New York healthcare providers follow two compliance frameworks: federal HIPAA and state laws. The state laws go further in several important areas. The NY SHIELD Act, Public Health Law §18, the Mental Hygiene Law, and the statewide SHIN-NY health information network each add duties that a HIPAA-only checklist can miss. This guide breaks down each layer so you can build a program that satisfies both.
Federal HIPAA in New York: The Baseline
HIPAA (Health Insurance Portability and Accountability Act) sets the federal floor for protected health information (PHI) across all 50 states. In New York, that floor covers the same three rules it does everywhere else:
- Privacy Rule (45 CFR Part 164, Subpart E): Controls how covered entities and business associates use and disclose PHI.
- Security Rule (45 CFR Part 164, Subpart C): Requires administrative, physical, and technical safeguards for electronic PHI (ePHI).
- Breach Notification Rule (45 CFR Part 164, Subpart D): Requires individual notice within 60 days of discovering a breach, and HHS notification on the same timeline (or annual summary for breaches affecting fewer than 500 individuals).
New York state law does not replace these requirements — it stacks on top of them. Wherever state law is stricter than HIPAA, the stricter standard controls.
New York State Privacy Laws That Apply to Healthcare
Four state laws create the most significant HIPAA overlap for New York providers. Each one is addressed below.
New York SHIELD Act (2019)
The Stop Hacks and Improve Electronic Data Security (SHIELD) Act took effect March 21, 2020. It made two major changes relevant to healthcare:
- Expanded scope: Any business that owns or licenses computerized data containing private information of New York residents must comply — regardless of where the business is physically located. An out-of-state telehealth platform treating NY patients is subject to the SHIELD Act.
- Expanded definition of “private information”: The SHIELD Act added biometric data, account credentials (username plus password or security questions), and medical and health information to the categories that trigger breach notification. PHI under HIPAA qualifies as private information under the SHIELD Act.
For HIPAA-covered entities, the SHIELD Act adds one key duty. If you notify HHS of a breach affecting 500 or more people, you must also notify the New York Attorney General within 5 business days of that HHS notice. That deadline runs from the HHS notice, not from breach discovery. No other state has a faster AG notice window.
The SHIELD Act also requires covered businesses to maintain a “reasonable security program.” This program must include documented administrative, technical, and physical safeguards. HIPAA compliance generally satisfies this rule, but the documentation must exist. A policy binder in a drawer is not enough. You need proof that the safeguards are in use.
New York Public Health Law §18: Patient Record Rights
Public Health Law §18 governs patient access to medical records in New York. Key differences from HIPAA:
- Access timeline: Providers must respond to a patient record request within 10 days (compared to HIPAA’s 30-day standard, extendable once to 60 days).
- Permitted fees: Providers may charge a reasonable fee for copies, but the fee schedule is set by state regulation rather than left entirely to the provider’s discretion.
- Mental health carve-out: Records governed by the Mental Hygiene Law are excluded from §18 and follow their own access rules (see below).
The 10-day response window is the most operationally significant difference. Front desk staff and health information teams need a workflow that can meet both the federal and state deadlines without treating them as the same number.
New York Mental Hygiene Law: Mental Health Record Protections
New York’s Mental Hygiene Law applies to records created in connection with mental health, developmental disability, and substance use disorder services. The protections are significantly more restrictive than HIPAA:
- Disclosure generally requires explicit written patient consent, even between treating providers in different organizations.
- HIPAA’s treatment, payment, and healthcare operations (TPO) exception does not automatically apply under state law. A mental health provider cannot share records with a referring physician simply because both are treating the same patient.
- Emergencies that justify disclosure without consent are narrowly defined by statute and do not map cleanly onto HIPAA’s emergency exception.
Providers in behavioral health, psychiatry, addiction medicine, and integrated care settings must train staff on both frameworks and maintain separate authorization workflows for mental health records. Routine HIPAA disclosures that are legally permissible for medical records may be unlawful for mental health records under state law.
New York HIV/AIDS Confidentiality Law
New York Public Health Law Article 27-F imposes strict confidentiality requirements on HIV-related information — far stricter than HIPAA’s general PHI protections. Key rules:
- HIV-related information may only be disclosed with written authorization using a specific statutory form.
- The authorization cannot be a general medical release. It must specifically reference HIV-related information.
- Even between treating providers, disclosure requires a separate HIV authorization unless the patient has signed one as part of care coordination.
- Violations can result in civil liability and referral to the NY Department of Health.
New York City providers in particular encounter this law frequently given the patient populations served. Electronic health record systems must be configured to flag HIV-related records and require a separate authorization before they can be shared.
SHIN-NY: The Statewide Health Information Network for New York
SHIN-NY (Statewide Health Information Network for New York) is the state’s health information exchange infrastructure. Providers who participate in SHIN-NY — which includes most hospitals, many large practices, and a growing number of community health centers — take on additional obligations:
- Participation agreements: Providers must execute a SHIN-NY participation agreement that incorporates state data governance policies governing how ePHI moves through the network.
- Patient consent requirements: SHIN-NY uses a consent model that differs from HIPAA’s notice-based approach. Some data sharing through the network requires affirmative patient consent, not just an opportunity to opt out.
- Audit obligations: SHIN-NY participation agreements typically require that providers maintain access logs and submit to periodic audits of their data access practices.
Compliance officers at SHIN-NY-participating organizations manage three cybersecurity and privacy layers: federal HIPAA, the NY SHIELD Act, and SHIN-NY data rules. Each layer has different documentation rules, breach timelines, and enforcement paths.
New York SHIELD Act vs. HIPAA: Key Differences
The table below summarizes the most operationally significant differences between federal HIPAA and the NY SHIELD Act for healthcare organizations:
| Requirement | HIPAA | NY SHIELD Act |
|---|---|---|
| Who is covered | Covered entities and business associates in healthcare | Any business holding private information of NY residents |
| Breach notification to individuals | Within 60 days of discovery | In the most expedient time possible (generally same as HIPAA) |
| Breach notification to state AG | Not required separately | Within 5 business days of notifying HHS (large breaches) |
| Security program requirement | Risk-based safeguards documented in policies | Documented “reasonable security program” (HIPAA compliance satisfies this) |
| Definition of protected data | PHI (health information linked to an individual) | Broader: includes biometric data, credentials, medical information |
| Enforcement authority | HHS Office for Civil Rights (OCR) | New York Attorney General |
New York Breach Notification Requirements
New York healthcare providers face a multi-step breach notification process. Several steps run at the same time. Missing any step creates its own legal risk.
SHIELD Act: 5-Business-Day AG Notice After HHS Notification
For breaches affecting 500 or more people, the NY SHIELD Act requires notice to the NY Attorney General within 5 business days after the HHS notice is submitted. The AG notice must include:
- The nature of the breach
- The number of New York residents affected
- The types of private information involved
- The date of the breach and date of discovery
- Remediation steps taken or planned
This 5-business-day window is the fastest required government notice in the country for healthcare breaches. Your breach response plan must address the AG notice step. It cannot cover only HHS and individual notice.
Individual Notification Requirements
Individual notice under the SHIELD Act follows a standard similar to HIPAA. Notice must be provided “in the most expedient time possible and without unreasonable delay.” For practical compliance, use the federal 60-day clock and build in buffer time. That helps you meet the state deadline at the same time. Notice must be provided by:
- Written notice to the last known address of the affected individual
- Electronic notice if the person has consented to electronic communications
- Telephone notice, if supplemented by written notice
- Substitute notice (email to the general public, conspicuous website posting, or statewide media) when contact information for 10 or more individuals is out of date
Timing: Aligning Federal and State Deadlines
A practical New York breach response timeline looks like this:
- Day 0: Breach discovered and confirmed
- Within 72 hours (2026 HIPAA Security Rule): Internal escalation and preliminary incident report completed
- Within 60 days: Individual notifications sent; HHS notification filed
- Within 5 business days of HHS notification: NY AG notification filed
- Ongoing: Media notice if breach affects 500+ residents of a state (federal requirement); maintain documentation of all notifications
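As an added illustration (not code from the original article or from One Guy Consulting), the timeline above expressed as a small deadline calculator. The thresholds follow the article; the holiday calendar is an assumption left empty, so business-day counts skip weekends only until you fill it in.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: no holidays are listed here. Add the holidays your counsel
# recognizes so the 5-business-day AG count skips them too.
HOLIDAYS: set = set()


def add_business_days(start: date, n: int, holidays: set = HOLIDAYS) -> date:
    """Date that is n business days (Mon-Fri, skipping holidays) after start."""
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


@dataclass
class NyBreach:
    discovered: date                   # Day 0: breach discovered and confirmed
    affected: int                      # total individuals affected
    ny_residents: int                  # New York residents among them
    hhs_filed: Optional[date] = None   # date the HHS notice was submitted, if known

    def deadlines(self) -> dict:
        """Each notification deadline from the New York timeline, keyed by step."""
        large = self.affected >= 500
        sixty_days = self.discovered + timedelta(days=60)
        return {
            # 72-hour internal escalation and preliminary incident report
            "internal_report": self.discovered + timedelta(days=3),
            # HIPAA: individual notice within 60 days of discovery
            "individual_notice": sixty_days,
            # HIPAA: HHS notice within 60 days for 500+; smaller breaches go in
            # the annual summary, due 60 days after the end of the calendar year
            "hhs_notice": sixty_days if large
            else date(self.discovered.year, 12, 31) + timedelta(days=60),
            # HIPAA media notice when 500+ residents of one state are affected
            "ny_media_notice": sixty_days if self.ny_residents >= 500 else None,
            # SHIELD Act: NY AG notice within 5 business days of the HHS notice.
            # The clock runs from the HHS filing, so it stays None until that date
            # is known, even though discovery happened earlier.
            "ny_ag_notice": add_business_days(self.hhs_filed, 5)
            if large and self.ny_residents > 0 and self.hhs_filed is not None
            else None,
        }
```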
HIPAA Penalties in New York (2025)
Federal OCR Enforcement in New York
The HHS Office for Civil Rights enforces HIPAA in New York as it does in every state. Federal penalty tiers range from $100 to $50,000 per violation, with annual maximums of $1.9 million per violation category. OCR has taken enforcement action against several prominent New York health systems over the past decade, including cases involving:
- Unauthorized disclosures to media organizations filming on hospital premises
- Missing business associate agreements with major health IT vendors
- Failure to provide patients timely access to their medical records under the Patient Access standard
The 2026 HIPAA Security Rule update took effect in 2025. It adds new rules for multi-factor authentication, encryption of ePHI at rest and in transit, and annual technology asset inventories. OCR is actively enforcing these updated rules.
NY AG Privacy Enforcement Authority
The New York Attorney General enforces the SHIELD Act independently of OCR. The AG has broad authority to investigate data breaches and impose civil penalties:
- Up to $5,000 per violation for SHIELD Act failures (each affected individual can constitute a separate violation)
- Up to $20 per failed notification for improper breach notice, capped at $250,000 per breach event
- Injunctive relief requiring the organization to implement specific security controls
The AG has shown a willingness to pursue healthcare organizations and technology companies. Review any breach affecting NY residents for SHIELD Act duties. Do this even if you do not expect an OCR investigation.
HIPAA Compliance for New York Healthcare Providers
While the compliance framework is the same across provider types, certain New York provider categories face additional considerations.
NYC Hospitals and Health Systems (NYC Health + Hospitals)
New York City’s public hospital system, NYC Health + Hospitals, is the largest municipal health system in the United States. As a covered entity, it operates under HIPAA, the SHIELD Act, and SHIN-NY at the same time. Large New York health systems often have dedicated Privacy Officers, Security Officers, breach response teams, and annual third-party risk assessments. Smaller independent hospitals may not. If you are a vendor or business associate serving NYC-area hospitals, expect BAA terms that reference SHIN-NY data rules along with standard HIPAA language.
New York Dental Practices
Dental practices in New York are covered entities under HIPAA. They are also subject to the SHIELD Act if they hold electronic patient data, which most modern practices do. Common gaps include missing or outdated BAAs with dental software vendors, weak encryption on practice systems, and missing annual risk assessments. New York dental practices that treat patients with HIV or mental health conditions also need separate authorization workflows for those records.
New York Mental Health and Substance Abuse Providers
Behavioral health providers in New York face a complex compliance environment. They may need to satisfy HIPAA Privacy and Security Rules, New York Mental Hygiene Law, 42 CFR Part 2, and SHIN-NY data rules. Staff training must cover each framework that applies. EHR systems must apply the most restrictive rule for each record type.
New York Telehealth Providers
Out-of-state telehealth providers that treat New York patients are subject to the NY SHIELD Act, even without a physical office in the state. They must maintain a reasonable security program. They must also notify the NY AG within 5 business days of HHS notice for covered breaches. If a platform stores session recordings, treatment notes, or prescription data for NY patients, counsel should review both HIPAA and NY state law duties.
New York HIPAA Compliance Checklist
- Conduct an annual HIPAA security risk assessment and document findings and remediation actions
- Maintain a written SHIELD Act “reasonable security program” with administrative, technical, and physical safeguards
- Execute signed BAAs with all vendors that handle PHI. Review and renew them each year
- Build a breach response plan with an explicit NY AG notification step (5 business days from HHS notification)
- Train staff on both HIPAA and the NY Mental Hygiene Law if treating behavioral health patients
- Maintain separate HIV-specific authorization forms per Public Health Law Article 27-F
- Configure EHR systems to enforce the 10-day patient records access window required by Public Health Law §18
- If participating in SHIN-NY, sign the participation agreement and document consent workflows that differ from HIPAA’s notice-based approach
- Implement MFA and encryption for all ePHI systems per the 2026 HIPAA Security Rule
- Maintain annual training records with completion evidence for all workforce members
Frequently Asked Questions
What is the New York SHIELD Act and how does it affect HIPAA-covered entities?
The SHIELD Act (Stop Hacks and Improve Electronic Data Security Act, 2019) expanded New York’s breach notice and data security rules. For HIPAA-covered entities, the key added duties are: (1) notify the NY Attorney General within 5 business days of notifying HHS about a large breach, and (2) maintain a documented “reasonable security program” with administrative, technical, and physical safeguards. HIPAA compliance generally satisfies the security program rule. The 5-business-day AG notice timeline is separate. It runs from HHS notice, not breach discovery.
How quickly must New York healthcare providers notify the state AG of a breach?
New York’s SHIELD Act requires healthcare organizations to notify the NY Attorney General within 5 business days of notifying HHS about a breach affecting 500 or more people. This is the fastest required government notice timeline for healthcare breaches in the country. It is separate from the 60-day individual notice window under federal HIPAA. Your breach response plan must include the AG notice step clearly.
Are New York mental health records treated differently under state law?
Yes. New York’s Mental Hygiene Law gives stronger protection to mental health, developmental disability, and substance abuse records than standard HIPAA PHI. These records usually cannot be shared without written patient consent, even between treating providers. Narrow emergency exceptions may apply. HIPAA’s treatment, payment, and healthcare operations exception does not apply automatically. Providers treating these groups need separate authorization workflows.
Does the SHIELD Act apply to out-of-state healthcare providers treating New York patients?
Yes. The SHIELD Act applies to any business that owns or licenses computerized data with private information about New York residents. Location does not control. An out-of-state telehealth provider treating NY residents must comply with SHIELD Act rules. That includes maintaining a reasonable security program and notifying the NY AG within 5 business days of any HHS breach notice involving NY residents.
What is SHIN-NY and does it create additional compliance requirements?
SHIN-NY (Statewide Health Information Network for New York) is New York’s statewide health information exchange. Providers that participate in SHIN-NY must sign participation agreements and follow SHIN-NY data rules. Those rules govern how ePHI is shared through the network. Unlike HIPAA’s notice-based approach, some SHIN-NY sharing requires affirmative patient consent. This adds a compliance layer on top of HIPAA and SHIELD Act duties for participating providers.
Conclusion
New York is one of the most demanding states for healthcare privacy compliance. Federal HIPAA sets the floor. The NY SHIELD Act, Mental Hygiene Law, HIV confidentiality law, and SHIN-NY participation rules each add duties that need dedicated policy and training work. The 5-business-day AG notice window alone sets New York apart. Your breach response plan should address it directly.
One Guy Consulting helps covered entities and business associates build HIPAA programs that account for state-specific rules. Our policy library, risk assessment tools, and compliance platform are built for teams that need to get it right the first time. Book a consultation to discuss your New York compliance duties.
Key stat: New York's SHIELD Act requires any business handling private information of New York residents to implement reasonable data security safeguards - regardless of whether the business is a HIPAA-covered entity. Non-healthcare companies processing health data may face SHIELD Act requirements even when HIPAA does not apply to them.