On October 23, 2019, the Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act goes into effect and significantly modifies the existing New York State breach notification requirements. Among the changes is a new requirement for covered entities (e.g., all health care providers and health plans) to report HIPAA breaches to the New York State Attorney General, in addition to the Federal Department of Health and Human Services, Office for Civil Rights (“OCR”). Other significant provisions of the SHIELD Act include the following:
- The definition of “private information,” which triggers notification and reporting obligations, is expanded to include, among other things, credit/debit card numbers (even if a password is not involved), biometric information, and email addresses in conjunction with passwords.
- Additional information must be included in breach notification letters (i.e., contact information for the relevant state agencies).
- A new exception allows entities to avoid certain notification and reporting obligations if they can document that a potential breach was an inadvertent disclosure and that individuals are unlikely to be harmed.
- Entities not already subject to information security laws (e.g., HIPAA, Gramm-Leach-Bliley Act) are required to implement information security programs.
- At the very least, the SHIELD Act will require New York entities to: (1) evaluate their security incident response protocols to include the new requirements; (2) implement information security programs if they are not already subject to information security laws; and (3) report HIPAA breaches (even if no “private information” is involved) to the New York State Attorney General within five (5) days of making a report to the OCR.
If you have any questions about this alert, please contact a member of our Hospital and Physician Practice Group or the Garfunkel Wild attorney with whom you regularly work.