Comparison · Privacy

SHIELD vs CCPA on health (NY vs CA)

New York's SHIELD Act sets data-security and breach-notification obligations for personal information of NY residents. CCPA/CPRA grants California residents privacy rights — but exempts most PHI handled under HIPAA.

Last reviewed May 24, 2026

Side by side

Option A

SHIELD (New York)

Stop Hacks and Improve Electronic Data Security Act — New York statute imposing data-security and breach-notification duties on any business holding the private information of NY residents.

N.Y. Gen. Bus. Law §§ 899-aa, 899-bb
  • N.Y. Gen. Bus. Law § 899-aa, 899-bb.
  • Reasonable safeguards requirement applies even to entities not domiciled in NY.
  • Breach notification triggered by unauthorized access (not just acquisition).
Option B

CCPA / CPRA (California, on health)

California Consumer Privacy Act (as amended by CPRA) — grants California consumers rights of access, deletion, correction, and opt-out for personal information held by businesses. Mostly exempts PHI handled by HIPAA covered entities and BAs.

Cal. Civ. Code § 1798.100 et seq.
  • Cal. Civ. Code §§ 1798.100 et seq.
  • PHI handled by HIPAA covered entities/BAs in their HIPAA capacity is exempt.
  • Patient-facing apps not covered by HIPAA still fall under CCPA.
Primary focus
SHIELDSecurity + breach notification
CCPAConsumer privacy rights (access, deletion, opt-out)
Applies to PHI
SHIELDYes — overlays HIPAA
CCPAMostly exempts PHI in HIPAA-handler capacity; applies to non-HIPAA consumer-health data
Geographic reach
SHIELDAny entity holding NY-resident personal information
CCPABusinesses meeting CCPA thresholds collecting personal info of CA residents
Private right of action
SHIELDLimited (data-breach context)
CCPAYes — limited to breach of specific categories with reasonable-security failure

When to use SHIELD (New York)

  • Any practice holding NY-resident PII — implement the SHIELD safeguards program and integrate the breach-notification triggers.

When to use CCPA / CPRA (California, on health)

  • Patient-facing app or service holding consumer health info outside HIPAA — CCPA rights apply.
  • Vendor providing consumer-health services to CA residents that does not also operate as a BA — CCPA applies.

Common mistakes

  • Assuming HIPAA preempts CCPA — only the HIPAA-capacity PHI is exempt; the rest of the business may still be covered.
  • Assuming SHIELD only applies to NY-domiciled businesses — it follows the resident.
  • Mapping SHIELD's breach trigger to HIPAA's — SHIELD includes unauthorized access without acquisition.

Sources

Take it into the workspace

Track state coverage in the SRA readiness check

Open sra studio
Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

This comparison is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at CMS, HHS, OCR, eCFR, NIST, and the relevant payer or state regulator. Last reviewed May 24, 2026.