What is HIPAA Law NY?
While HIPAA law applies at a federal level, states are also permitted to develop privacy laws that are more stringent than the HIPAA Privacy Rule. Many states have developed such laws. The state of New York is one such state that has a series of more stringent laws than the HIPAA Privacy Rule. New York state HIPAA law (or HIPAA law NY as it will be referred to throughout) is explained in detail below.
HIPAA Law NY and the New York State Mental Hygiene Law
The New York Mental Hygiene Law regulates mental health providers’ use and disclosure of confidential mental health information. This regulation is more stringent than HIPAA in several aspects.
Under HIPAA, protected health information (PHI) may be disclosed in a judicial or administrative proceeding if the request is made under a court order or attorney-issued subpoena. A subpoena seeking medical records can be issued without a court order by the attorney for one party to another party.
The New York mental hygiene law is more stringent than HIPAA as to when PHI may be disclosed in a judicial or administrative proceeding. Under HIPAA law NY, a court order is required to disclose mental health information. A subpoena will not suffice. This aspect of HIPAA law NY aims to protect patient privacy by requiring that a court review a request for medical records before ordering production of the records.
Under HIPAA, a provider may generally disclose PHI to law enforcement when required by law, under a court order or subpoena. This means that law enforcement need not necessarily seek a court order to obtain PHI. HIPAA law NY is more stringent. Under New York law, disclosure of mental health information requires a court order.
In addition, HIPAA permits law enforcement to subpoena any PHI that is needed to identify or locate a suspect, fugitive, material witness, or missing person. HIPAA law NY, by contrast, only allows disclosure of “identifying data concerning hospitalization,” a very narrow category of PHI, in response to a law enforcement need to identify or locate these individuals. The same is true for law enforcement requests for information about crime victims. HIPAA permits law enforcement to subpoena any PHI needed to meet this request. However, under the more stringent New York mental hygiene law, the only PHI that may be disclosed for this purpose is limited to “identifying data concerning hospitalization.”
HIPAA Law NY and the New York Right of Access Rule
Under the HIPAA right of access rule, providers must permit patients to inspect and obtain copies of their medical records. A provider has 30 days to grant the requested access or to provide the requested copies. HIPAA law NY on the right of access is considerably more stringent. Under New York law, a patient is generally entitled to review all information concerning or relating to their treatment.
Once a patient requests an inspection of their medical records, a physician or healthcare facility has 10 days to provide the patient with an opportunity to inspect them. New York law requires that providers act on requests for copies of medical records within a reasonable time. The New York State Health Department considers 10 to 14 days to be a reasonable time in which a provider should respond to a request for copies.
HIPAA Law NY and Parental Access to a Child’s Medical Information
Under HIPAA, a provider may refuse to let a parent access their child’s medical information if the provider has a reasonable belief that the child has been or may be subjected to domestic violence, abuse, neglect by the parent, or if disclosure could endanger the child. The provider can refuse to give access to the parent if the provider, in the exercise of professional judgment, decides that disclosure is not in the child’s best interest. HIPAA law NY imposes an even more stringent rule to protect child medical information from parental access. Under New York law, a provider may deny access to the parent for any one of these three reasons:
- The provider determines that the disclosure would have a detrimental effect on the provider’s relationship with the child;
- The provider determines that the disclosure would have a detrimental effect on the care or treatment of the child; or
- The provider determines that the disclosure would have a detrimental effect on the child’s relationship with their parents.
NY SHIELD Act
The New York SHIELD (Stop Hacks and Improve Electronic Security) Act amended New York data breach notification and cybersecurity laws.
NY SHIELD Act Data Security Provisions
The NY SHIELD Act also imposed new data security protections. The NY SHIELD Act Data Security Provisions require that businesses implement administrative, technical, and physical safeguards to protect information (similar to HIPAA’s safeguard requirements).
- Administrative: designate one or more employees to coordinate the security program; identify reasonably foreseeable risks and assess existing safeguards (security risk assessment); conduct workforce cybersecurity training; and select service providers that can maintain appropriate safeguards and require those safeguards by contract (business associate agreement).
- Technical: assess risks in network and software design, risks in information processing, transmission, and storage; detect, prevent, and respond to attacks or system failures; and regularly test and monitor the effectiveness of critical controls, systems, and procedures.
- Physical: assess risks of information storage and disposal; detect, prevent, and respond to intrusions; protect against unauthorized access to or use of private information during or after collection, transportation, destruction, or disposal of the information; and dispose of private information within a reasonable amount of time.
New York Data Breach Notification Law
Under the NY SHIELD Act, healthcare organizations must report breaches of personal information, private information, and data elements.
- Personal Information: any information concerning a person which, because of name, number, personal mark, or another identifier, can be used to identify that person.
- Private Information: personal information that consists of any information in combination with one or more data elements, when either the data element or the combination of personal information plus the data element is not encrypted; or when the data element, or the combination of personal information plus the data element, is encrypted with an encryption key that has been accessed or acquired.
- Data Element: Social Security numbers, driver’s license numbers, non-driver identification card numbers, bank account numbers, credit card numbers, and debit card numbers, combined with any required security code, access code, or password that would permit access to an individual’s financial account.
The New York Data Breach Notification Law imposes stricter reporting requirements than HIPAA. Where HIPAA requires notification of a breach to the Secretary of Health and Human Services and affected individuals, the breaching entity, under the SHIELD law, must also notify the New York State Attorney General of the breach, within 5 business days of notifying HHS. In other words, in this circumstance, the New York SHIELD Act AND HIPAA both require HHS to be notified.
If any New York residents are to be notified, the person or business must inform the New York State Attorney General, the department of state, and the division of state police as to the timing, content, and distribution of the notices and the approximate number of affected people. It must provide a copy of the notice template sent to affected individuals. Such notice must be made without delaying notice to affected New York residents.
If more than five thousand New York residents are to be notified at one time, the person or business must also notify consumer reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals. Such notice must be made without delaying notice to affected New York residents.
HIPAA Form New York
A HIPAA Form in New York is required under certain circumstances. HIPAA regulations outline the uses and disclosures of PHI that require authorization to be obtained from a patient/plan member before that person’s PHI can be shared or used.
HIPAA Forms in New York are required before:
- The covered entity can use or disclose PHI whose use or disclosure is otherwise not permitted by the HIPAA Privacy Rule
- The covered entity can use or disclose PHI for marketing purposes. If the marketing communication involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.
The law requires that a HIPAA release form contain specific “core elements” to be valid.
These elements include:
- A description of the specific information to be used or disclosed.
- The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
- The name or other specific identification of any third parties (persons or classes of persons) to whom the covered entity may make the requested use or disclosure.
- A description of each purpose of the requested use or disclosure.
- An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.
- The signature of the individual and the date.
New York State HIPAA Training
HIPAA imposes employee training requirements that are the same regardless of the healthcare organization’s state. New York state HIPAA training must be provided to each employee who has the potential to access PHI. Training must be provided annually, and employees must legally attest that they understand and agree to adhere to the training material.
Complying with New York HIPAA Law
To meet the requirements of the HIPAA regulations, healthcare organizations (healthcare providers, healthcare vendors, and MSPs) must implement a HIPAA compliance program. Most federal HIPAA requirements apply at the state level in New York as well.
Security Risk Assessments, Gap Identification, and Remediation
To be HIPAA compliant, it is crucial to identify where your deficiencies lie. To do so, healthcare organizations must conduct six self-audits annually. These self-audits uncover weaknesses and vulnerabilities in your security practices. To ensure that your organization meets HIPAA safeguard requirements, you must create remediation plans. Remediation plans list your identified deficiencies and how you plan to address them, including actions and a timeline.
HIPAA Policies and Procedures
To ensure that you meet HIPAA Privacy, Security, and Breach Notification requirements, you must implement written policies and procedures. These policies and procedures must be customized for your practice’s specific needs, applying directly to how your business operates. To account for any changes in your business practices, you must review your policies and procedures annually and make amendments where appropriate.
Business Associate Agreements
Business associate agreements must be signed with each of your business associate vendors. HIPAA defines a business associate as any entity that performs a service for your practice that gives them the potential to access PHI. Common examples of business associates include electronic health records platforms, email service providers, online appointment scheduling software, and cloud storage providers.
You cannot use just any vendor and remain HIPAA compliant. The vendor needs to be willing and able to sign a business associate agreement (BAA). A BAA is a legal contract that requires each signing party to be HIPAA compliant and to be responsible for maintaining its own compliance. When a vendor doesn’t sign a BAA, it cannot be used for business associate services.
Incident Management
To comply with the HIPAA Breach Notification Rule, you must have a system to detect, respond to, and report breaches. Employees must also have the means to report incidents anonymously and be aware of what to do if they suspect a breach has occurred.
New York State HIPAA Violation
What is a HIPAA violation in New York? While many HIPAA violations come to light through breaches, it is not the breach itself that establishes that a healthcare organization violated HIPAA. Most HIPAA violations occur when healthcare organizations fail to conduct accurate and thorough risk assessments, provide patients timely access to their medical records, have signed business associate agreements, or report breaches promptly.