
September 4, 2019

The SHIELD Act: A Primer for Health and Human Services Providers

On July 25, 2019, the NY Stop Hacks and Improve Electronic Data Security (SHIELD) Act was signed into law. The SHIELD Act impacts all NY individuals and businesses that own or license computerized data that includes “private information” and amends and adds to existing provisions in the NY General Business Law to include expanded requirements for breach notification and data security protections. Health and human services providers should review and update their breach notification policies to ensure compliance with the law.

Expanding the Definition of “Private Information”

Under the SHIELD Act, NY individuals and businesses that own or license computerized data that includes “private information” must comply with breach requirements. The SHIELD Act expands the definition of “private information” to include:

1. Personal information[1] consisting of any information in combination with any one or more of the following data elements[2]:

  • An account number or credit or debit card number if circumstances exist where that number could be used to access an individual’s financial account without additional identifying information or a security code, access code, or password
  • Biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics used to authenticate or ascertain the individual’s identity (e.g., fingerprint, voice print, retina or iris image, or another unique physical representation or digital representation of biometric data)[3]

2. A username or email address in combination with a password or security question and an answer permitting access to an online account

Impact on Breach Notification Requirements

Under the NY General Business Law, a “breach” means unauthorized access to, acquisition of, or access to or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of private information maintained by a business. Under the SHIELD Act, if a breach notice is made to affected individuals under HIPAA, no additional notice to individuals is required under the SHIELD Act, but notice must be made to the State Attorney General, the Department of State, and the Division of State Police regarding the timing, content, and distribution of the notices and the approximate number of affected individuals. In addition, the business must provide a copy of the template of the notice sent to the affected individuals, and, if more than 5,000 NY residents need to be notified, the business must also notify consumer reporting agencies regarding the timing, content, and distribution of the notices and the approximate number of affected individuals.

Any covered entities required to provide a breach notification (including a breach of information that is not “private information” as defined above) to the Secretary of Health and Human Services Office of Civil Rights (HHS-OCR) pursuant to HIPAA must also notify the State Attorney General within five business days of notifying the HHS-OCR.

HIPAA-Compliant Entities: Automatically in Compliance With SHIELD Act Security Standards

Individuals and businesses that own or license computerized data that includes the “private information” of NY residents must implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information. Businesses subject to HIPAA are automatically in compliance with the SHIELD Act security standards if they are compliant with HIPAA’s Security Rule.

The SHIELD Act’s breach notification requirements take effect on October 23, 2019, and its data security requirements take effect on March 21, 2020. Moving forward, health care providers and entities that are covered entities or business associates regulated under HIPAA may need to comply with notification requirements under HIPAA and the SHIELD Act and should review and update their current breach notification policies to ensure compliance. Providers updating their breach notification policies should also reference our recent “DOH Implements New Notification Protocols for Cybersecurity Incidents” alert, which covers the DOH’s new notification protocols for informing it about cybersecurity incidents.

[1] “Personal information” means any information concerning a natural person which, because of the name, number, personal mark, or other identifier, can be used to identify that natural person.

[2] This applies only when the data element or the combination of personal information plus the data element is not encrypted or is encrypted with an encryption key that has not been accessed or acquired.

[3] The other categories of data elements that are already in place under the NY General Business Law Section 899-aa are:

  • Social security number
  • Driver’s license number or non-driver identification card number
  • Account number or credit or debit card number in combination with any required security code, access code, password, or other information that would permit access to an individual’s financial account

If you have any questions regarding the content of this alert, please contact Bridget Steele, associate, at bsteele@barclaydamon.com or another member of the firm’s health care or health and human services providers teams.
