As the March 21 deadline for the New York SHIELD Act draws closer, health care providers may be wondering: does their status as a covered entity under HIPAA, and its associated data security protections, automatically translate into compliance with the data security portions of SHIELD?

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act requires a comprehensive cybersecurity program and data breach notifications to take effect for virtually every business with clients or patients who reside in New York state. Failure to comply with SHIELD places businesses at risk for penalties.

Health care practices and hospitals are regulated entities under HIPAA and required to comply with the Privacy and Security Rules.  It’s likely health care entities do not need to take additional steps to align with the SHIELD Act.  However, a health care entity may have obligations under SHIELD that are different than under HIPAA; if, for example, the health care organization maintains a system with employee information that includes Social Security Numbers.  This system would not be governed by HIPAA if it only contains employee SSNs and no PHI.  In this instance, SHIELD would require protection of that particular system containing SSNs.

But if there’s any uncertainty or concern about your organization’s compliance with SHIELD, now is the time to take action and consult your legal advisor. It’s also an opportune time to listen to our recording of the SHIELD Act webinar: “Yield for SHIELD: Getting Compliant by March 2020.”