Annual Breach Reporting Required Under NY SHIELD Act for Some Health Care Companies
As discussed in an earlier blog post, the New York state Stop Hacks and Improve Electronic Data Security Act (or “SHIELD Act”) was signed into law on July 25, 2019. A potential unintended side effect of the SHIELD Act may require health care companies to provide notification to the NY Attorney General for events that occurred well before its enforcement date. While the SHIELD Act’s data security requirements, which are covered under §4, will not come into effect until March 21, 2020, all other requirements, including the breach notification requirement, became effective on October 23, 2019. The notification enforcement date is important for any Covered Entity, as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), that has suffered a Breach, as defined by HIPAA, that involved fewer than 500 individuals (“Minor HHS Breach”), was a breach of computerized data, and involved a New York resident.
HIPAA requires Covered Entities to file a report detailing any Minor HHS Breach within sixty days after the end of the calendar year in which the breaches are discovered. The SHIELD Act requires that any Covered Entity required to provide notification of any breach to the Secretary of Health and Human Services (“HHS”) pursuant to HIPAA must also provide notification to the NY Attorney General within five business days thereafter. As drafted, this would apparently include notification of reports of breaches that involve non-electronic PHI. As a result, if such Minor HHS Breaches involved a New York resident, companies submitting their annual reports to HHS must provide notification of such reports to the New York Attorney General.
Any Covered Entity that submits an annual report to OCR for Minor HHS Breaches that involve New York residents has, at the latest, until March 6, 2020, to submit a notification of such reports to the New York Attorney General under the SHIELD Act. If such annual reports were submitted to HHS earlier than sixty calendar days after the end of the year, the period for that notification may have already passed. Due to the interaction between the HIPAA and SHIELD Act reporting requirements, companies are required to submit a notification to the New York Attorney General for events that occurred more than eight months prior to the SHIELD Act’s enforcement date. While many companies tracking the SHIELD Act were aware of the October 23, 2019 breach requirement, the requirement that the New York Attorney General must be provided a template of the notice triggered by the HHS annual reporting requirements may come as a surprise.
It is also critical to note that entities that are required to report Minor HHS Breaches to NY regulators under the SHIELD Act should also be prepared for potential further inquiry from the NY regulators, who may be learning about such breaches that occurred prior to the Effective Date of the notification provisions under the SHIELD Act.