New York’s Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, which makes significant changes to the state’s data breach notification requirements, impacts healthcare organizations that hold computerized data with private information from New York residents. In this LawFlash, our privacy and cybersecurity team analyzes the law’s expanded definition of “private information” and offers key business takeaways for assessing compliance with the SHIELD Act, which becomes effective October 23, 2019.
In an opinion with significant implications for the healthcare industry, the US Supreme Court has held that information that is both customarily and actually treated as private by its owner—and that is provided to the government under an assurance of privacy—is exempt from disclosure under the Freedom of Information Act (FOIA). As a result, federal agencies may refuse to disclose a much broader swath of proprietary commercial and financial information obtained from healthcare organizations under federal regulation, or as part of an investigation, or otherwise. There may be interesting interplay between this broader definition of “confidential” in the FOIA release context and the varying federal government policies under consideration for promoting or imposing greater transparency in pricing and quality reporting among healthcare providers. Ultimately, Congress will have the final say.