As a member of the healthcare community, HIPAA compliance is probably old news to you at this point. Been there, done that.
However, as technology continues to shape the professional world, and has a greater and greater effect on all industries (including healthcare), you need to be prepared for new regulatory measures to govern the way you protect private data.
Case in point – New York’s SHIELD (Stop Hacks and Improve Electronic Data Security) Act.
Signed into law on July 15, 2019, this legislation will take effect on March 21, 2020. It is designed to make sure that organizations do their due diligence to protect the private data they access that belongs to residents of New York state. This means implementing a range of cybersecurity safeguards, and, in the event of a failure, facing severe non-compliance fines.
“As technology seeps into practically every aspect of our daily lives, it’s increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure,” wrote Governor Andrew Cuomo in a press release at the time of the act’s signing. “The stark reality is security breaches are becoming more frequent, and with this legislation, New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data.”
Private data covered by the SHIELD Act include:
For the most part, if you’re HIPAA compliant, then you’re compliant with SHIELD as well, at least in terms of electronic protected health information (ePHI). The important point to understand is that SHIELD extends protection to other types of patient data that HIPAA doesn’t take into account.
First and foremost, it is necessary to understand the distinction between private information and health information: private data refers to personal information, such as an identifier linked to a Social Security number, debit card information, or other types of data.
In the event of a breach, you must follow SHIELD’s reporting requirements according to the type of data exposed:
Before the implementation of the NY SHIELD Act, failing to notify could bring a fine of $5,000 or $10 per instance, whichever figure was higher, up to a total of $150,000.
Under the NY SHIELD Act, these fines increase to $20 per incident, with a maximum of $250,000. In addition, the period during which you can be fined extends from two years to three years after an incident.
Need a hand assessing your SHIELD (or HIPAA) compliance? Don’t worry, it’s OK to ask for help, especially when the stakes are this high. You can partner with PNJ Technology Partners to have your compliance practices double-checked and supported by the right technology.