Complying With New York's SHIELD ActJon Moore of Clearwater Explains What Healthcare Organizations Need to Know
What should healthcare organizations know about complying with the breach notification and data security requirements of New York's SHIELD Act? And how does the new law compare with HIPAA? Jon Moore, chief risk officer at consulting firm Clearwater, explains.
The Stop Hacks and Improve Electronic Data Security (SHIELD) Act broadens the state's breach notification law and requires that businesses put into place safeguards to protect the security, confidentiality and integrity of "private information."
The law's tough breach notification requirements take effect on Oct. 23, and the data security provisions will kick in on March 21, 2020.
Some of the requirements of the SHIELD Act and HIPAA overlap, requiring a careful analysis, Moore explains in an in-depth interview with Information Security Media Group.
Although the SHIELD Act deals with requirements for protecting "private information" that does not include healthcare-specific data, many healthcare providers handle the types of information described in the New York legislation, he points out.
"So, for instance, if I'm healthcare provider that has a patient portal, and I have a compromise of that portal that reveals login information like passwords and usernames, that would be included under 'private information' under the SHIELD Act," he says.
In the interview (see audio link below photo), Moore discusses:
- Examples of breach scenarios under the SHIELD Act that would require breach notification reporting by a HIPAA covered entity or business associate;
- How compliance with the HIPAA Security Rule helps an organization comply with the data security requirements of the SHIELD Act;
- How the SHIELD Act compares with other privacy and security laws, including the California Consumer Privacy Act and the European Union's General Data Protection Regulation.
Moore joined security and privacy risk management consulting firm Clearwater in April 2018 as senior vice president and chief risk officer. He previously worked at PriceWaterhouseCoopers, where he led the firm's federal healthcare practice.