Pending data breach legislation in New York would redefine unsecured PHI as personal information, affecting breach notification and data security measures across the state.
Bill A10475 has the potential to change the future of protected health information (PHI) security in New York state. The NY HIPAA law is set to incorporate individually identifiable health information and associated PHI into its definition of personal information.
The proposed New York Data Breach Notification Law, if passed, would require covered entities and business associates to immediately notify clients of any breach of unsecured PHI. The bill is meant to update breach notification requirements and procedures so that patients can receive immediate notification in the event of a breach.
Besides updating the breach notification process, the NY HIPAA Law would also change the definition of personal information to include, alongside PHI, usernames and passwords or similar security requirements, such as security questions.
If healthcare organizations fail to ensure that they have the proper PHI security infrastructure in place, A10475 would ensure that a penalty of at most $250,000 be levied against the liable party, up from $100,000 under current legislation.
Given the trends in data breaches across the country, including the 113,000,000 patient records that were breached in 2015 alone, this revision to New York HIPAA regulation and PHI security legislation is especially timely. Covered entities and business associates that store PHI would be held responsible for strictly adhering to A10475’s new security and notification measures.
“In the event that any New York residents are to be notified, the person or business shall notify the state attorney general, the department of state and the office of information technology services as to the timing, content, and distribution of the notices and approximate number of affected persons and provide a copy of the template of the notice sent to affected persons. Such notice shall be made without delaying notice to affected New York residents.”
Ideally, to prevent another 113,000,000 breaches of PHI from occurring in 2016, A10475 would improve efficiency in the way that New York deals with HIPAA enforcement. Other bill requirements include new credit/debit card notification and informing the general public of PHI security measures and data breach prevention procedures.
A10475, if passed, would be a progressive step toward greater security for PHI across the state. Breach notification measures have been changing across the country to protect patients’ data security and right to privacy. This bill is just the latest example of measures being put in place to keep PHI more secure.