Trusiak Law - Buffalo Attorney, HERO act, HIPAA Law


Word Of Caution To HIPAA Hybrid Covered Entities: NYS Shield Act Amends NYS Breach Notification Law, Adds Data Security Requirements, Imposes Data Security Obligations For Hybrid Covered Entities

Changes to the existing data breach notification law (General Business Law, Article 39-F, Section 899-aa) will be effective October 23, 2019 and include:

  • Expanding the definition of the "private information" protected by the data breach law;
  • Expanding the definition of a "breach" to include not just unauthorized "acquisition" of private information but also unauthorized "access" to private information;
  • Extending the applicability of the data breach law to any "person or business," whether or not it conducts business in New York, that owns or licenses private information of a New York resident;
  • If a "covered entity" under the Health Insurance Portability and Accountability Act ("HIPAA") is required to provide notification of a breach to the U.S. Secretary of Health and Human Services ("HHS"), the covered entity must also notify the New York Attorney General of the breach within five business days of notifying HHS;
  • Requiring that breach notices include the telephone numbers and websites of the relevant New York and federal agencies that provide information on security breach response and identity theft prevention.

It is important to recognize that the SHIELD Act is subordinate to HIPAA: a HIPAA covered entity that complies with HIPAA's breach notification requirements satisfies the SHIELD Act's notice requirement, subject to the Attorney General notification described above. If a HIPAA covered entity is a hybrid entity, however, the SHIELD Act's obligations may apply directly to its non-HIPAA-covered programs, which do not get the benefit of that deemed compliance.

Further, the SHIELD Act added "Data Security Protections" in a new Section 899-bb of the General Business Law that becomes effective March 21, 2020.

"Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data."

These "reasonable safeguards" require any person or business to either (a) be in compliance with another applicable cybersecurity regime, such as the Gramm-Leach-Bliley Act, HIPAA, or the Cybersecurity Requirements for Financial Services Companies promulgated by the New York Department of Financial Services (23 NYCRR Part 500), in which case the business is deemed compliant with Section 899-bb, or (b) implement a "data security program" that includes reasonable administrative, technical and physical safeguards. For a hybrid entity, option (a) covers only the programs actually subject to HIPAA; the remaining programs must satisfy option (b) on their own.

The text of the SHIELD Act may be read in full at https://legislation.nysenate.gov/pdf/bills/2017/s6933b.

Trusiak Law can assist you in implementing measures to comply with the SHIELD Act. That work is done under attorney-client privilege to protect you.
