Be Prepared for New York SHIELD Act Data Security Mandates
Companies doing business in New York need to make sure their cybersecurity solutions comply with the SHIELD Act. Learn how to protect your data
New York’s recently enacted SHIELD Act amends the state’s existing data breach notification law, broadens the definition of private consumer data that it protects, adds a new requirement to maintain reasonable data security safeguards, and strengthens accountability for businesses that fail to comply.
For businesses that must also comply with HIPAA (the Health Insurance Portability and Accountability Act), the new New York mandate means additional regulatory scrutiny. It is even more important for such companies to build robust data security programs to avoid costly penalties.
What Is the New York SHIELD Act?
Gov. Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Security Act in July 2019. It expands on existing privacy laws in the following ways:
- The law’s data security and breach notification requirements apply to any person or business that owns or licenses computerized data containing the private information of New York residents, whether or not it does business in the state
- There’s a new definition of a security breach. Notifications are now triggered when an unauthorized party merely accesses private information; previously, notification was required only when an unauthorized party actually acquired the data. A breach is now defined as unauthorized access to or acquisition of computerized data that compromises the security, confidentiality or integrity of private information maintained by a business
- More data elements are covered. The law’s definition of private information now includes: account numbers (including bank account, credit card and debit card numbers) together with any security or access code that would permit access to the account, or alone where the number can be used to access the account without further information; biometric data such as fingerprints, voiceprints and retina, iris or facial-recognition images; driver’s license numbers or other government ID numbers; Social Security numbers; and a username or email address in combination with a password or with a security question and answer that would permit access to an online account
- The encryption status of the data matters. Private information is covered when the data elements are unencrypted, or when they are encrypted but the encryption key has also been accessed or acquired by the unauthorized party; properly encrypted data whose key remains protected is not treated as private information for breach purposes
How Does the SHIELD Act Interact with HIPAA?
The SHIELD Act is intertwined with HIPAA reporting requirements. When a breach of protected health information occurs, HIPAA requires the covered entity to report the incident to the Secretary of Health and Human Services and to the affected individuals. Under the SHIELD Act, a HIPAA-covered entity that reports a breach to HHS must also notify the New York State Attorney General within five business days of notifying HHS. Because the affected individuals have already been notified under HIPAA, the SHIELD Act does not require a second, separate notice to them.
How Do HIPAA and SHIELD Differ?
There are also some situations, due to the different definitions of data elements affected by the law, where HIPAA triggers a consumer notification but SHIELD does not.
HIPAA treats protected health information (PHI) far more broadly. Among the identifiers that, if breached, can trigger a HIPAA notification are certificate and license numbers, dates, device identifiers and serial numbers, full-face photographs, geographic information, health plan beneficiary numbers, IP addresses, medical record numbers, telephone numbers, vehicle identifiers and license plate numbers, and web URLs. None of these data elements appears in the SHIELD Act’s definition of private information.
For example, if customer medical device numbers, stored IP addresses of website visitors and dates visited or purchased are stolen, HIPAA guidelines would mandate a report to HHS but SHIELD guidelines would not apply.
What Is Contained in a SHIELD Act Notification?
If a company discovers a breach affecting New York residents, it must notify them. The notice must include contact information for the person or business sending the notification, the phone numbers and websites of the relevant state and federal agencies that provide guidance on responding to security breaches, preventing identity theft and protecting against it, and a description of the categories of information that were, or are reasonably believed to have been, accessed or acquired. The company must also notify the State Attorney General, the Department of State and the Division of State Police of the timing, content and distribution of the notices and the approximate number of affected people.
What Security Is Required Under the Shield Act?
Effective March 21, 2020, businesses must deploy certain data security protections to comply with SHIELD, including:
- Administrative safeguards, including designating one or more employees to coordinate the security program, identifying reasonably foreseeable internal and external risks, training the workforce in security practices, and selecting service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract
- Technical safeguards that assess risks in network and software design and in data processing, transmission and storage; detect, prevent and respond to attacks and system failures; and regularly test and monitor the effectiveness of key controls, systems and procedures
- Physical safeguards that assess the risks of information storage and disposal; detect, prevent and respond to intrusions; protect against unauthorized access to or use of private information during and after its collection, transport, destruction or disposal; and dispose of private information within a reasonable time after it is no longer needed for business purposes
Note that businesses already in compliance with HIPAA’s privacy and security rules are deemed covered for SHIELD, too.
At Atlantic IT, we help businesses in New York, New Jersey, Pennsylvania and nationwide with IT assessments, managed security solutions and IT planning. If your business is affected by HIPAA or SHIELD regulations, contact us today to learn how Atlantic IT can keep critical data safe.