On April 10, 2018, the New York State Department of Health (NYS DOH) released Version 3.5 of the SHIN-NY Privacy and Security Policies and Procedures for Qualified Entities (QEs) and their Participants in New York State under 10 NYCRR § 300.3(b)(1) (the SHIN-NY Policies and Procedures). The revisions follow the changes recommended by the Policy Committee and the NYeC Board in 2017. The most significant changes to the SHIN-NY Policies and Procedures concern cybersecurity.
Version 3.5 of the SHIN-NY Policies and Procedures includes a new Section 10 dedicated to cybersecurity. The cybersecurity section imposes several new requirements on QEs. In particular:
- QEs must be certified by a certification body approved by NYS DOH. Although QEs were already subject to certification, this requirement had not previously been stated in the Policies themselves.
- QEs must collaborate with the statewide Chief Information Security Officer (CISO) employed by NYeC in managing security technologies, responding to incidents, and other areas related to cybersecurity.
- QEs must develop their own Cybersecurity Policy and Procedures (CSPP). Each CSPP must address several different areas, including cybersecurity governance, identification of assets subject to vulnerabilities, protection of those assets, detection of cybersecurity intrusions, responses to cybersecurity incidents, and recovery from such incidents.
- QEs must maintain cybersecurity insurance.
The new cybersecurity section also describes the role of the Statewide CISO, who oversees all of the QEs, as well as the SHIN-NY Hub, with respect to cybersecurity issues. While the Statewide CISO provides guidance to all of the QEs, the Statewide CISO is not responsible for the day-to-day operations or supervision of the QE CISOs.
The new cybersecurity section of the Policies addresses several new concepts, and as a result, the Policies have added new definitions to address those concepts. Version 3.5 includes definitions for Cybersecurity Policies and Procedures (CSPP), the National Institute of Standards and Technology Cybersecurity Framework, the Qualified Entity Participant Agreement, the SHIN-NY Enterprise, the SHIN-NY Hub, and the Statewide Chief Information Security Officer (CISO). In addition, a definition of the “State Designated Entity” has been added to mean the public/private partnership that has been designated by NYS Commissioner of Health as eligible to receive federal and state grants to promote health information technology.
In addition to the cybersecurity changes, Version 3.5 of the Policies liberalizes the circumstances under which de-identified data can be shared. Previously, the Policies had stated that de-identified data could be shared for purposes of research so long as the research was approved or deemed exempt by an Institutional Review Board (IRB). However, in some cases a researcher may be designing a clinical study and seeking to determine the number of individuals who meet certain inclusion or exclusion criteria, and this study design phase can occur prior to IRB review.
Section 1.6.1(e) of the amended Policies now allows a QE to disclose a count of the number of patients who fit into research criteria to a researcher so long as the count cannot be combined with other data to identify an individual.