SHIELD vs CCPA on health (NY vs CA)
New York's SHIELD Act sets data-security and breach-notification obligations for personal information of NY residents. CCPA/CPRA grants California residents privacy rights — but exempts most PHI handled under HIPAA.
Last reviewed May 24, 2026
Side by side
SHIELD (New York)
Stop Hacks and Improve Electronic Data Security Act — New York statute imposing data-security and breach-notification duties on any business holding the private information of NY residents.
N.Y. Gen. Bus. Law §§ 899-aa, 899-bb- N.Y. Gen. Bus. Law § 899-aa, 899-bb.
- Reasonable safeguards requirement applies even to entities not domiciled in NY.
- Breach notification triggered by unauthorized access (not just acquisition).
CCPA / CPRA (California, on health)
California Consumer Privacy Act (as amended by CPRA) — grants California consumers rights of access, deletion, correction, and opt-out for personal information held by businesses. Mostly exempts PHI handled by HIPAA covered entities and BAs.
Cal. Civ. Code § 1798.100 et seq.- Cal. Civ. Code §§ 1798.100 et seq.
- PHI handled by HIPAA covered entities/BAs in their HIPAA capacity is exempt.
- Patient-facing apps not covered by HIPAA still fall under CCPA.
When to use SHIELD (New York)
- Any practice holding NY-resident PII — implement the SHIELD safeguards program and integrate the breach-notification triggers.
When to use CCPA / CPRA (California, on health)
- Patient-facing app or service holding consumer health info outside HIPAA — CCPA rights apply.
- Vendor providing consumer-health services to CA residents that does not also operate as a BA — CCPA applies.
Common mistakes
- Assuming HIPAA preempts CCPA — only the HIPAA-capacity PHI is exempt; the rest of the business may still be covered.
- Assuming SHIELD only applies to NY-domiciled businesses — it follows the resident.
- Mapping SHIELD's breach trigger to HIPAA's — SHIELD includes unauthorized access without acquisition.
Sources
- NY OAG — SHIELD Act Resourceshttps://ag.ny.gov/internet/data-breach
- California OAG — CCPAhttps://oag.ca.gov/privacy/ccpa
Related
Track state coverage in the SRA readiness check
Open sra studio →D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
This comparison is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at CMS, HHS, OCR, eCFR, NIST, and the relevant payer or state regulator. Last reviewed May 24, 2026.