New York Healthcare Breach Notification Law: HIPAA and SHIELD Act Requirements and Deadlines



Kevin Henry

Data Breaches

April 16, 2026


SHIELD Act Overview

The SHIELD Act modernizes New York’s Information Security Breach Notification Act and sets statewide, sector-agnostic rules for reporting data breaches involving New York residents—healthcare entities included. It also expands who is covered and strengthens deadlines, creating a unified baseline you must follow in addition to any federal obligations. ([ag.ny.gov](https://ag.ny.gov/resources/organizations/data-breach-reporting/shield-act?utm_source=openai))

Beyond notification, the SHIELD Act requires a data security program with reasonable safeguards—administrative, technical, and physical—to protect private information. If you already comply with regimes like HIPAA or NYDFS Part 500, you are generally deemed compliant, but you still must satisfy New York’s breach notice mechanics. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/GBS/899-BB))

Definition of Private Information

Under New York law, “private information” means personal information combined with specific data elements when unencrypted (or encrypted but the key was compromised). For healthcare, this includes Social Security numbers, driver’s license or ID numbers, bank or card details (including certain account numbers even without a security code), biometric identifiers, medical information, health insurance information, and online credentials (username or email plus password/security answers). ([nysenate.gov](https://www.nysenate.gov/legislation/laws/GBS/899-AA))

Good-faith access by an authorized workforce member that does not lead to misuse is not a “breach,” and encrypted data generally benefits from a safe harbor if the encryption key was not accessed. These definitions drive whether notification is required. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/GBS/899-AA))

Breach Notification Requirements

Who you must notify

  • Affected New York residents: notify “in the most expedient time possible and without unreasonable delay,” and in all cases within 30 days after discovery. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/GBS/899-AA))
  • State regulators: when New Yorkers will be notified, you must also notify the New York Attorney General, Department of State (Division of Consumer Protection), and the New York State Police; DFS must also be notified if you are a 23 NYCRR 500 “covered entity.” ([nysenate.gov](https://www.nysenate.gov/legislation/laws/GBS/899-AA))
  • Consumer reporting agencies: if notice goes to more than 5,000 New York residents, notify the major consumer reporting agencies about timing, content, and distribution. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/GBS/899-AA))
  • Data owners: if you maintain (but do not own) the data, notify the owner or licensee “immediately,” and in all cases within 30 days of discovery. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/GBS/899-AA))

How to notify, and what to include

Permitted methods include written, electronic (with consent), or telephone notice. Notices must include your contact information, identity-theft resources from relevant agencies, and a description of the categories of information reasonably believed to have been accessed or acquired. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/GBS/899-AA))

New York also asks you to share copies of your consumer notice template and details on timing, content, distribution, and approximate affected counts with the required state offices—without delaying consumer notice. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/GBS/899-AA))

Notice may be delayed only if law enforcement determines it would impede a criminal investigation; once that determination changes, you must proceed. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/GBS/899-AA))

30-Day Notification Timeline

New York now sets a hard outer limit: you must notify affected residents within 30 days of discovering a qualifying breach. Entities that merely maintain data must alert the data owner within the same 30-day window. This 30-day clock runs from discovery, subject only to a documented law‑enforcement delay. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/GBS/899-AA))

Practical countdown for healthcare entities

  • Days 0–1: Triage, contain, preserve logs, and open your incident record.
  • Days 2–7: Determine scope, affected data elements (e.g., PHI, online credentials), and whether encryption keys were accessed.
  • Days 8–14: Draft resident notices; prepare regulator notifications and, if >5,000 residents, line up consumer reporting agency notifications. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/GBS/899-AA))
  • Days 15–20: Finalize recipient lists; secure legal review, especially if HIPAA also applies.
  • Days 21–30: Send resident notices; file with the Attorney General, Department of State, and State Police (and DFS if covered), ensuring you do not delay resident notice. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/GBS/899-AA))

If you conclude notice is not required due to an inadvertent, low‑risk exposure by an authorized person, document that determination and keep it for five years; if 500+ New York residents were affected, send the determination to the Attorney General within 10 days. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/GBS/899-AA))


Exceptions to Notification Requirements

Exceptions include: (1) documented, inadvertent exposure by an authorized person that is not likely to result in misuse or financial/emotional harm (with 5‑year retention of the determination and 10‑day AG notice if 500+ residents were affected); (2) law‑enforcement delay; and (3) encryption safe harbor when the key was not accessed. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/GBS/899-AA))

If you already notify individuals under HIPAA, GLBA, NYDFS Part 500, or comparable rules, New York does not require duplicative individual notices. However, you still must notify the New York Attorney General, Department of State, State Police, and (if applicable) consumer reporting agencies as described above. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/GBS/899-AA))

Penalties for Violations

The Attorney General can seek injunctive relief and damages for actual costs or losses if required notification was not provided. Knowing or reckless violations can trigger civil penalties: the greater of $5,000 or up to $20 per instance of failed notification, capped at $250,000. ([newyork.public.law](https://newyork.public.law/laws/n.y._general_business_law_section_899-aa))

Separately, failing to maintain reasonable safeguards under the SHIELD Act is deemed a violation of GBL §349 and may carry civil penalties under §350‑d (up to $5,000 per violation), in addition to injunctive relief. This makes maintaining reasonable administrative, technical, and physical safeguards a compliance priority for healthcare organizations. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/GBS/899-BB))

Interaction with HIPAA

HIPAA’s Breach Notification Rule requires notice to affected individuals without unreasonable delay and no later than 60 days from discovery, plus notice to HHS (immediately for 500+ individuals; annually for fewer than 500) and, for 500+ residents of a state, notice to prominent media. These federal clocks can run concurrently with New York’s 30‑day state requirement. ([ecfr.io](https://ecfr.io/Title-45/Section-164.404?utm_source=openai))

Under New York law, if you provide HIPAA notices to individuals, you generally do not need to send a second individual notice under the SHIELD Act. But you must still notify New York regulators (AG, Department of State, and State Police), and, under a recent amendment, if you must report a breach to HHS under HIPAA, you must notify the New York Attorney General within five business days after notifying HHS. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/GBS/899-AA))

Conclusion

For healthcare entities, New York’s SHIELD Act sets a 30‑day resident‑notice clock and clear regulator‑notice duties that sit alongside HIPAA’s 60‑day framework. Build your response plan around the shortest applicable deadline, document any exceptions, and maintain reasonable administrative safeguards to reduce risk and penalties. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/GBS/899-AA))

FAQs

What are the notification deadlines under the SHIELD Act?

You must notify affected New York residents without unreasonable delay and, in all cases, within 30 days of discovering a qualifying breach. If you only maintain (but don’t own) the data, you must notify the data owner within the same 30‑day period. Notice may be delayed only while law enforcement determines that notification would impede a criminal investigation. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/GBS/899-AA))

How does the SHIELD Act interact with HIPAA notification requirements?

Sending HIPAA notices to individuals generally satisfies New York’s individual‑notice obligation, but you still must notify New York regulators. In addition, if you report a breach to HHS under HIPAA, you must notify the New York Attorney General within five business days after notifying HHS. Remember, HIPAA has a 60‑day outer limit to notify individuals; New York’s 30‑day rule is shorter, so plan for the earliest deadline. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/GBS/899-AA))

What exemptions exist for breach notifications under the SHIELD Act?

No resident notice is required when an authorized person inadvertently exposes information and you reasonably determine misuse or harm is unlikely; keep that determination for five years, and submit it to the Attorney General within 10 days if 500+ residents were affected. The encryption safe harbor (where the encryption key was not accessed) and law‑enforcement delay are also recognized exceptions. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/GBS/899-AA))

What penalties apply for non-compliance with New York breach notification laws?

The Attorney General may seek injunctive relief and damages; civil penalties can be the greater of $5,000 or up to $20 per failed notification, capped at $250,000. Separately, failing to implement reasonable safeguards can trigger penalties under GBL §350‑d of up to $5,000 per violation. ([newyork.public.law](https://newyork.public.law/laws/n.y._general_business_law_section_899-aa))
