New York state’s attorney general, Eric Schneiderman, is pushing for changes to the state’s data security and breach notification regulations and has also announced a $575,000 settlement in a case involving HIPAA violations.

In an in-depth interview with Information Security Media Group, privacy attorney Kirk Nahra discusses the significance of these developments.

Schneiderman’s office recently announced that it signed a settlement and corrective action plan with EmblemHealth after the insurer admitted to a 2016 mailing error that resulted in Social Security numbers being visible on envelope labels of mailings sent to more than 81,000 individuals.

The state AG’s office said the insurer had not only violated New York regulations, but also violated HIPAA provisions related to safeguarding protected health information. Under the HITECH Act, state attorneys general have the right to take HIPAA enforcement actions.

“The states have various authority to do HIPAA enforcement … but we really haven’t really seen very much of this,” Nahra says. “I have lots of potential concerns about state AGs in this area. We know that the main federal office – the Department of Health and Human Services’ Office for Civil Rights – that deals with HIPAA is knowledgeable and thoughtful about how they do their enforcement. What we don’t know about the state AGs is … how they are … going to look at these violations.”

Proposed Legislation

Schneiderman’s office used the occasion of the Emblem settlement to promote the Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, which he proposed late last year in the wake of the Equifax breach. The proposal calls for updating New York’s “weak” data security laws, Schneiderman says in a statement.

Among other provisions, the measure calls for requiring that all businesses in New York implement “reasonable” security technical, administrative and physical safeguards.

The thinking behind the new provision, Nahra says, is that “if you have better security, you’re not going to have data breaches.”

A handful of other states have similar provisions in their data security and breach notification laws, he notes. Still, compared with more detailed federal HIPAA requirements in the healthcare sector, those states typically have more general provisions related to data security practices, Nahra says.

In addition, the legislation proposes “additional kinds of information that would be subject to data breach notification requirements,” Nahra says.

The bill, now being considered in the state legislature, is sponsored by state senator David Carlucci and assembly member Brian Kavanagh.

In the interview, Nahra also discusses:

  • How the European Union’s General Data Protection Regulation, or GDPR, applies to U.S.-based healthcare providers;
  • Lessons from recent privacy breach cases involving mailing snafus;
  • Other trends involving breach regulatory and enforcement actions.

As a partner at the law firm Wiley Rein LLP, Nahra specializes in privacy and information security issues, as well as other healthcare, insurance fraud and compliance issues. He’s a member of the board of directors of the International Association of Privacy Professionals and was co-chair of the Confidentiality, Privacy and Security Workgroup, a former panel of government and private-sector privacy and security experts advising the American Health Information Community.