New York SHIELD Act for Medical Practices: The Reasonable Safeguards Standard
9 min read · Last reviewed May 23, 2026
The New York SHIELD Act (Stop Hacks and Improve Electronic Data Security Act), codified at New York General Business Law §§ 899-aa and 899-bb, imposes a "reasonable safeguards" data-security standard and expands breach-notification scope to include unauthorized access (not just acquisition). For HIPAA-covered medical practices, the single biggest divergence is the § 899-bb HIPAA safe harbor: if you are Security Rule compliant, you are deemed in compliance with the safeguards prong — but § 899-aa breach notice still runs on top.
What the SHIELD Act actually requires
The SHIELD Act took effect in two phases: the § 899-aa breach-notification expansion on October 23, 2019, and the § 899-bb data-security requirements on March 21, 2020. The statute is codified at N.Y. General Business Law Article 39-F. The Act amended the prior Information Security Breach and Notification Act and adds a forward-looking data-security obligation.
Core SHIELD obligations:
- Reasonable safeguards under § 899-bb(2)(b)(i) — the practice must develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of private information. The statute itemizes administrative (risk assessment, designated coordinator, training, vendor due diligence), technical (network security, software security, encryption), and physical (secure disposal, intrusion detection) elements.
- HIPAA compliance safe harbor under § 899-bb(2)(b)(ii) — a business in compliance with HIPAA's Security Rule is "deemed to be in compliance" with § 899-bb's safeguards requirement. The safe harbor reaches the safeguards prong only; breach notification under § 899-aa applies independently.
- Expanded breach trigger under § 899-aa(1)(c) — the 2019 amendments broadened "breach" from unauthorized acquisition to include unauthorized access. A ransomware attack where data was accessed but not exfiltrated is now a notifiable event in NY even if HIPAA's four-factor analysis at 45 CFR § 164.402 reaches a different conclusion.
- Expanded "private information" definition under § 899-aa(1)(b) — includes health information (medical history, condition, treatment, diagnosis), biometric data, username/email with password, and financial account numbers with security code.
- Notification within 30 days after discovery under § 899-aa(2)(a) — the 2024 amendment fixed the outer notice window at 30 days, subject to a law-enforcement-delay carve-out and to the time reasonably necessary to determine the scope of the breach and restore data-system integrity.
- AG, Department of State, and Consumer Protection notice under § 899-aa(8)(a) — for any breach affecting NY residents, the practice notifies the NY Attorney General, the Department of State Division of Consumer Protection, and the Division of State Police. For entities covered by 23 NYCRR Part 500 (DFS-regulated financial-services entities, including some healthcare-related business lines), notice to the NY Department of Financial Services is also required. Also report to consumer reporting agencies if 5,000+ NY residents are affected.
Where New York is stricter than HIPAA
The comparison table.
| Topic | HIPAA | SHIELD Act | Stricter | |---|---|---|---| | Breach trigger | Acquisition, access, use, or disclosure (45 CFR § 164.402) | Access OR acquisition (Gen. Bus. Law § 899-aa(1)(c)) | NY on access scenarios | | Breach-notice window | 60 days after discovery (45 CFR § 164.404(b)) | 30 days after discovery, subject to law-enforcement delay and scope-determination time (Gen. Bus. Law § 899-aa(2)(a)) | NY (fixed 30-day outer bound) | | Regulator notice on a breach | OCR notification per 45 CFR § 164.408 | NY AG + Dept of State + State Police, plus DFS for 23 NYCRR 500-covered entities (Gen. Bus. Law § 899-aa(8)(a)) | NY (multi-agency, parallel to OCR) | | Safeguards framework | Security Rule risk analysis + 18 specs | Reasonable administrative / technical / physical (Gen. Bus. Law § 899-bb(2)(b)(i)) | Tie; HIPAA safe harbor under § 899-bb(2)(b)(ii) | | Workforce training | Reasonable to job duties (45 CFR § 164.530(b)) | Workforce training on safeguards (Gen. Bus. Law § 899-bb(2)(b)(i)(A)) | Tie | | Vendor due diligence | BAA required (45 CFR § 164.504(e)) | Reasonable vendor diligence + contract (Gen. Bus. Law § 899-bb(2)(b)(i)(C)) | Tie | | AG penalty | None directly (state AG enforcement under 42 USC § 1320d-5(d)) | $5,000 per violation or $20 per failed notification, $250,000 cap (Gen. Bus. Law § 899-aa(6)) | NY for direct AG action | | Private right of action | None | None directly | Tie | | Covered "private information" | PHI focused (45 CFR § 160.103) | PHI + biometrics + credentials + financial (Gen. Bus. Law § 899-aa(1)(b)) | NY on non-PHI identity data |
What practices most often miss is the § 899-aa access-vs-acquisition distinction. A ransomware incident where the practice's HIPAA four-factor risk assessment concludes "low probability of compromise" can still be a SHIELD-notifiable event because the access threshold was triggered. The practice can be on a no-notify posture federally and a notify posture in NY at the same time. NY law controls the NY-resident notification.
Where HIPAA is stricter than SHIELD
Two areas favor the federal regime:
- Prescriptive safeguards. The HIPAA Security Rule at 45 CFR §§ 164.308, 164.310, and 164.312 lists 18 specific standards across administrative, physical, and technical safeguards. SHIELD's § 899-bb is structurally similar but more general. A HIPAA-compliant program inherits more granular requirements than SHIELD demands. This is why the § 899-bb(2)(b)(ii) safe harbor exists in the first place — NY recognized HIPAA's safeguards are at least as protective.
- Civil penalty exposure on a per-incident basis. HIPAA's tier-D willful neglect penalty under 45 CFR § 160.404, as 2026-adjusted under 45 CFR Part 102, reaches $73,011 per violation with a $2,190,294 annual cap per identical-violation type. SHIELD's $250,000 cap under § 899-aa(6)(a) is lower per incident, though it runs in parallel.
- Workforce training specificity. HIPAA at 45 CFR § 164.530(b) prescribes content and timing; SHIELD § 899-bb(2)(b)(i)(A) requires training but is silent on cadence.
Breach notification timeline
New York runs notification on two parallel tracks alongside HIPAA:
- § 899-aa(2)(a) — individual notice within 30 days after discovery, subject to the law-enforcement-delay carve-out and to the time reasonably necessary to determine the scope of the breach and restore data-system integrity. The 2024 amendment fixed the 30-day outer bound; HIPAA's 60-day window is overridden for NY residents.
- § 899-aa(8)(a) — agency notice to the NY Attorney General, Department of State Division of Consumer Protection, and Division of State Police "without delaying notice to affected NY residents," plus notice to the NY Department of Financial Services for entities covered by 23 NYCRR Part 500. The practice submits a Notice of Breach form to each.
- § 899-aa(8)(b) — consumer reporting agency notice if 5,000+ NY residents are affected.
- HIPAA parallel track — 45 CFR § 164.404 60-day individual notice and § 164.408 HHS notice apply on top.
The § 899-aa(2)(b) substitute-notice posture (email + website + statewide media) applies when individual notice would exceed $250,000, when the affected class exceeds 500,000 residents, or when the practice does not have sufficient contact information.
The encryption posture matters. § 899-aa(1)(b) carves encrypted data out of the breach definition if the encryption key was not also compromised — the same safe-harbor structure as Texas and most state breach statutes. Encryption is the highest-leverage SHIELD control.
Penalties and AG enforcement
The numbers:
- § 899-aa(6)(a) breach-notice penalty — up to $20 per instance of failed notification, with a maximum of $250,000. "Per instance" is per affected person, which compounds quickly on a large breach.
- § 899-bb(2)(d) safeguards-failure penalty — up to $5,000 per violation, structured as injunctive relief plus civil penalty.
- NY AG enforcement under § 899-bb(2)(d) — the AG brings actions in NY Supreme Court. Settlements typically include monetary penalty, a multi-year compliance program, and public consent decrees. Recent AG settlements with healthcare actors run between $100,000 and $1M.
- General Business Law § 349 deceptive-acts predicate. A SHIELD violation pleaded as a predicate in a § 349 claim opens a private right of action through that statute, with treble damages capped at $1,000 per claim. The exposure is indirect but real in NY consumer-litigation practice.
- HIPAA parallel exposure under 45 CFR § 160.404 runs on the same incident; OCR and NY AG often coordinate.
Compliance checklist for New York practices
A NY-specific overlay to a HIPAA program:
- Documented HIPAA Security Rule compliance to anchor the § 899-bb(2)(b)(ii) safe harbor — current Security Risk Analysis, risk-management plan, named Security Official, training log.
- NY-aware incident response protocol triggering § 899-aa notice within 30 days of discovery for NY residents, ahead of the HIPAA 60-day track.
- AG / Dept of State / State Police breach-notice templates ready to file, plus a DFS notice template for any business line covered by 23 NYCRR Part 500; counsel review every NY-resident breach for filing posture.
- Encryption on every workstation, portable medium, and ePHI-bearing device — the § 899-aa(1)(b) encryption safe harbor materially narrows the breach surface.
- Vendor diligence under § 899-bb(2)(b)(i)(C) — beyond the HIPAA BAA, document the vendor's security posture (SOC 2, HITRUST, or equivalent attestation) and contract for reasonable safeguards.
- Workforce training that includes the SHIELD access-vs-acquisition distinction and the NY breach-notice triggers, layered on the standard HIPAA training.
- 5,000+ NY-resident class awareness — substitute-notice and consumer-reporting-agency procedures pre-staged for large breaches.
- Identity-data review. SHIELD's "private information" definition reaches beyond PHI to staff biometrics, credentialing data, and patient credentials. Map where each category lives and confirm it sits under reasonable safeguards.
The d3rx compliance binder state-overlay branches on New York and produces the § 899-aa breach-notification workflow, the § 899-bb safeguards documentation anchored to the HIPAA Security Rule safe harbor, and the AG/Dept of State/State Police filing structure a NY practice runs alongside its federal HIPAA backbone. It is an administrative documentation aid; the practice and its counsel remain responsible for actually executing the controls and responding to any NY AG inquiry.
Step 1 · Get the binder
Get the d3rx compliance binder for your practice
Pre-filled to address the gaps this guide covers — New York SHIELD Act for Medical Practices: The Reasonable Safeguards Standard. We will email you the section preview and your binder intake link.
No PHI required. We use your email to send the binder preview and intake link only.
Frequently asked
Is a stolen-laptop notification 15 days or 60 in New York?
Thirty days outer bound in New York. New York General Business Law § 899-aa, as amended in 2024, requires notice to affected New York residents within 30 days after discovery, subject to a law-enforcement-delay carve-out and to the time reasonably necessary to determine the scope of the breach. HIPAA's outer bound is 60 days at [45 CFR § 164.404(b)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404), so for NY residents the 30-day window is the binding deadline. A laptop without encryption that contained patient data triggers both HIPAA breach analysis and § 899-aa notification on the same incident.
Does SHIELD Act create a private right of action against my practice?
No. NY General Business Law § 899-bb does not create an individual cause of action against a covered business. Enforcement is by the New York Attorney General under § 899-bb(2)(d), with penalties up to $5,000 per violation under § 899-aa(6)(a) and additional injunctive remedies. Some NY plaintiffs' firms have pleaded SHIELD violations as predicates in General Business Law § 349 deceptive-acts claims, which do carry a private right of action; that route is indirect but real.
If I already comply with HIPAA, am I exempt from SHIELD?
Partially. NY Gen. Bus. Law § 899-bb(2)(b)(ii) provides a compliance-by-equivalence safe harbor: a practice that is in compliance with the HIPAA Security Rule's safeguards under [45 CFR Part 164 Subpart C](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C) is 'deemed to be in compliance' with the SHIELD reasonable-safeguards requirement. The HIPAA program does not exempt the practice from § 899-aa breach-notification expansion — notification obligations apply on top of HIPAA. So HIPAA compliance carries the safeguards layer; the breach-notice posture is separate.
Does SHIELD apply if my practice is in NJ but I treat NY residents?
Yes. NY Gen. Bus. Law § 899-bb(2)(a) reaches any person or business that 'owns or licenses' computerized data containing the private information of a New York resident, regardless of where the business is located. A New Jersey practice that holds chart data on any NY patient is a SHIELD covered business. The AG has brought enforcement against out-of-state actors. Telehealth into NY counts.
What is 'private information' under SHIELD compared to HIPAA's PHI?
Broader in some respects, narrower in others. Gen. Bus. Law § 899-aa(1)(b) defines private information to include Social Security number, driver's license, financial account with security code, biometric data, and (added in 2019) username/email with password, plus health information that includes a person's medical history, mental or physical condition, treatment, or diagnosis. The health-info expansion is the SHIELD nexus to medical practices. HIPAA's PHI definition at [45 CFR § 160.103](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103) is medically focused; SHIELD's category is broader on the identity-data axis.
What does 'reasonable safeguards' actually require?
Gen. Bus. Law § 899-bb(2)(b)(i) lists administrative, technical, and physical safeguards a practice 'shall' implement — designated coordinator, risk assessment, employee training, vendor due diligence, encryption decision, incident response, secure disposal. The structure tracks the HIPAA Security Rule deliberately, so a HIPAA-compliant practice generally meets it. The standard is 'reasonable' — calibrated to the size, scope, and resources of the practice. A two-provider clinic and a 200-provider group can implement different controls and both satisfy § 899-bb if the choices are documented and defensible.
Turn this into a review-ready binder
The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.
Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- N.Y. General Business Law Article 39-Fhttps://www.nysenate.gov/legislation/laws/GBS/A39-F
- 45 CFR § 164.402https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-A/section-164.402
- 45 CFR § 164.408https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408
- 45 CFR §§ 164.308, 164.310, and 164.312https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C
- 45 CFR § 160.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.404
- 45 CFR § 164.530(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530
- 45 CFR § 164.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404
Sources verified as of May 23, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
California Healthcare Compliance: CMIA + HIPAA — Where They Diverge
9 min readState ComplianceTexas HB 300 for Medical Practices: Training, Audits, and What Differs from HIPAA
8 min readState ComplianceMassachusetts 201 CMR 17.00 for Healthcare: The Written Information Security Program
9 min readRelated across the archive
- ComplianceCalifornia Healthcare Compliance: CMIA + HIPAA — Where They DivergeCalifornia's CMIA (Civ. Code §§ 56–56.37) vs HIPAA: stricter consent, 5-working-day inspection / 15-day copy access, private right of action, up to $25k per knowing-and-willful violation + misdemeanor exposure.
- ComplianceMassachusetts 201 CMR 17.00 for Healthcare: The Written Information Security ProgramMassachusetts 201 CMR 17.00 vs HIPAA for medical practices: mandatory WISP, encryption requirements, M.G.L. c. 93H breach notice, 93A private right of action.
- ComplianceTexas HB 300 for Medical Practices: Training, Audits, and What Differs from HIPAATexas HB 300 (Health & Safety Chapter 181) vs HIPAA: broader covered entities, mandatory 90-day training, 15-day EHR access, $1.5M/year AG penalty cap.
- SRAThe HIPAA Breach Notification Rule, ExplainedThe four-factor risk assessment at 45 CFR 164.402, the 60-day individual notice clock at 164.404, the HHS/media notice paths, and the small-practice annual report under 164.408(c).
- GlossaryePHI (Electronic Protected Health Information)PHI that is created, received, maintained, or transmitted in electronic form.
- RegulationHIPAA Privacy Rule Administrative Requirements (45 CFR 164.530)Designated privacy official, workforce training, safeguards, complaint process, sanctions, mitigation, anti-retaliation, anti-waiver, documentation, and policies and procedures.
- BillingWhat to Do When a Payer Says You're UnderbillingGot a letter saying you're underbilling? Here's what it actually means, whether you should worry, and what action to take.
- StateAlaska healthcare compliance overlayAlaska has no state-specific medical-information privacy statute beyond HIPAA, and no health-data-only breach rule.