July 2, 2020

Volume X, Number 184

Annual Breach Reporting Required Under NY SHIELD Act for Some Health Care Companies

As discussed in an earlier blog post, the New York state Stop Hacks and Improve Electronic Data Security Act (or “SHIELD Act”) was signed into law on July 25, 2019. A potential unintended side effect of the SHIELD Act may require health care companies to provide notification to the NY Attorney General for events that occurred well before its enforcement date. While the SHIELD Act’s data security requirements, which are covered under §4, will not come into effect until March 21, 2020, all other requirements, including the breach notification requirement, became effective on October 23, 2019. The notification enforcement date is important for any Covered Entity, as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), that has suffered a Breach, as defined by HIPAA, that involved fewer than 500 individuals (“Minor HHS Breach”), was a breach of computerized data, and involved a New York resident.

HIPAA requires Covered Entities to file a report detailing any Minor HHS Breach within sixty days after the end of the calendar year in which the breaches are discovered. The SHIELD Act requires that any Covered Entity required to provide notification of any breach to the Secretary of Health and Human Services (“HHS”) pursuant to HIPAA must also provide notification to the NY Attorney General within five business days thereafter. As drafted, this would apparently include notification of reports of breaches that involve non-electronic PHI. As a result, if such Minor HHS Breaches involved a New York resident, companies submitting their annual reports to HHS must provide notification of such reports to the New York Attorney General.

Any Covered Entity that submits an annual report to OCR for Minor HHS Breaches that involve New York residents has, at the latest, until March 6, 2020, to submit a notification of such reports to the New York Attorney General under the SHIELD Act. In the event such annual reports were submitted to HHS earlier than sixty calendar days from the end of the year, such notification requirement period may have already passed. Due to the interaction between HIPAA and the SHIELD Act reporting requirements, companies are required to submit a notification to the New York Attorney General for events that occurred more than eight months prior to the SHIELD Act’s enforcement date. While many companies tracking the SHIELD Act were aware of the October 23, 2019 breach requirement, the requirement that the New York Attorney General must be provided a template of the notice triggered by the HHS annual reporting requirements may come as a surprise.

It is also critical to note that entities that are required to report Minor HHS Breaches to NY regulators under the SHIELD Act should also be prepared for potential further inquiry from the NY regulators, who may be learning about such breaches that occurred prior to the Effective Date of the notification provisions under the SHIELD Act.

©2020 Epstein Becker & Green, P.C. All rights reserved. National Law Review, Volume X, Number 59


About this Author

Member

ARTHUR J. FRIED is a Member of the Firm in the Health Care and Life Sciences practice, in the firm's New York office. He represents all types of health care providers, including academic medical centers, hospitals, and faculty practices.

Mr. Fried:

  • Advises hospitals, academic medical centers, and other providers in such areas as strategic health system development, physician integration, health care reform, medical staff matters, and governance

  • Provides advice on...

212-351-4710
Member

Alaap B. Shah is a Member of the Firm in the Health Care and Life Sciences practice, in the firm's Washington, DC, office.

Mr. Shah:

  • Advises clients on federal and state privacy and data security laws and regulations
  • Advises on cybersecurity and data breach matters
  • Advises clients on health care fraud and abuse matters and government investigations relating to health information technology
  • Counsels clients on digital health and data strategies and related compliance issues

His work focuses on defense and counseling of health care entities on legal and regulatory compliance issues. He has extensive experience with legal issues related to health information technology, HIPAA, HITECH, anti-kickback laws, the False Claims Act, breach of contract issues, business torts, and a variety of unfair competition laws. He has established compliance programs, conducted privacy and security risk assessments, established trust networks, responded to data breaches, and managed e-discovery issues.

Mr. Shah is a Certified CSF Practitioner, a designation given by the Health Information Trust Alliance (HITRUST), an organization that provides training to develop and maintain effective security programs for health care and life sciences companies that comply with security laws, regulations, and standards, including HITECH, HIPAA, PCI, JCAHO, CMS, ISO, NIST, and various other federal, state, and business requirements. He is also recognized by the Healthcare Information and Management Systems Society (HIMSS) as a Certified Professional in Healthcare Information and Management Systems (CPHIMS).  Mr. Shah is also recognized by the International Association of Privacy Professionals (IAPP) as a Certified Information Privacy Professional in the United States.

Mr. Shah began his legal career at Epstein Becker Green. Before rejoining the firm in October 2017, he served as Senior Counsel and Chief Privacy and Security Officer at an oncology membership society where he strengthened enterprise-wide privacy and security, helped establish a big data initiative focused on improving quality of care by harnessing cancer patient medical information, and built data sharing trust networks among the oncology community.

During law school, Mr. Shah worked with the U.S. Department of Health and Human Services (DHHS), Office of General Counsel, where he provided legal counsel and support to all agencies and programs under the Public Health Division of DHHS. Prior to law school, Mr. Shah worked as a research technician at a cancer treatment and research institution in New York City, where he helped manage a laboratory and conducted cancer immunology research, and his contributions led to the publication of 13 journal articles.

202-861-5320
Member

PATRICIA M. WAGNER is a Member of the Firm in the Health Care and Life Sciences and Litigation practices, in the firm's Washington, DC, office. In 2014, Ms. Wagner was selected to the Washington DC Super Lawyers list in the area of Health Care.

Ms. Wagner's experience includes the following:

  • Advising clients on a variety of matters related to federal and state antitrust issues

  • Representing clients in antitrust matters in front of the Federal Trade Commission and the United States Department of...

202-861-4182
Associate

MATTHEW H. BERGER* is an Associate in the Health Care and Life Sciences practice, in the Washington, DC, office of Epstein Becker Green. A Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals, Mr. Berger has extensive experience in international data transfer standards and protocols, supply chain data vulnerabilities, and data breach management due to his work as a privacy professional supporting the U.S. Department of Energy’s Privacy Program and other federal agencies’ privacy programs and as a data privacy and...

202-861-1829