The Stop Hacks and Improve Electronic Data Security (SHIELD) Act took effect in March 2020 and substantially expanded New York's data breach notification and security requirements. For healthcare organizations already subject to HIPAA, SHIELD adds a parallel state compliance regime with its own definitions, obligations, and enforcement. Understanding where SHIELD overlaps, where it diverges, and where it adds obligations on top of HIPAA is essential for any practice serving New York residents — whether based in NYC, upstate, or out of state with New York patients.
Who SHIELD Applies To
SHIELD applies to any person or business that owns or licenses computerized data containing the private information of a New York resident, regardless of where the business is located. There is no healthcare carve-out — healthcare organizations are covered in full.
A Dallas-based telehealth company serving New York patients is subject to SHIELD. A New Jersey specialty practice with New York referrals is subject to SHIELD. A Manhattan-based physician group is squarely subject to SHIELD.
What Counts as "Private Information"
SHIELD defines private information broadly:
- Social Security numbers
- Driver's license or non-driver ID numbers
- Account, credit card, or debit card numbers (with or without security codes)
- Biometric information
- Username or email in combination with a password or security question/answer
- Username or email in combination with information that would permit access to an online account
Importantly for healthcare, SHIELD includes medical information and health insurance information within its broader definition of "private information" via the 2019 amendment. Any data breach involving a New York resident's medical records falls under SHIELD's breach notification provisions.
How SHIELD and HIPAA Interact
HIPAA preempts state law only to the extent the state law is contrary. SHIELD and HIPAA are generally not contrary — they are complementary, with SHIELD adding state obligations that HIPAA does not cover.
When a breach of health information occurs, a HIPAA-covered entity typically must:
- Comply with HIPAA's Breach Notification Rule (HHS, affected individuals, and media for 500+)
- Comply with SHIELD's breach notification requirements (affected NY residents, NY Attorney General, NY Department of State, and consumer reporting agencies for larger breaches)
- Comply with any other overlapping state breach laws (if the breach affects residents of other states)
SHIELD's notification to the NY Attorney General is due "as expediently as possible." In practice, align notification with HIPAA's 60-day outer limit, but treat anything beyond 30 days as high-scrutiny.
Reasonable Security Requirements
This is where SHIELD most meaningfully extends state obligations for healthcare. SHIELD requires any business handling private information of New York residents to implement a data security program with:
Administrative Safeguards
- Designate employees to coordinate the program
- Identify reasonably foreseeable risks
- Assess existing safeguards
- Train employees in security practices
- Select service providers capable of maintaining appropriate safeguards and require those safeguards by contract
- Adjust the program in light of business changes or new circumstances
Technical Safeguards
- Assess risks in network and software design
- Assess risks in information processing, transmission, and storage
- Detect, prevent, and respond to attacks or system failures
- Regularly test and monitor the effectiveness of key controls
Physical Safeguards
- Assess risks of information storage and disposal
- Detect, prevent, and respond to intrusions
- Protect against unauthorized access to or use of private information during or after collection, transport, and destruction or disposal
- Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes
For HIPAA-covered entities, full compliance with HIPAA's Security Rule generally satisfies SHIELD's reasonable security requirements. But "generally" matters — SHIELD's emphasis on service provider due diligence, employee training, and disposal goes beyond some HIPAA implementations. The "train employees in security practices" requirement in particular is where we find New York practices under-documented.
Service Provider Due Diligence
SHIELD requires covered businesses to "select service providers capable of maintaining appropriate safeguards" and to require those safeguards by contract. For healthcare, this overlaps heavily with HIPAA Business Associate obligations — but SHIELD reaches non-HIPAA vendors too.
A New York practice that uses a non-HIPAA-covered marketing vendor, a general IT managed services provider, or an email marketing platform must ensure those vendors provide appropriate safeguards, even if they are not HIPAA business associates.
Small Business Safe Harbor
SHIELD provides a limited safe harbor for small businesses — those with fewer than 50 employees, less than $3 million in gross annual revenue for each of the last three fiscal years, and less than $5 million in year-end total assets. Small businesses may implement a data security program that is "appropriate" for the size and complexity of the business.
For healthcare, this safe harbor rarely applies — most covered practices exceed these thresholds by headcount or revenue. Rely on full compliance, not the small-business provision.
Breach Notification Specifics
SHIELD's breach notification requirements include:
- Notify affected New York residents in writing, by email, or by phone (depending on contact method and feasibility)
- Notify the NY Attorney General, NY Department of State, and NY State Police
- If more than 5,000 NY residents are affected, notify consumer reporting agencies
- Content requirements include the nature of the breach, type of information involved, and contact information for further inquiry
Notification substitutes are permitted if direct notification costs exceed $250,000, more than 500,000 residents are affected, or the business lacks sufficient contact information. Substitute notification includes email, conspicuous website posting, and statewide media notification.
Enforcement
The New York Attorney General enforces SHIELD. Penalties can reach $20 per instance of failed notification (up to $250,000) and up to $5,000 per violation for reasonable security failures. Class action risk also exists under New York state consumer protection law.
Action Items for a New York Healthcare Practice
- Document a written information security program that addresses administrative, technical, and physical safeguards per SHIELD's specific language
- Map vendor relationships to ensure service provider due diligence is documented for SHIELD, not just HIPAA
- Update breach notification playbook to include NY AG, DoS, and State Police notification
- Confirm employee security training is documented on a cadence that satisfies both HIPAA and SHIELD
- Review disposal procedures for private information "no longer needed for business purposes"
- Verify that the breach notification workflow handles non-HIPAA SHIELD-covered private information (driver's licenses, financial information) in addition to PHI
For a New York-specific compliance assessment addressing SHIELD alongside HIPAA, see our healthcare compliance services or schedule a consultation. We support NYC-area and statewide practices with the regulatory overlay that matters.
About the Author
Team Techvera
Articles written collaboratively by the Techvera team, combining expertise across cybersecurity, managed services, and digital transformation.
