New York State Set to Impose New Health Data Security Breach Rules

Oct. 13, 2019
As of October 23, New York State will implement changes to its breach notification law that require companies to notify the state of health data or biometric security breaches.

As an October 8 report in Bloomberg Law online notes, “Businesses hit with a biometric or health data security breach could face heightened scrutiny from New York’s attorney general under changes to the state’s notification law, privacy attorneys said. As of Oct. 23, companies whose customers include New York residents must alert Attorney General Letitia James (D) to such breaches under the New York SHIELD Act. Companies that collect health data will now have to report data breaches to the New York attorney general, in addition to federal authorities,” Daniel R. Stoller, Bloomberg Law’s chief legal editor reported.

As Stoller noted, “James’ office has been aggressive in probing data breaches, including recent investigations into Equifax Inc., Dunkin Donuts Inc., and Capital One Financial Corp. The state’s top cop is unlikely to let up on this pressure and may use the new data breach notice law to go after more companies for data breach notice failures, privacy attorneys said. Representatives for the New York Attorney General’s Office didn’t immediately respond to requests for comment.”

Further, Stoller wrote, “Privacy attorneys say businesses should revisit their data breach response plans and those collecting biometric or health information should carefully secure this data to limit state attorneys general enforcement risk. Under the SHIELD Act, companies must notify James following a data breach for a wide group of sensitive data, including Social Security numbers and driver’s license data. The increased transparency is likely to lead to more enforcement actions for companies that don’t do enough to protect biometric or health, privacy attorneys said. Companies also must adopt reasonable security measures by March 2020, among other new rules.”

And Stoller quoted Joseph J. Lazzarotti, a privacy principal at Jackson Lewis in New Jersey, who told him that businesses that have good processes and perform due diligence should face minimal regular risk, as they’ll be better prepared for any post-breach enforcement investigations.
