In addition to the breach notification process being updated, the NY HIPAA Law would also change the definition of personal information to include usernames and passwords or similar security requirements, such as security questions, in addition to PHI.
If healthcare organizations fail to ensure that they have the proper PHI security infrastructure in place, A10475 would set the maximum penalty levied against the liable party at $250,000, up from $100,000 under current legislation.
Given the trends in data breaches across the country, this revision to New York HIPAA regulation and PHI security legislation is especially timely considering the 113,000,000 patient records that were breached in 2015 alone. Covered entities and business associates that store PHI would be required to adhere strictly to A10475’s new security and notification measures.
The legislation states:
“In the event that any New York residents are to be notified, the person or business shall notify the state attorney general, the department of state and the office of information technology services as to the timing, content, and distribution of the notices approximate number of affected persons and provide a copy of the template of the notice sent to affected persons. Such notice shall be made without delaying notice to affected New York residents.”
Ideally, to prevent another 113,000,000 PHI records from being breached in 2016, A10475 would improve the efficiency with which New York handles HIPAA enforcement. Other bill requirements include new credit/debit card notification, and informing the general public of PHI security measures and data breach prevention procedures.
A10475, if passed, would be a progressive step toward greater security for PHI across the state. Breach notification measures have been changing across the country to protect patients’ data security and right to privacy. This bill is just the latest example of measures being put in place to keep PHI more secure.