NYS HIPAA Compliance: What You Need to Know About New York Requirements and Patient Privacy
NYS HIPAA compliance means meeting federal HIPAA standards and layering in New York–specific rules that are more protective of patients. This guide maps the major state requirements you must track—privacy, cybersecurity, incident reporting, and breach notification—so you can align policies, train staff, and reduce enforcement risk.
HIPAA Compliance in New York
How HIPAA and New York law work together
HIPAA sets the floor for privacy and security; New York laws can be stricter and must also be followed. Key overlays include patient access rights under Public Health Law § 18, heightened confidentiality for mental health and HIV information, and professional conduct rules that treat unauthorized disclosures as misconduct. Together, these rules shape what you can share, with whom, and on what legal basis. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/PBH/18?utm_source=openai))
Stricter confidentiality you must honor
New York’s Mental Hygiene Law § 33.13 tightly restricts disclosure of clinical records from mental health services, and Article 27‑F (PHL § 2782 et seq.) imposes detailed consent and redisclosure limits for HIV‑related information. These provisions are stricter than HIPAA in many scenarios, so your workflows should default to the state rules when they apply. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/MHY/33.13?utm_source=openai))
Patient access and records handling
Under PHL § 18, patients and other qualified persons have a right to inspect and obtain copies of their medical records, with defined procedures for limited denials and appeals through the Medical Record Access Review Committee. Ensure your release-of-information process tracks the statute’s timelines and form requirements. ([healthweb-back.health.ny.gov](https://healthweb-back.health.ny.gov/professionals/patients/patient_rights/access_to_patient_information.htm?utm_source=openai))
“Ex-parte Interview Prohibition” in litigation
New York generally restricts ex‑parte contact with treating clinicians about a litigant’s care unless the patient provides a HIPAA‑compliant authorization or a court order. The state’s highest court confirmed that informal defense interviews are permissible only with proper HIPAA authorization, so train staff to decline unsanctioned outreach. ([law.cornell.edu](https://www.law.cornell.edu/nyctap/I07_0160.htm?utm_source=openai))
Policy signal: Public Health Law § 2997
PHL § 2997, titled “Patient Privacy,” directs the NYS Department of Health (DOH) to examine state privacy protections and assess whether additional safeguards are needed—an indicator of New York’s ongoing focus on strengthening patient privacy beyond HIPAA. ([law.justia.com](https://law.justia.com/codes/new-york/pbh/article-29-d/title-1/2997/?utm_source=openai))
New York State Cybersecurity Regulations
10 NYCRR 405.46 for general hospitals
New York adopted hospital‑specific cybersecurity requirements effective October 2, 2024. General hospitals must maintain a risk‑based cybersecurity program, designate a qualified CISO (employee or approved third party), conduct testing (including annual penetration tests), use MFA for external access, keep six years of program and audit‑trail records, and follow a written incident response plan. ([law.cornell.edu](https://www.law.cornell.edu/regulations/new-york/10-NYCRR-405.46))
Cybersecurity incident reporting
Hospitals must notify DOH “as promptly as possible, but no later than 72 hours” after determining that a reportable cybersecurity incident has occurred; this DOH notice does not replace other required notifications under state or federal law. Maintain required documentation for six years. ([law.cornell.edu](https://www.law.cornell.edu/regulations/new-york/10-NYCRR-405.46))
Other New York frameworks you may trigger
- DFS 23 NYCRR 500 (for DFS‑regulated entities such as health insurers) requires 72‑hour incident notices and separate 24‑hour ransom payment reporting, plus a 30‑day post‑payment explanation. Coordinate these with HIPAA and DOH obligations. ([dfs.ny.gov](https://www.dfs.ny.gov/industry_guidance/cybersecurity?utm_source=openai))
- Municipal corporations and public authorities in New York must report cyber incidents within 72 hours and ransom payments within 24 hours to DHSES; public‑sector hospitals should confirm applicability. ([dhses.ny.gov](https://www.dhses.ny.gov/cybersecurity-incident-and-ransom-payment-reporting?utm_source=openai))
Patient Privacy Laws in New York
Core state rules that sit on top of HIPAA
- PHL § 18: Patient access rights and MRARC appeals for denials. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/PBH/18?utm_source=openai))
- Mental Hygiene Law § 33.13: Strict confidentiality for mental health clinical records. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/MHY/33.13?utm_source=openai))
- PHL Article 27‑F (§ 2782 et seq.): Detailed consent and redisclosure rules for HIV‑related information. ([law.justia.com](https://law.justia.com/codes/new-york/pbh/article-27-f/2782/?utm_source=openai))
- Education Law § 6530(23): Professional misconduct for revealing personally identifiable patient facts without consent, except as authorized or required by law. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/EDN/6530?utm_source=openai))
For substance use disorder records created in federally assisted programs, also account for 42 CFR Part 2’s heightened consent and redisclosure limits in addition to New York law. (General principle noted here; verify program status during intake.)
Personal Privacy Protection Law
New York’s Personal Privacy Protection Law (Public Officers Law, Art. 6‑A) governs how state agencies collect, use, disclose, and allow access to personal information. If you operate within, or on behalf of, a NYS agency (including certain state‑run clinics or programs), you must provide access and correction rights and limit collection to what is “relevant and necessary.” This statute does not generally apply to private hospitals but is critical for state entities handling patient data. ([opengovernment.ny.gov](https://opengovernment.ny.gov/what-you-should-know-nys-personal-privacy-protection-law-pppl?utm_source=openai))
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Family Health Care Decisions Act
The Family Health Care Decisions Act (PHL Article 29‑CC) authorizes a prioritized surrogate—such as a spouse, domestic partner, family member, or close friend—to make health care decisions when a patient lacks capacity and has no agent. In practice, this means you may disclose the minimum necessary information to the patient’s lawful surrogate to support informed consent and care coordination. ([nysba.org](https://nysba.org/fhcda-resource-center/?utm_source=openai))
Restrictions on Broadcasting Patient Information
Media access and filming inside facilities
Under HIPAA, you may not invite or allow media (including film crews) into treatment areas where PHI is accessible unless every identifiable patient has given prior written authorization. Post‑filming blurring is not a substitute for authorization; the NewYork‑Presbyterian “NY Med” case led to a $2.2 million OCR settlement and a corrective action plan reinforcing this point. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2023/film-and-media/index.html?utm_source=openai))
Privacy and publicity rights under New York law
New York recognizes statutory privacy/publicity protections: Civil Rights Law §§ 50–51 bar using a living person’s name, picture, likeness, or voice for advertising or trade without written consent, exposing violators to injunctions and damages. This sits alongside hospital patient‑rights regulations requiring privacy and confidentiality during care. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/CVR/51?utm_source=openai))
Data Breach Notification Requirements
The SHIELD Act and GBL § 899‑aa
New York’s SHIELD Act (GBL § 899‑aa) requires notice to affected residents “in the most expedient time possible and without unreasonable delay,” and in all cases within 30 days of discovery, with narrow exceptions. You must also notify the NY Attorney General, Department of State, and State Police; if more than 5,000 NY residents are notified, inform consumer reporting agencies as well. Maintain a written determination for inadvertent disclosures and submit it to the AG if over 500 residents are affected. ([law.justia.com](https://law.justia.com/codes/new-york/gbs/article-39-f/899-aa/?utm_source=openai))
When HIPAA also applies
If a breach triggers HIPAA breach notification, you must still file state notices (and DFS notices if you are a covered entity under 23 NYCRR 500). The AG’s guidance details obligations and penalties, including up to $250,000 for untimely consumer notice and up to $5,000 per violation for failure to maintain reasonable safeguards. ([ag.ny.gov](https://ag.ny.gov/resources/organizations/data-breach-reporting/shield-act?utm_source=openai))
Conclusion
NYS HIPAA compliance means operationalizing HIPAA’s floor plus New York’s stricter privacy and cybersecurity rules. Build policies that honor specialty confidentiality (mental health, HIV), harden systems under 10 NYCRR 405.46, prepare 72‑hour Cybersecurity Incident Reporting to DOH, and meet SHIELD Act breach‑notice timelines. Doing so protects patients—and your organization.
FAQs
What are the key HIPAA compliance requirements in New York State?
Start with HIPAA privacy, security, and breach‑notification standards, then add New York’s overlays: PHL § 18 access rights, Mental Hygiene Law § 33.13 for mental health records, and PHL Article 27‑F for HIV‑related information. Train clinicians on New York’s limits for ex‑parte interviews and require HIPAA‑compliant authorizations before any informal outreach about a patient’s care. ([nysenate.gov](https://www.nysenate.gov/legislation/laws/PBH/18?utm_source=openai))
How does the Personal Privacy Protection Law affect patient data handling?
PPPL applies to New York State agencies, not most private providers. If you are part of, or acting for, a state agency, you must follow PPPL rules on notice, access, correction, and limits on collection and disclosure of personal information—on top of HIPAA and other health‑privacy laws. ([opengovernment.ny.gov](https://opengovernment.ny.gov/what-you-should-know-nys-personal-privacy-protection-law-pppl?utm_source=openai))
What are the penalties for HIPAA violations in New York?
Enforcement can come from multiple fronts. Federally, HIPAA carries tiered civil penalties (inflation‑adjusted; caps can reach into the millions per year for identical violations) and criminal penalties for wrongful disclosures. In New York, the Attorney General can seek penalties under the SHIELD Act (e.g., up to $250,000 for untimely consumer notice) and DOH can fine hospitals under PHL § 12 for violating state health regulations, with higher amounts for repeat or harmful violations. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.404?utm_source=openai))
How must hospitals report cybersecurity incidents under NYS regulations?
Under 10 NYCRR 405.46, general hospitals must notify the NYS Department of Health as promptly as possible, but no later than 72 hours after determining a reportable cybersecurity incident, and retain related documentation for six years. This does not replace other notices (e.g., SHIELD Act or, if applicable, DFS 23 NYCRR 500). Public‑sector hospitals should also check DHSES reporting rules for municipal entities. ([law.cornell.edu](https://www.law.cornell.edu/regulations/new-york/10-NYCRR-405.46))