Awareness article
HIPAA vs the New York SHIELD Act
New York clinics are subject to both HIPAA and the NY SHIELD Act. This article explains how the two frameworks differ on breach notification, data security requirements, and what NY clinics must do when the state law is stricter.
Short answer
New York clinics covered by HIPAA are also subject to the NY SHIELD Act, which extends data security and breach notification obligations beyond HIPAA's scope. The stricter requirement controls — and for NY clinics, that often means SHIELD Act breach notification requirements govern.
New York healthcare providers operate under two overlapping compliance frameworks: HIPAA (federal) and the New York SHIELD Act (state). An incident that does not trigger HIPAA’s federal notification obligations may still trigger SHIELD Act obligations — and the timelines are different.
What the NY SHIELD Act Is
The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), signed into law in 2019, expanded New York’s data breach notification law and added affirmative data security requirements. The law has two parts:
Expanded breach notification: The SHIELD Act amended New York’s breach notification law (NY General Business Law § 899-aa) to broaden the definition of a breach, expand the types of data covered, and add notification requirements beyond what the original law required.
Reasonable security standard: The SHIELD Act added NY General Business Law § 899-bb, which requires businesses that own, license, or maintain private information of New York residents to implement reasonable safeguards to protect it.
Who the SHIELD Act Covers
Unlike HIPAA, which applies specifically to covered entities in the healthcare industry, the SHIELD Act applies broadly: any person or business that owns, licenses, or maintains private information about New York residents is subject to its breach notification and security requirements.
This means:
- Healthcare providers covered by HIPAA are also subject to the SHIELD Act
- Healthcare providers NOT covered by HIPAA (some wellness businesses, non-covered health-adjacent services) are still subject to the SHIELD Act if they hold private information about NY residents
- Out-of-state businesses that maintain records of NY residents are subject to the SHIELD Act
Key Differences: Breach Notification
HIPAA Breach Notification
HIPAA requires covered entities to notify affected individuals, OCR, and (for large breaches) the media when a breach of unsecured PHI occurs. Under HIPAA, whether an incident counts as a “breach” is determined by the four-factor risk assessment: an incident is not a reportable breach if the covered entity can demonstrate a low probability that the PHI was compromised.
HIPAA notification timeline: Individual notice within 60 days of discovering the breach. OCR notice: within 60 days for breaches affecting 500 or more individuals in a state; annually by March 1 for smaller breaches.
NY SHIELD Act Breach Notification
The SHIELD Act uses a different breach definition and triggers:
Definition of breach under SHIELD Act: Unauthorized access to private information that compromises the security, confidentiality, or integrity of the information. The SHIELD Act does not use HIPAA’s four-factor risk assessment. Its threshold is broader — an incident that passes HIPAA’s low-probability-of-compromise test may still constitute a breach under NY’s definition.
Notification under SHIELD Act: When a breach occurs:
- Affected individuals must be notified “in the most expedient time possible and without unreasonable delay.” NY’s standard is among the fastest in the country, shorter than HIPAA’s 60-day window.
- NY Attorney General’s office must be notified for breaches affecting 500+ NY residents. This is a direct obligation to the state AG, separate from HIPAA’s OCR notification.
- Three major credit reporting agencies must be notified if the breach affects 5,000 or more NY residents
- State-specific agencies (NYDFS for financial entities, NY Department of Health for health information) may have additional notification requirements
The Practical Interaction
| Scenario | HIPAA Requires | SHIELD Act Requires |
|---|---|---|
| Breach of ePHI affecting 200 NY patients | Individual notice + annual OCR report | Individual notice (expeditiously) + AG notice |
| Incident involving health data not meeting HIPAA’s four-factor test | No notification required | May still require notification under SHIELD Act |
| Breach affecting 1,000 NY residents | Individual + OCR + media notice | Individual + AG notice |
A NY clinic that runs a breach incident through HIPAA’s analysis and concludes “not reportable” must still run the same incident through the SHIELD Act analysis. Stopping at the HIPAA conclusion is the compliance gap.
Security Requirements: How They Interact
The SHIELD Act requires businesses to implement “reasonable safeguards” to protect private information. For small businesses, the law provides a simplified standard: reasonable security based on the size and complexity of the business. Larger organizations must meet more comprehensive requirements.
The SHIELD Act includes a compliance safe harbor: a covered entity under HIPAA that maintains a security program consistent with those regulations is “deemed to be in compliance” with the SHIELD Act’s reasonable security standard (§ 899-bb(2)(c)). NY clinics running a functional HIPAA Security Rule program — risk analysis, written policies, workforce training, access controls — satisfy the SHIELD Act’s security standard automatically.
The breach notification obligations are not covered by that safe harbor. HIPAA compliance does not eliminate NY’s distinct notification requirements.
What NY Clinics Should Do
- Apply both frameworks to breach incidents. When a security incident occurs, run it through HIPAA’s four-factor breach assessment and NY’s SHIELD Act breach definition separately.
- Build SHIELD Act notification into the incident response plan. The incident response procedure should include: if the incident triggers SHIELD Act obligations, notify the NY AG’s office and individuals on NY’s timeline (typically shorter than HIPAA’s 60-day window).
- Maintain HIPAA-level security. The HIPAA Security Rule program satisfies the SHIELD Act’s security standard. No separate security program is required.
- Consult NY-specific legal guidance for multi-state incidents. A breach affecting patients from multiple states may trigger different state notification requirements for each state. NY’s is among the most demanding.
- Know the NY AG’s reporting portal. The NY AG’s office has a breach notification reporting mechanism. Know where it is before you need it.
NY clinics can manage HIPAA and SHIELD Act compliance within a single program. The critical piece is breach response: the procedure must explicitly account for both frameworks’ notification obligations, including the NY AG notification step that HIPAA does not require.
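The dual analysis described above, written out as an incident response triage step. This is an added example, not part of the article and not an authoritative reading of either statute: it encodes the triggers, timelines and thresholds exactly as the article states them (HIPAA’s 60-day individual notice, OCR notice at 500+ individuals or the annual March 1 report, SHIELD’s “most expedient time possible” standard, credit reporting agencies at 5,000+ NY residents) so that a playbook evaluates both frameworks for every incident rather than stopping at a HIPAA “not reportable” conclusion. The `Incident` fields, the sample incidents and the notice strings are constructed for illustration. The AG trigger uses the 500-resident figure given in the notification section above; the comparison table lists AG notice for a 200-patient breach as well, so confirm the current statutory trigger under § 899-aa before adopting either figure.

```python
"""Dual-framework breach triage for a New York clinic (added example).

Encodes the HIPAA Breach Notification Rule and NY SHIELD Act triggers as the
article states them, so an incident response playbook runs BOTH analyses and
flags the gap the article warns about. Thresholds and wording here are taken
from the article text; confirm them against the statutes before relying on them.
"""
from dataclasses import dataclass

# Thresholds as stated in the article text.
HIPAA_OCR_PROMPT_THRESHOLD = 500  # 500+ individuals: OCR within 60 days, else annual report by March 1
HIPAA_MEDIA_THRESHOLD = 500       # media notice when more than 500 residents of one state are affected
SHIELD_AG_THRESHOLD = 500         # article: AG notice for 500+ NY residents (confirm; see lead-in)
SHIELD_CRA_THRESHOLD = 5000       # article: three major credit reporting agencies at 5,000+ NY residents


@dataclass(frozen=True)
class Incident:
    """Facts gathered during triage. Field names are this example's own."""
    description: str
    unauthorized_access: bool              # data was accessed without authorization
    unsecured_phi: bool                    # PHI of a HIPAA covered entity that was not secured (e.g. encrypted)
    low_probability_of_compromise: bool    # outcome of HIPAA's four-factor risk assessment
    compromises_private_information: bool  # SHIELD: security, confidentiality or integrity compromised
    individuals_affected: int              # total individuals affected (all states)
    ny_residents_affected: int             # subset who are NY residents


def hipaa_obligations(inc: Incident) -> list[str]:
    """HIPAA: a breach of unsecured PHI is reportable unless the covered entity
    demonstrates a low probability that the PHI was compromised."""
    if not (inc.unauthorized_access and inc.unsecured_phi):
        return []
    if inc.low_probability_of_compromise:
        return []  # not a HIPAA breach; the SHIELD analysis below must still run
    notices = ["HIPAA: notify affected individuals within 60 days of discovery"]
    if inc.individuals_affected >= HIPAA_OCR_PROMPT_THRESHOLD:
        notices.append("HIPAA: notify OCR within 60 days of discovery")
    else:
        notices.append("HIPAA: log for annual OCR report due March 1")
    if inc.ny_residents_affected > HIPAA_MEDIA_THRESHOLD:
        notices.append("HIPAA: notify prominent media outlets serving New York")
    return notices


def shield_obligations(inc: Incident) -> list[str]:
    """SHIELD Act: no four-factor test. Unauthorized access that compromises
    private information of NY residents is a breach."""
    if inc.ny_residents_affected == 0:
        return []
    if not (inc.unauthorized_access and inc.compromises_private_information):
        return []
    notices = ["SHIELD: notify affected NY residents in the most expedient time "
               "possible and without unreasonable delay"]
    if inc.ny_residents_affected >= SHIELD_AG_THRESHOLD:
        notices.append("SHIELD: notify the NY Attorney General's office")
    if inc.ny_residents_affected >= SHIELD_CRA_THRESHOLD:
        notices.append("SHIELD: notify the three major credit reporting agencies")
    return notices


def triage(inc: Incident) -> dict:
    """Run both analyses; flag incidents that HIPAA clears but SHIELD does not."""
    hipaa = hipaa_obligations(inc)
    shield = shield_obligations(inc)
    return {
        "hipaa": hipaa,
        "shield": shield,
        "hipaa_only_analysis_would_miss_notice": not hipaa and bool(shield),
    }


# Constructed sample incidents mirroring the article's comparison table.
SAMPLE_INCIDENTS = [
    Incident("Unencrypted ePHI exposed, 200 NY patients", True, True, False, True, 200, 200),
    Incident("Incident clearing HIPAA's four-factor test, 40 NY residents", True, True, True, True, 40, 40),
    Incident("Unencrypted ePHI exposed, 1,000 NY residents", True, True, False, True, 1000, 1000),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        result = triage(inc)
        print(inc.description)
        for line in result["hipaa"] + result["shield"]:
            print("  -", line)
        if result["hipaa_only_analysis_would_miss_notice"]:
            print("  ! HIPAA analysis alone would have missed a SHIELD Act notice")
```

The second sample incident is the one the article calls the compliance gap: `hipaa_obligations` returns nothing because the four-factor test was satisfied, yet `shield_obligations` still requires individual notice, and `triage` flags it. Keeping the thresholds as named constants means a clinic can update a single figure when counsel confirms the current statutory trigger.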
Sources
- NY SHIELD Act — NY General Business Law § 899-bb · NY State Senate
- HIPAA Breach Notification Rule — 45 CFR § 164.400-414 · eCFR
- NY Attorney General — Data Security · NY Attorney General