HIPAA Compliance for New York Medical Clinics
New York clinics must comply with HIPAA plus the NY SHIELD Act's data security and breach notification requirements, the NY Public Health Law §18 patient access right with its 10-day response time, and category-specific confidentiality laws for mental health and HIV-related information. This guide covers each framework and closes with five specific action items.
Short answer
New York medical clinics must satisfy HIPAA and at least two additional state frameworks that apply to every clinic: the NY SHIELD Act's 'reasonable safeguards' data security requirement with an access-based breach definition, and New York Public Health Law §18, which gives patients the right to access their health records with a 10-day response time, shorter than HIPAA's 30-day access deadline. Clinics handling mental health or HIV-related information face further category-specific restrictions. The New York Department of Health and the NY Attorney General both have enforcement authority alongside federal OCR.
New York layers significant state law obligations on top of HIPAA. Public Health Law §18 gives you 10 days — not 30 — to respond to a patient record request. The NY SHIELD Act extends breach notification to unauthorized access events that HIPAA may not reach. And the Mental Hygiene Law, the HIV Confidentiality Law, and several other statutes restrict specific health information categories more tightly than HIPAA’s TPO exceptions allow. Each of these requires action beyond what your federal HIPAA program covers.
HIPAA Baseline Requirements
Every New York clinic transmitting health information electronically in connection with covered transactions is a HIPAA-covered entity. Core HIPAA requirements include:
- Risk analysis and risk management program under 45 CFR § 164.308(a)(1)
- Administrative, physical, and technical safeguards under 45 CFR §§ 164.308–164.316
- Business associate agreements with all business associates
- Notice of Privacy Practices provided at first service delivery
- Patient rights implementation — access within 30 days (one 30-day extension on written notice to the patient), amendment, accounting of disclosures
- Workforce training on privacy and security policies
For the administrative safeguard components of HIPAA that form the baseline of a New York compliance program, see HIPAA administrative safeguards.
New York Public Health Law §18: 10-Day Access Deadline
PHL §18 is one of New York’s most operationally significant state-law additions to the HIPAA baseline. Under §18(2), a health care provider must respond to a patient’s written request for access to their health information within 10 days when the records are maintained on site. For records stored off site, the response must occur as soon as reasonably possible.
Comparison with HIPAA
HIPAA’s access right at 45 CFR § 164.524(b)(2) gives covered entities 30 days to act on a patient access request, with one 30-day extension available when the entity cannot act within 30 days and gives the patient a written statement of the reasons and the date by which it will respond. (The older 60-day allowance for records held off site was removed by the 2013 Omnibus Rule.) New York’s 10-day standard provides no comparable extension for on-site records. Because the stricter state deadline is more protective of the patient, it is not preempted; a New York clinic must treat the 10-day deadline as the operative standard and build its records release process accordingly.
Fee limitations
PHL §18(2)(e) also restricts the fees a provider may charge for providing access to health information: the charge must not exceed the provider’s actual cost, and for paper copies it is capped at 75 cents per page. A provider also may not deny access because the patient is unable to pay. Clinics must apply whichever standard, HIPAA’s cost-based fee or New York’s cap, results in the lower charge to the patient.
Enforcement
PHL §18 is enforced by the New York Department of Health, which oversees healthcare provider licensing and can take action for systematic violations of the patient access requirements. The NY AG also has authority to investigate consumer protection violations that may include access violations affecting New York residents broadly.
For a comprehensive overview of HIPAA vs. the NY SHIELD Act, see HIPAA vs New York SHIELD Act.
NY SHIELD Act: Broader Security and Breach Notification
The Stop Hacks and Improve Electronic Data Security (SHIELD) Act, enacted in 2019 and codified at N.Y. Gen. Bus. Law § 899-aa et seq., significantly expanded New York’s data security and breach notification requirements.
Expanded breach definition
The SHIELD Act uses an access-based breach definition: a breach of the security of the system is unauthorized access to or acquisition of computerized data that compromises the security, confidentiality, or integrity of private information maintained by the business. In deciding whether information was accessed, the statute points to indications that it was viewed, communicated with, used, or altered by a person without valid authorization. The access-only trigger, which does not require acquisition, means that unauthorized viewing of patient records, even without downloading or copying, may constitute a breach requiring notification under the SHIELD Act.
HIPAA’s own breach definition at 45 CFR § 164.402 also covers impermissible access, not just acquisition, but it lets a covered entity rebut the presumption of breach with a documented four-factor risk assessment showing a low probability that the PHI was compromised. The SHIELD Act’s only comparable exception is narrower: an inadvertent disclosure by a person authorized to access the data, where the business reasonably determines and documents that it will not likely result in misuse or harm. Treat any unauthorized access to records of New York residents as a potential SHIELD Act breach, requiring investigation and possible notification, even where your HIPAA risk assessment concludes the probability of compromise was low.
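The practical consequence of the access-based trigger is that an incident pipeline tuned to HIPAA acquisition events (exports, prints, downloads) will silently drop the view-only snooping that the SHIELD Act reaches. The following script, added here as an illustration and not code from the article or from any EHR vendor, runs over a constructed audit-log extract and flags every access by a user who is neither on the patient’s care team nor acting under a recorded permitted purpose. It marks each finding for HIPAA review and, where the patient is a New York resident, for SHIELD Act review, and contrasts that with an acquisition-only filter. The log format, field names and care-team table are assumptions; whether the viewed records contained SHIELD “private information” and whether a HIPAA risk assessment rebuts the presumption of breach are determinations made after triage, not by this code.

```python
"""Triage EHR audit events for SHIELD Act access-based breach candidates.

Added example for this article; the CSV layout, user names, patient IDs and
care-team table below are constructed for illustration only.
"""
import csv
import io
from dataclasses import dataclass

# Constructed audit-log extract. Real EHR audit exports vary by vendor.
AUDIT_LOG = """\
ts,user,patient_id,patient_state,action,authorized_purpose
2024-03-01T09:02:11,dr.lee,P1001,NY,VIEW,treatment
2024-03-01T09:10:40,j.smith,P1001,NY,VIEW,
2024-03-01T11:30:05,j.smith,P2002,NJ,VIEW,
2024-03-01T13:15:22,m.patel,P1001,NY,EXPORT,
2024-03-02T08:01:00,billing.ops,P1001,NY,VIEW,payment
2024-03-02T08:05:19,j.smith,P3003,NY,PRINT,
"""

# Constructed care-team table: users with a treatment, payment or operations
# relationship to each patient. In practice this comes from scheduling,
# encounter and role data, not a hard-coded dict.
CARE_TEAM = {
    "P1001": {"dr.lee", "billing.ops"},
    "P2002": {"dr.lee"},
    "P3003": {"dr.okafor"},
}

ACQUISITION_ACTIONS = {"EXPORT", "PRINT", "DOWNLOAD", "COPY"}  # data left the system
ACCESS_ONLY_ACTIONS = {"VIEW"}                                  # viewed on screen only


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    patient_id: str
    patient_state: str
    action: str
    hipaa_review: bool   # impermissible access/use of PHI: always send to breach risk assessment
    shield_review: bool  # NY resident and unauthorized access, with or without acquisition


def is_authorized(row: dict) -> bool:
    """Authorized if the user is on the care team or a permitted purpose was recorded."""
    on_team = row["user"] in CARE_TEAM.get(row["patient_id"], set())
    return on_team or bool(row["authorized_purpose"].strip())


def triage(log_text: str) -> list[Finding]:
    """Flag every unauthorized access; SHIELD review is keyed on residency, not on acquisition."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if is_authorized(row):
            continue
        action = row["action"].upper()
        acquired = action in ACQUISITION_ACTIONS
        accessed = acquired or action in ACCESS_ONLY_ACTIONS
        findings.append(Finding(
            ts=row["ts"],
            user=row["user"],
            patient_id=row["patient_id"],
            patient_state=row["patient_state"].upper(),
            action=action,
            hipaa_review=accessed,
            shield_review=accessed and row["patient_state"].upper() == "NY",
        ))
    return findings


def acquisition_only_triage(log_text: str) -> list[Finding]:
    """The filter to avoid: escalates only when data left the system, so view-only snooping is lost."""
    return [f for f in triage(log_text) if f.action in ACQUISITION_ACTIONS]


if __name__ == "__main__":
    for f in triage(AUDIT_LOG):
        print(f"{f.ts} {f.user:<12} {f.patient_id} {f.action:<7} "
              f"HIPAA={f.hipaa_review} SHIELD={f.shield_review}")
    missed = set(triage(AUDIT_LOG)) - set(acquisition_only_triage(AUDIT_LOG))
    print(f"{len(missed)} unauthorized access event(s) an acquisition-only filter would miss")
```

On the constructed log, the acquisition-only filter keeps the export and the print but drops j.smith’s on-screen view of a New York patient’s chart, which is exactly the event the SHIELD Act’s access trigger requires you to investigate. The same view of the New Jersey patient is still a HIPAA matter even though SHIELD does not apply to it.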
Notification requirements
Under N.Y. Gen. Bus. Law § 899-aa(2), affected New York residents must be notified in the most expedient time possible and without unreasonable delay after the breach is discovered, and, as amended in December 2024, within 30 days of discovery (the statute previously set no fixed maximum). Whenever any New York resident is notified, the NY Attorney General, the Department of State, and the Division of State Police must also be notified; if more than 5,000 residents are notified at one time, consumer reporting agencies must be notified as well. The 500-resident figure that clinics often associate with the SHIELD Act applies to the inadvertent-disclosure exception: a business that decides no notification is needed must keep its written determination for five years and, where more than 500 residents are involved, send that determination to the Attorney General within 10 days. A HIPAA-covered entity that notifies affected individuals under the HIPAA Breach Notification Rule need not send a second individual notice under the SHIELD Act, but it must still notify the state agencies above and must send the Attorney General a copy of its HHS notification within five business days of filing it.
Reasonable safeguards requirement
N.Y. Gen. Bus. Law § 899-bb requires businesses that hold private information of New York residents to implement a data security program containing reasonable administrative, technical, and physical safeguards. A clinic that is subject to and actually in compliance with the HIPAA Security Rule is a “compliant regulated entity” and is deemed to satisfy this requirement. That safe harbor depends on real compliance, and a HIPAA program scoped only to PHI can leave non-PHI personal data (employee Social Security numbers, payment card data, website account credentials) without documented safeguards; bring those categories under the same security program so the SHIELD Act’s reasonable safeguards standard is met directly for them.
Mental Hygiene Law §33.13: Mental Health Records
New York Mental Hygiene Law §33.13 governs the confidentiality of clinical records of patients receiving mental health, developmental disability, or chemical dependency services. Under §33.13(a), such records are confidential and may not be disclosed without patient authorization except in specified circumstances.
The permitted exceptions include disclosures necessary to provide treatment, disclosures required for payment, and disclosures as required by law — a framework that partially overlaps with HIPAA’s TPO exception. However, §33.13’s authorization requirements for many disclosures are more specific than HIPAA’s general authorization form requirements, particularly for disclosures to third parties outside the immediate treatment relationship.
New York clinics providing mental health services, substance use disorder treatment, or developmental disability services must implement §33.13-compliant authorization procedures alongside their HIPAA authorization forms.
HIV Confidentiality Law: Public Health Law Article 27-F
New York’s HIV confidentiality law, Public Health Law Article 27-F (PHL §§ 2780–2787), applies to any person who receives HIV-related information in the course of providing health or social services, or pursuant to a release or court order. The statute defines “confidential HIV-related information” broadly to cover any information about HIV testing, HIV status, HIV-related illness, or AIDS, including information that an individual has been the subject of a test or has a contact who is HIV-positive.
Under §2782, HIV-related information may not be disclosed without written informed consent from the protected individual, except in enumerated circumstances: to the patient’s treating physician or to persons providing care to the patient when those persons have a clinical need to know, to emergency medical personnel, for certain public health reporting, and for specific research and data purposes with appropriate protections.
The release form must meet specific requirements under §2780, including identifying the person or organization to whom disclosure will be made, the purpose of the disclosure, and the time period during which the release is effective. A standard HIPAA authorization does not automatically satisfy these requirements; a New York HIV-specific release is required for disclosures covered by Article 27-F.
Five Action Items for New York Clinics
1. Update record access procedures to the 10-day PHL §18 deadline. Build your records release process to target response within 10 days for all New York patients, counting calendar days, since the statute does not say business days. Do not rely on HIPAA’s 30-day window. Train medical records staff on the New York standard.
2. Update breach response to include SHIELD Act’s access-based trigger. Review your incident classification procedures to treat unauthorized access to records — even without acquisition — as a potential SHIELD Act breach requiring investigation and potential notification. Update your incident response plan accordingly.
3. Implement HIV-specific consent and disclosure procedures. Create PHL Article 27-F-compliant release forms for HIV-related information disclosures. Train records release staff that standard HIPAA authorizations are not sufficient for HIV information. Build a disclosure review step specifically for HIV-containing records.
4. Review mental health records access controls. If providing mental health services, implement Mental Hygiene Law §33.13-compliant disclosure procedures. Segregate mental health records within the EHR and require a specific authorization review before any disclosure.
5. Confirm SHIELD Act coverage for non-PHI personal data. Audit your data handling for non-PHI personal information about New York residents — financial data, employee data, website user data. Confirm your security program addresses the SHIELD Act’s reasonable safeguards requirement for these categories.
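Action items 3 and 4 both come down to the same control: the records release step must refuse a disclosure unless every category of information in the record is covered by the right kind of authorization, with a standard HIPAA authorization never sufficing for HIV-related information. The default-deny gate below is an added example, not the article’s or any vendor’s code. The record categories, authorization kinds, field names and the sample authorizations are constructed assumptions; the field requirements it enforces for an Article 27-F release (named recipient, stated purpose, stated time period) are the ones summarized above. It returns the reasons for a refusal so staff can see which form is missing or defective rather than a bare denial.

```python
"""Default-deny disclosure gate for New York records release.

Added example for this article. Categories, authorization kinds, and the
sample authorizations in demo() are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Authorization:
    kind: str                 # "hipaa", "mhl_33_13", or "phl_27f" (constructed labels)
    recipient: str            # person or organization named on the form
    purpose: str              # stated purpose of the disclosure
    signed_on: date
    expires_on: Optional[date] = None   # end of the stated time period, if any


@dataclass
class Record:
    patient_id: str
    categories: set = field(default_factory=set)  # e.g. {"general", "hiv", "mental_health"}


# Which authorization each category needs. Constructed mapping following the article:
# HIV-related information needs an Article 27-F release, mental health / developmental
# disability / chemical dependency records need an MHL 33.13-compliant authorization,
# and everything else a HIPAA authorization.
REQUIRED_AUTH = {
    "general": "hipaa",
    "mental_health": "mhl_33_13",
    "sud": "mhl_33_13",
    "hiv": "phl_27f",
}


def check_auth(auth: Authorization, needed: str, recipient: str, today: date) -> list:
    """Return the defects in one authorization for this disclosure; an empty list means it is acceptable."""
    defects = []
    if auth.recipient != recipient:
        defects.append("recipient on form does not match disclosure recipient")
    if auth.expires_on is not None and today > auth.expires_on:
        defects.append("authorization expired")
    if needed == "phl_27f":
        # An Article 27-F release must state the purpose and a time period.
        if not auth.purpose.strip():
            defects.append("27-F release lacks a stated purpose")
        if auth.expires_on is None:
            defects.append("27-F release lacks a stated time period")
    return defects


def evaluate_disclosure(record: Record, auths: list, recipient: str, today: date) -> tuple:
    """Default deny: every category present in the record must be covered by a valid authorization."""
    problems = {}
    for cat in sorted(record.categories):
        needed = REQUIRED_AUTH.get(cat)
        if needed is None:
            problems[cat] = ["unknown record category; manual review required"]
            continue
        candidates = [a for a in auths if a.kind == needed]
        if not candidates:
            problems[cat] = [f"no {needed!r} authorization on file"]
            continue
        # Best available form of the right kind; zero defects means the category is cleared.
        problems[cat] = min((check_auth(a, needed, recipient, today) for a in candidates), key=len)
    allowed = all(not defects for defects in problems.values())
    return allowed, problems


def demo() -> dict:
    """Three constructed scenarios for a record containing general and HIV-related information."""
    today = date(2024, 6, 1)
    rec = Record("P1001", {"general", "hiv"})
    hipaa_only = [Authorization("hipaa", "Acme Insurance", "claims", date(2024, 5, 1), date(2025, 5, 1))]
    with_release = hipaa_only + [
        Authorization("phl_27f", "Acme Insurance", "claims review", date(2024, 5, 1), date(2024, 8, 1))
    ]
    return {
        "hipaa_only": evaluate_disclosure(rec, hipaa_only, "Acme Insurance", today),
        "with_27f_release": evaluate_disclosure(rec, with_release, "Acme Insurance", today),
        "expired_release": evaluate_disclosure(rec, with_release, "Acme Insurance", date(2024, 9, 1)),
    }


if __name__ == "__main__":
    for name, (allowed, problems) in demo().items():
        print(name, "ALLOW" if allowed else "DENY", problems)
```

Segregating mental health and HIV content into their own categories in the EHR is what makes this gate possible: if the record is one undifferentiated blob, the check cannot tell that an Article 27-F release is needed, and the HIPAA authorization will appear sufficient.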
For background on breach notification process design, see HIPAA breach notification templates. For vendor management under both HIPAA BAA and SHIELD Act security requirements, see how small clinics track vendor BAAs.
PHIGuard supports New York clinics in managing the documentation and audit trails that HIPAA and New York state law require — including the 10-day access response tracking and breach notification timelines that PHL §18 and the SHIELD Act impose. See PHIGuard’s compliance tools or review pricing.
Sources
- New York Public Health Law §18 — Patient Access to Health Records · New York State Legislature
- NY SHIELD Act — N.Y. Gen. Bus. Law § 899-aa et seq. · New York State Legislature
- New York Mental Hygiene Law § 33.13 · New York State Legislature
- New York HIV Confidentiality Law — Public Health Law Article 27-F (§§ 2780–2787) · New York State Legislature
- 45 CFR Parts 160 and 164 — HIPAA Privacy and Security Rules · eCFR