What Does The NY SHIELD Act Mean For Your Medical Practice?

As a member of the healthcare community, you probably regard HIPAA compliance as old news at this point. Been there, done that.

However, as technology continues to shape the professional world and has a greater and greater effect on every industry (including healthcare), you need to be prepared for new regulatory measures governing the way you protect private data.

Case in point – New York’s SHIELD (Stop Hacks and Improve Electronic Data Security) Act.

The NY SHIELD Act And Your Medical Practice

What Is The SHIELD Act?

Signed into law on July 15, 2019, this legislation will take effect on March 21, 2020. It is designed to make sure that organizations do their due diligence to protect the private data they access that belongs to residents of New York state. This means implementing a range of cybersecurity safeguards, and, in the event of a failure, facing severe non-compliance fines.

“As technology seeps into practically every aspect of our daily lives, it’s increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure,” wrote Governor Andrew Cuomo in a press release at the time of the act’s signing. “The stark reality is security breaches are becoming more frequent, and with this legislation, New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data.”

What Does The SHIELD Act Protect?

Private data covered by the SHIELD Act includes:

  • Social security numbers
  • Credit or debit card numbers
  • Driver’s license numbers
  • Biometric information
  • Usernames or email addresses combined with passwords
  • Financial account numbers with or without security codes

Does The SHIELD Act Overlap With HIPAA?

For the most part, yes – if you’re HIPAA compliant, then you’re compliant with SHIELD as well, at least in terms of electronic protected health information (ePHI). The important point to understand is that SHIELD extends the protection to other types of patient data that HIPAA doesn’t take into account.

First and foremost, you need to understand the distinction between private information and health information: private data refers to personal information, such as an identifier linked to a social security number, debit card information, or other types of data.

What Happens If You Experience A Breach?

In the event of a breach, you must follow SHIELD’s reporting requirements according to the type of data exposed:

  • If no ePHI is affected by the breach, you must report the event to:
    • The State Attorney General
    • The Department of State
    • State Police
    • Any affected individuals
  • If the breach affects more than 5,000 New York state residents, you must report the event to the Consumer Protection Bureau
  • If the breach affects ePHI and triggers HIPAA-based reporting requirements, you must also report the event to the State Attorney General within five days of reporting to the Office for Civil Rights.

How Severe Are Noncompliance Fines?

Before the implementation of the NY SHIELD Act, failing to notify could cost you a fine of $5,000 or $10 per instance, whichever figure was higher, up to a total of $150,000.

Under the NY SHIELD Act, these fines increase to $20 per incident, with a maximum of $250,000. In addition, you can face a fine up to three years after an incident rather than two years.

Need Expert Assistance With SHIELD Compliance?

Need a hand assessing your SHIELD (or HIPAA) compliance? Don’t worry; it’s OK to ask for help, especially when the stakes are this big. You can partner with PNJ Technology Partners to have your compliance practices double-checked and supported by the right technology.

Contact us to get started, or call us at (518) 459-6712.