Dueling Cybersecurity Regulations for Health Care: HHS Meets New York State

From: Bloomberg/BNA

New York’s new cybersecurity regulation will regulate the data security practices of health-care insurers with a set of rules that are the most comprehensive in the U.S. These rules will require many health-care insurers to take a fresh and comprehensive look at their cybersecurity programs, governance and defenses to meet the deadlines, the author writes.

By Craig A. Newman

Data security regulation for health-care insurers that operate in New York just got more complicated. For years, the U.S. Department of Health and Human Services’ Office for Civil Rights—the industry’s primary data security regulator—has zealously policed the health care field. In fact, so far in 2017, the agency has already brought four data security enforcement actions. The most recent was the February 2017 $5.5 million settlement with Memorial Healthcare System—matching the largest civil monetary fine ever imposed against a single organization—because of weak internal controls that permitted employees to improperly access more than 100,000 patient records.

And now New York has gotten into the act with a completely different set of rules that are the most comprehensive of any U.S. state. Earlier this month, New York’s top banking and insurance regulator threw down the proverbial gauntlet—or, perhaps more of a sledgehammer—with its new cybersecurity regulation, which has broad implications for health-care insurers that operate in New York. The regulation will force health-care insurers to navigate a minefield of new and far more exacting technical, legal and governance requirements than the industry-specific regulations already in place, including those under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). The New York rules just took effect on March 1 and will phase in over two years, but many detailed requirements must be put in place within the first 180 days.
