US-New York

What obligations do health care providers have regarding patient data in NY?

72 hours: Breach report deadline
5 years: Record retention
Encryption requ: Data security standard
Written consent: For PHI disclosure
The Short Answer

Health care providers in New York must safeguard patient data under state and federal law, including HIPAA, the NY Public Health Law, and the NY General Business Law, with strict requirements for breach notification, consent, and security safeguards.

What the Law Says

New York imposes specific, enforceable obligations on health care providers to protect patient data—going beyond federal HIPAA requirements in several key areas.

Under New York Public Health Law §18, health care providers must maintain the confidentiality of patient information and may only disclose protected health information (PHI) with written patient consent or as permitted by law. This includes electronic, paper, and oral records.

The New York General Business Law §899-aa (part of the SHIELD Act) requires any person or business—including health care providers—that owns or licenses computerized data containing private information of New York residents to implement and maintain reasonable administrative, technical, and physical safeguards. These include encryption of private information both in transit and at rest.

Section 899-aa also mandates that providers notify affected individuals of a data breach involving private information within 72 hours of discovering the breach—unless a longer period is justified by law enforcement. 'Private information' includes personal identifying information combined with health information, biometric data, or account numbers.

Additionally, NY Comp. Codes R. & Regs. tit. 10, §405.9 requires hospitals and certain licensed facilities to adopt written policies governing the use and disclosure of patient information, including staff training and audit procedures.

Statutory Text

"Every health care provider shall maintain the confidentiality of all patient information in its possession or control."
Public Health Law §18(1)

"Any person or business that owns or licenses computerized data which includes private information shall... implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information."
General Business Law §899-aa(2)

"Notice must be provided to affected persons within seventy-two hours after the discovery of the breach..."
General Business Law §899-aa(5)(a)

What to Do

1. Implement written privacy and security policies compliant with PHL §18 and GBL §899-aa
2. Encrypt all electronic protected health information (ePHI) both at rest and in transit
3. Train staff annually on data handling, breach identification, and reporting protocols
4. Report breaches affecting NY residents to the NY State Attorney General, Department of State, and affected individuals within 72 hours
5. Maintain records of disclosures, security assessments, and training for at least 5 years

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.