Healthcare Law Alert: What Healthcare Providers Need to Know About the Shield Act

On July 25, 2019, Governor Cuomo signed into law S. 5575, otherwise known as the Shield Act. The goal of the Act in large part is to revise and strengthen already existing New York cybersecurity laws, affecting a wide variety of New York business entities, including healthcare providers.

The Act revises and extends New York’s breach law, General Obligations Law § 899-aa. Significant changes include revisions to the definition of “private information” to include “biometric” data and additional reporting requirements to the New York State Attorney General. Among other changes, a breach will now also include any unauthorized “access” to private information. Previously, a breach was only reportable under New York law for “acquisition” of private information. This change is likely aimed at ransomware attacks, given that “access” is defined to include things such as viewing, communicating with, or altering private information.

Importantly for healthcare providers, and specifically HIPAA Covered Entities, the Shield Act will require a Covered Entity to provide notice to the Attorney General of any HIPAA breach regardless of whether the breach includes any “private information”. Notice to the Attorney General will need to be provided within 5 business days of any notice provided to the federal Office of Civil Rights. Notices to individuals impacted by a breach will also need to include contact information for state and federal agencies that provide information regarding security breach response and identity theft protection.

Healthcare providers may breathe a sigh of relief when it comes to implementing any additional administrative, technical, or physical safeguards. While the Act adds new obligations for business entities to implement “reasonable” security measures, HIPAA-compliant entities will be deemed compliant with the Shield Act’s reasonable security requirement.

The Shield Act becomes law 90 days after the Governor’s signature, but businesses will have 240 days to establish compliance with the Shield Act’s data security protections.
Visit our Healthcare Practice Area to learn more about the legal services we can provide. If you have any questions or would like more information on the issues discussed in this communication, please contact Mary Miner or Andriy Troyanovych, or any member of our Healthcare Practice Area.

This communication is for informational purposes and is not intended as legal advice.