breached, it falls under this law. The biggest impact on healthcare organizations is in regards to the new reporting requirements.
1. If a breach occurs and doesn’t involve electronic health information, but instead, involves private information, the healthcare organization must report the breach to the following:
- The State Attorney General
- The Department of State
- State Police
- Any Affected Individuals
2. If a breach occurs and impacts more than 5,000 residents of the state, the healthcare organization must report it to the Consumer Protection Bureau.
3. If a breach occurs that must be reported under HIPAA, even if private information isn’t involved, the healthcare organization must report the breach to the State Attorney General within 5 days after reporting the breach to the Office for Civil Rights.
Need help complying with the SHIELD act? Call (631) 203-6403. Ll Tech Advisors is the top healthcare IT services company in Long Island, NY and surrounding areas.
Like this article? Keep reading…