The New York healthcare network is dense. According to the NY State Department of Health, there are 219 licensed hospitals statewide, with 595 nursing homes registered to the NYS Health Profiles system.
New York also ranks 4th nationally by number of physician group practices. As of April 2025, there were 50,606 active specialty physicians in the state.
With so many organizations and millions of patients, the challenges facing healthcare IT security in New York are daunting.
Research by the cybersecurity firm Bridewell ranks New York third in the country for healthcare data breaches, with 159 incidents affecting 13 million individuals.
That exposure helps explain why New York layers its own regulations on top of federal HIPAA compliance.
For New York healthcare organizations specifically, the state-level requirements come from the New York SHIELD Act, NYDFS 23 NYCRR Part 500, and the proposed New York Health Information Privacy Act (NYHIPA).
Each of these goes beyond what HIPAA asks of New York healthcare organizations, and each carries its own penalties from state regulators, so each has to be met in its own right.
In 2025, the New York Attorney General imposed a $500,000 penalty on Orthopedics NY LLP, citing violations of both HIPAA and state cybersecurity laws following a breach affecting more than 656,000 individuals.
So you need to get familiar with all four compliance layers to protect the sensitive information of both your patients and your employees. Let’s take each of them in turn.
Why Is HIPAA Stricter in 2026 Than It Has Ever Been?
Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) established the federal baseline for how healthcare organizations handle PHI.
HIPAA is organized around three core rules. The Privacy Rule governs who may use and disclose PHI, while the Security Rule sets the administrative, physical, and technical safeguards required to protect ePHI.
The Breach Notification Rule requires notifying affected individuals and HHS after a breach of unsecured PHI, and notifying the media as well when more than 500 residents of a state or jurisdiction are affected.
In 2026, the HIPAA baseline for New York organizations is poised to move significantly. The update to the Security Rule that HHS proposed in January 2025 would, if finalized, make mandatory several safeguards that were previously addressable, meaning an organization could document why it chose not to implement them.
For New York healthcare IT teams, the practical changes are:
- Encryption of ePHI at rest and in transit becomes a required specification rather than an addressable one. Under the proposed rule, no organization can document its way out of encryption; only narrow exceptions remain.
- Multi-factor authentication applies to every account that can access ePHI, including clinicians, nurses, billing staff, and the accounts business associates use. Most organizations already license MFA capability in Microsoft 365 or Epic; the gap is usually enforcement, not licensing, so check for legacy protocols, shared service accounts, and vendor logins that bypass it.
- Annual penetration testing and vulnerability scanning at least every six months become mandates, something many healthcare organizations have not done on a schedule.
- Breach reporting to HHS is not shortened by the Security Rule proposal. The Breach Notification Rule still requires notice to HHS without unreasonable delay and within 60 days of discovery for breaches affecting 500 or more individuals. What the proposal adds is an operational clock: a documented plan to restore critical information systems within 72 hours of losing them.
The risk analysis, usually called the Security Risk Assessment (SRA), is the heart of HIPAA compliance documentation. You should be able to hand an auditor four documents, one of which is the SRA.
The others are a threat model that names your business associates and the ePHI they touch, a remediation plan with owners and dates, and a risk-acceptance log for anything left unremediated, signed by a named executive.
HIPAA’s breach clock is the federal one; the SHIELD Act adds state duties on top of it for New York healthcare organizations. Let’s see how.
How is the New York SHIELD Act Stricter Than HIPAA?
The New York Stop Hacks and Improve Electronic Security Act was enacted in 2019. Healthcare organizations often assume that HIPAA compliance covers their SHIELD Act obligations. It covers only part of them: the Act deems HIPAA-regulated entities compliant with its reasonable-safeguards requirement, but its breach notification duties and its coverage of non-PHI data apply regardless.
The difference between HIPAA and SHIELD is scope. While HIPAA covers PHI, the SHIELD Act covers private information such as Social Security numbers, biometric data, driver’s license numbers, financial account details, and username and password combinations, whoever they belong to.
For New York’s healthcare organizations, this means employee records, vendor payment data, and administrative systems all carry SHIELD Act obligations that HIPAA does not address.
The SHIELD Act also adds a separate breach obligation.
A HIPAA-covered entity that notifies HHS of a breach must also notify the New York State Attorney General within five business days of that HHS notification. Miss that window and you face state-level enforcement.
If you own or license data containing the private information of a New York resident, you are subject to the Act’s breach and security requirements whether or not your business operates in New York.
HIPAA governs business associates through BAAs. The SHIELD Act applies directly to any business that owns or licenses private information of New York residents, so a vendor handling employee or payment data outside the BAA has its own obligations under the Act.
Why 23 NYCRR Part 500 Matters More to Healthcare Than You Expect
23 New York Codes, Rules and Regulations Part 500, the New York State Department of Financial Services cybersecurity regulation, took effect in 2017. Healthcare IT teams tend to file it as a financial services rule, and it is one, but its scope turns on DFS licensure rather than on industry label.
Any organization that holds a DFS license or authorization, such as a licensed insurance agent that also handles PHI, is a covered entity in its own right, and every covered entity must in turn police its third-party service providers under Part 500. That is why healthcare business associates that sit in payment processing, insurance billing, or financial data flows alongside PHI keep finding themselves inside Part 500’s perimeter, either as covered entities or as vendors to one.
The regulation’s Second Amendment, which became fully effective November 1, 2025, raised the compliance bar substantially:
- Universal MFA: Every individual accessing any information system of a covered entity must use multi-factor authentication, regardless of role or location and whether the access is remote or internal. Only a compensating control that the CISO has approved in writing as reasonably equivalent or stronger can substitute.
- Asset inventory policies: Covered entities must maintain a complete asset inventory under written policies and procedures, recording each asset’s owner, location, classification or sensitivity, support expiration date, and recovery time objective.
- 72-hour incident notification: Cybersecurity incidents must be reported to NYDFS within 72 hours of determining that one has occurred. Extortion payments, including ransomware payments, must be reported within 24 hours, followed by a written explanation within 30 days.
- Annual certification: Every covered entity must file either a Certification of Material Compliance or an Acknowledgment of Noncompliance with NYDFS by April 15 each year, signed by both the CISO and the highest-ranking executive.
NYDFS has enforced Part 500 since 2021 and has collected over $144 million in penalties. In 2025, it reached a $2 million settlement with Healthplex, Inc., a licensed insurance agent, over Part 500 violations.
Usually, the fines range from $2,500 per day for standard violations to $75,000 per day for knowing or willful noncompliance.
For healthcare organizations that hold a DFS license or interface with licensed financial services entities, this regulation is an integral layer of healthcare IT security in New York.
What Does the NY Health Information Privacy Act Protect?
On January 22, 2025, the New York State Legislature passed Senate Bill S929, better known as the New York Health Information Privacy Act (NYHIPA). The governor’s signature remains pending, but New York healthcare organizations should start planning for NYHIPA now rather than waiting for an effective date.
NYHIPA covers a category of health data that HIPAA does not reach: consumer health information that falls outside the definition of PHI.
This includes data from wellness apps, wearables, health-related browsing behavior, fitness trackers, location data near clinical facilities, and any inference drawn about an individual’s physical or mental health.
For traditional healthcare organizations, the law’s scope includes the following:
- Marketing and behavioral data collected from patients. These are website analytics, health-adjacent advertising pixels, and wellness program inputs.
- Payment processors that handle patient payments alongside any health-related identifier will need service provider agreements under NYHIPA, much as BAAs function under HIPAA.
- Regulated entities may not sell regulated health information to third parties, and may process it only with valid authorization or where strictly necessary for a permitted purpose.
Individuals gain the right to access and delete their data, with a 30-day deadline to honor the request; HIPAA gives patients access rights but no general right to deletion. Retention is also limited: regulated health information must be disposed of within 60 days once it is no longer needed.
And much like the SHIELD Act, NYHIPA’s reach extends beyond the state of New York if the regulated health information concerns a New York resident, regardless of where you’re located.
How Should NY Healthcare Organizations Tackle Compliances?
To help your healthcare organization wade through the many compliance obligations in New York, here are some measures that address all four frameworks simultaneously:
- Conduct a Full Organization-Wide Security Risk Analysis: The SRA must cover every PHI touchpoint, from EHR and billing to APIs and business associate integrations. It should produce a documented threat model, a remediation plan, and a risk-acceptance log signed by a named executive.
Scoped that way and run annually, the single artifact can satisfy HIPAA’s risk analysis requirement, NYDFS Part 500’s risk assessment obligation, and the SHIELD Act’s reasonable security program standard at once.
- Implement Universal MFA Across Every Account: Both the proposed 2026 HIPAA Security Rule and NYDFS Part 500’s November 2025 requirements call for MFA on every account that can reach ePHI or a covered entity’s information systems. That includes clinical, administrative, billing, and vendor accounts.
NYDFS guidance favors token-based MFA over push-based or SMS-based methods, because SMS codes can be intercepted and push prompts get approved by habit.
- Build a Breach Response Plan: A ransomware event in a New York healthcare organization triggers simultaneous obligations under HIPAA (OCR presumes that ransomware encrypting ePHI is a breach unless you can show a low probability of compromise, after which individuals and HHS must be notified without unreasonable delay and within 60 days of discovery for 500 or more people), NYDFS Part 500 (72 hours from determination for the incident, 24 hours for any extortion payment), and the SHIELD Act (notice to the Attorney General within five business days of the HHS filing).
Each notification has its own content requirements and recipients. A breach response plan built only around HIPAA will miss the state-level windows, which are far shorter than the federal one.
- Audit All Business Associates Against All Four Frameworks: Under HIPAA, OCR actively holds covered entities accountable for inadequate vendor oversight.
NYDFS Part 500 goes further for its covered entities, requiring a third-party service provider policy and risk assessment that stand apart from any BAA.
Under NYHIPA, service providers handling non-PHI health data need their own contractual framework. So map your full vendor landscape against all four regulatory frameworks and close the gaps in writing.
- Map All Health-Adjacent Data Flows Outside Your EHR: NYHIPA’s scope extends to an individual’s digital health data, including website analytics, marketing platform data, and payment processing data. The SHIELD Act’s scope similarly extends beyond PHI to private information such as employee data.
Conduct a data mapping exercise that goes beyond ePHI. Record what information you collect, where it goes, and whether it qualifies as regulated health information under NYHIPA or private information under the SHIELD Act.
- Build and Maintain a Written Asset Inventory: NYDFS Part 500’s November 2025 requirements mandate written policies for creating and maintaining a complete asset inventory. Track each system’s owner, location, classification, support expiration date, and recovery time objective.
The proposed 2026 HIPAA Security Rule’s technology asset inventory and network map expectations line up with this. A single maintained inventory serves both and accelerates every other compliance activity, from risk analysis to breach response. Keep the supporting documentation for at least five years, as NYCRR Part 500 requires.
- Establish Ongoing Vulnerability Testing: The proposed 2026 HIPAA Security Rule calls for vulnerability scanning at least every six months and penetration testing at least annually. NYDFS Part 500 requires annual penetration testing plus automated vulnerability scans at a frequency set by your risk assessment and promptly after any material system change. These are the floor, not the target.
For healthcare organizations handling ePHI across web applications, APIs, EHR integrations, and third-party platforms, manual penetration testing is increasingly what regulators and cyber insurers expect to see.
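The "Build a Breach Response Plan" item above lists three clocks that start from three different events. The script below, an added example that is not code from this page or from KLEAP, computes the resulting deadlines for one incident; the timestamps and the holiday list are constructed for illustration, and the SHIELD Act count uses business days as the statute does.

```python
"""Deadline calculator for the HIPAA, NYDFS Part 500 and SHIELD Act clocks.
Added example; the scenario timestamps and holiday list are constructed."""
from datetime import date, datetime, timedelta


def add_business_days(start, days, holidays=frozenset()):
    """Advance `start` by `days` business days (Mon-Fri, skipping `holidays`)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current.date() not in holidays:
            days -= 1
    return current


def notification_deadlines(discovered, determined, hhs_notified=None,
                           ransom_paid=None, holidays=frozenset()):
    """Return {obligation: deadline}. Each clock starts from a different event:
    HIPAA runs from discovery of the breach, NYDFS from the determination that
    a cybersecurity incident occurred (and from the payment, for extortion),
    and the SHIELD Act AG notice runs from the HHS filing, in business days."""
    deadlines = {
        # 60 days is an outer limit; the rule says "without unreasonable delay".
        "HIPAA: individuals (any size) and HHS (500+ affected)":
            discovered + timedelta(days=60),
        "NYDFS Part 500: cybersecurity incident notice":
            determined + timedelta(hours=72),
    }
    if ransom_paid is not None:
        deadlines["NYDFS Part 500: extortion payment notice"] = (
            ransom_paid + timedelta(hours=24))
    if hhs_notified is not None:
        deadlines["SHIELD Act: NY Attorney General notice"] = add_business_days(
            hhs_notified, 5, holidays)
    return deadlines


def example_scenario():
    """Constructed scenario: detection on a Friday morning, HHS filed the same
    afternoon, ransom paid overnight, and a Monday state holiday in between."""
    return notification_deadlines(
        discovered=datetime(2025, 10, 10, 9, 0),
        determined=datetime(2025, 10, 10, 9, 0),
        hhs_notified=datetime(2025, 10, 10, 14, 0),
        ransom_paid=datetime(2025, 10, 11, 3, 0),
        holidays={date(2025, 10, 13)})


if __name__ == "__main__":
    for name, due in sorted(example_scenario().items(), key=lambda kv: kv[1]):
        print(f"{due:%Y-%m-%d %H:%M}  {name}")
```

Run it and the order of the output is the point: the ransom payment notice is due first, the NYDFS incident notice on Monday morning, the Attorney General notice a week later because the weekend and the holiday do not count, and the HIPAA outer limit two months out.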
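For the "Build and Maintain a Written Asset Inventory" item, here is an added example, not code from this page or from KLEAP, that checks an inventory export for the attributes NYDFS Part 500 names and flags systems whose vendor support has lapsed. The CSV rows are constructed sample data, and the 72-hour recovery threshold is an assumed internal policy value, not a figure taken from the text.

```python
"""Asset inventory audit: missing Part 500 attributes, expired vendor support,
and recovery time objectives above a policy threshold. Added example; the
sample rows and MAX_RTO_HOURS are constructed."""
import csv
import io
from datetime import date

REQUIRED_FIELDS = ("asset", "owner", "location", "classification",
                   "support_expires", "rto_hours")
MAX_RTO_HOURS = 72  # assumed policy threshold, not a figure from the text

# Constructed sample export: one clean system and three with gaps.
SAMPLE_INVENTORY = """\
asset,owner,location,classification,support_expires,rto_hours
epic-prod-db,dba-team,datacenter-A,ePHI,2027-06-30,4
billing-api,,aws-us-east-1,ePHI+PCI,2025-03-31,8
hr-payroll,hr-ops,saas,private-information,2026-12-31,
legacy-pacs,radiology,datacenter-B,ePHI,2024-01-15,96
"""


def audit_inventory(csv_text, today):
    """Return (asset, finding) pairs for blank required fields, support that
    expired before `today`, and RTOs above MAX_RTO_HOURS."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("asset") or "").strip() or "<unnamed>"
        for field in REQUIRED_FIELDS:
            if not (row.get(field) or "").strip():
                findings.append((name, f"missing {field}"))
        expires = (row.get("support_expires") or "").strip()
        if expires:
            try:
                if date.fromisoformat(expires) < today:
                    findings.append((name, f"support expired {expires}"))
            except ValueError:
                findings.append((name, f"unparseable support_expires {expires!r}"))
        rto = (row.get("rto_hours") or "").strip()
        if rto:
            try:
                if float(rto) > MAX_RTO_HOURS:
                    findings.append(
                        (name, f"rto {float(rto):g} h exceeds {MAX_RTO_HOURS} h"))
            except ValueError:
                findings.append((name, f"unparseable rto_hours {rto!r}"))
    return findings


def example_findings():
    """Audit the constructed sample as of a fixed date so results are stable."""
    return audit_inventory(SAMPLE_INVENTORY, date(2025, 11, 1))


if __name__ == "__main__":
    for asset, finding in example_findings():
        print(f"{asset:14} {finding}")
```

Point the function at your real export with today's date and the findings list becomes the remediation queue: blank owners are governance gaps, expired support dates are unpatched attack surface, and an RTO above your policy is a recovery plan that does not match what the risk analysis assumed.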
How Can KLEAP Help?
KLEAP is a concierge cybersecurity firm serving healthcare organizations across New York and the US. We specialize in manual penetration testing and compliance advisory for SMBs handling PHI.
We help organizations that face the full weight of New York’s regulatory stack without the resources of enterprise security teams to absorb it.
KLEAP’s engagements are designed to address both security posture and regulatory documentation in the same workflow, so your team is not running compliance and security as separate programs.
KLEAP’s concierge model means every engagement is led by a dedicated expert assigned to your organization. We do not rotate teams through your account, and we stay with you until you have the necessary controls and the documentation to back them up to an auditor.
The documentation produced reflects the specific regulatory environment your organization operates in, including the New York-specific layers that generic compliance vendors consistently miss.
If your organization is working through the 2026 HIPAA Security Rule update, scoping NYDFS Part 500 obligations, or beginning to map NYHIPA readiness, KLEAP can help you build the program, not just the paperwork.
