In July 2019, the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act was signed into law. The New York SHIELD Act expanded the breach notification requirements for businesses that collect the personal information of New York residents and added a new set of data security requirements. The data security provisions of the New York SHIELD Act take effect on March 21, 2020.
The Act relaxes, but does not waive, those requirements for small businesses, defined as businesses with fewer than 50 employees, businesses with less than $3 million in gross revenues in each of the past three fiscal years, or businesses with less than $5 million in year-end total assets. A small business may scale its data security program according to its size and complexity, the nature and scope of its business activities, and the sensitivity of the personal information it collects.
For most HIPAA-covered entities, compliance will be relatively straightforward. Entities subject to, and in compliance with, the Health Insurance Portability and Accountability Act (HIPAA) are deemed to be in compliance with the data security requirements of the New York SHIELD Act.
New York SHIELD Act Requirements for HIPAA Covered Entities
Compliance with HIPAA does not by itself guarantee compliance with the New York SHIELD Act. While there is considerable overlap, the New York SHIELD Act covers data types that HIPAA does not. HIPAA-covered entities that collect the personal information of New York State residents will need to ensure they are in compliance with the Act’s data security provisions for those additional data types.
One notable example of where the SHIELD Act applies and HIPAA does not is information technology systems that contain employee data but no protected health information, such as employees’ Social Security numbers or driver’s license numbers. That data is not covered by HIPAA, but the SHIELD Act still requires reasonable administrative, technical, and physical safeguards to be implemented to protect it. The data security provisions of the SHIELD Act are detailed below.