As discussed in an earlier blog post, the New York state Stop Hacks and Improve Electronic Data Security Act (or “SHIELD Act”), was signed into law on July 25, 2019.  A potential unintended side effect of the SHIELD Act may require health care companies to provide notification to the NY Attorney General for events that occurred well before its enforcement date. While the SHIELD Act’s data security requirements, which are covered under §4, will not come into effect until March 21, 2020, all other requirements, including the breach notification requirement, became effective on October 23, 2019.  The notification enforcement date is important for any Covered Entity, as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), that has suffered a Breach, as defined by HIPAA, involving fewer than 500 individuals (“Minor HHS Breach”), was a breach of computerized data, and involved a New York resident.

HIPAA requires Covered Entities to file a report detailing any Minor HHS Breach within sixty days after the end of the calendar year in which the breaches are discovered.  The Shield Act requires that any Covered Entity required to provide notification of any breach to the Secretary of Health and Human Services (“HHS”) pursuant to HIPAA must also provide notification to the NY Attorney General within five business days thereafter. As drafted, this would apparently include notification of reports of breaches that involve non-electronic PHI. As a result, if such Minor HHS Breaches involved a New York resident, companies submitting their annual reports to HHS must provide notification of such reports to the New York Attorney General.

Any Covered Entity that submits an annual report to OCR for Minor HHS Breaches that involve New York residents has, at the latest, until March 6, 2020, to submit a notification of such reports to the New York Attorney General under the SHIELD Act.  In the event such annual reports were submitted to HHS earlier than sixty calendar days from the end of the year, such notification requirement period may have already passed.  Due to the interaction between HIPAA and the SHIELD Act reporting requirements, companies are required to submit a notification to the New York Attorney General for events that occurred more than eight months prior to the SHIELD Act’s enforcement date.  While many companies tracking the SHIELD Act were aware of the October 23, 2019  breach requirement, the requirement that the New York Attorney General must be provided a template of the notice triggered by the HHS annual reporting requirements may come as a surprise.

It is also critical to note that entities that are required to report Minor HHS Breaches to NY regulators under the SHIELD Act, should also be prepared for potential further inquiry from the NY regulators who may be learning about such breaches that occurred prior to the Effective Date of the notification provisions under the SHIELD Act.

Back to Health Law Advisor Blog

Search This Blog

Blog Editors


Related Services



Jump to Page


Sign up to receive an email notification when new Health Law Advisor posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.