January 27, 2021

Volume XI, Number 27



Annual Breach Reporting Required Under NY SHIELD Act for Some Health Care Companies

As discussed in an earlier blog post, the New York state Stop Hacks and Improve Electronic Data Security Act (or “SHIELD Act”) was signed into law on July 25, 2019. A potential unintended side effect of the SHIELD Act may require health care companies to provide notification to the NY Attorney General for events that occurred well before its enforcement date. While the SHIELD Act’s data security requirements, which are covered under §4, will not come into effect until March 21, 2020, all other requirements, including the breach notification requirement, became effective on October 23, 2019. The notification enforcement date is important for any Covered Entity, as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), that has suffered a Breach, as defined by HIPAA, that involved fewer than 500 individuals (“Minor HHS Breach”), was a breach of computerized data, and involved a New York resident.

HIPAA requires Covered Entities to file a report detailing any Minor HHS Breach within sixty days after the end of the calendar year in which the breaches are discovered. The SHIELD Act requires that any Covered Entity required to provide notification of any breach to the Secretary of Health and Human Services (“HHS”) pursuant to HIPAA must also provide notification to the NY Attorney General within five business days thereafter. As drafted, this would apparently include notification of reports of breaches that involve non-electronic PHI. As a result, if such Minor HHS Breaches involved a New York resident, companies submitting their annual reports to HHS must provide notification of such reports to the New York Attorney General.

Any Covered Entity that submits an annual report to OCR for Minor HHS Breaches that involve New York residents has, at the latest, until March 6, 2020, to submit a notification of such reports to the New York Attorney General under the SHIELD Act. In the event such annual reports were submitted to HHS earlier than sixty calendar days from the end of the year, such notification requirement period may have already passed. Due to the interaction between HIPAA and the SHIELD Act reporting requirements, companies are required to submit a notification to the New York Attorney General for events that occurred more than eight months prior to the SHIELD Act’s enforcement date. While many companies tracking the SHIELD Act were aware of the October 23, 2019 breach requirement, the requirement that the New York Attorney General must be provided a template of the notice triggered by the HHS annual reporting requirements may come as a surprise.

It is also critical to note that entities that are required to report Minor HHS Breaches to NY regulators under the SHIELD Act should also be prepared for potential further inquiry from the NY regulators, who may be learning about such breaches that occurred prior to the Effective Date of the notification provisions under the SHIELD Act.

©2020 Epstein Becker & Green, P.C. All rights reserved. National Law Review, Volume X, Number 59



About this Author


ARTHUR J. FRIED is a Member of the Firm in the Health Care and Life Sciences practice, in the firm's New York office. He represents all types of health care providers, including academic medical centers, hospitals, and faculty practices.

Mr. Fried:

  • Advises hospitals, academic medical centers, and other providers in such areas as strategic health system development, physician integration, health care reform, medical staff matters, and governance

  • Provides advice on...


Alaap B. Shah is a Member of the Firm in the Health Care and Life Sciences practice, in the firm's Washington, DC, office.

Mr. Shah:

  • Advises clients on federal and state privacy and data security laws and regulations
  • Advises on cybersecurity and data breach matters
  • Advises clients on health care fraud and abuse matters and government investigations relating to health information technology
  • Counsels clients on digital health and data strategies and related compliance issues

His work focuses on defense and counseling...


PATRICIA M. WAGNER is a Member of the Firm in the Health Care and Life Sciences and Litigation practices, in the firm's Washington, DC, office. In 2014, Ms. Wagner was selected to the Washington DC Super Lawyers list in the area of Health Care.

Ms. Wagner's experience includes the following:

  • Advising clients on a variety of matters related to federal and state antitrust issues

  • Representing clients in antitrust matters in front of the Federal Trade Commission and the United States Department of...


MATTHEW H. BERGER* is an Associate in the Health Care and Life Sciences practice, in the Washington, DC, office of Epstein Becker Green. A Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals, Mr. Berger has extensive experience in international data transfer standards and protocols, supply chain data vulnerabilities, and data breach management due to his work as a privacy professional supporting the U.S. Department of Energy’s Privacy Program and other federal agencies’ privacy programs and as a data privacy and...