What New York providers must know about the new data breach law
Caitlin Anthoney January 16, 2025
In December 2024, New York Governor Kathy Hochul signed two significant bills (A8872A and S2376B) into law, substantially amending the state’s Data Breach Notification Law.
Unpacking the changes
1. 30-day notification deadline
New York’s updated Data Breach Notification Law signals a stronger stance on consumer data protection, especially regarding sensitive health information. The update requires businesses to notify affected New York residents of a data breach within 30 days of discovering the incident.
This will replace the requirement to notify them "without unreasonable delay," improving response times and providing timely protection to consumers whose data may be compromised.
2. Expanded reporting requirements
Healthcare providers must now report data breaches to the New York State Attorney General (NYSAG) as well as the New York State Department of Financial Services (NYSDFS).
Expanding these reporting obligations will increase oversight and allow more comprehensive cybersecurity monitoring.
3. Broadened definition of private information
Starting March 21, 2025, the definition of "private information" will expand to include medical and health insurance data. This change will particularly affect life sciences and consumer healthcare companies not covered by HIPAA, which will now face new notification requirements and potential legal exposure.
Implications for healthcare providers
Overlap with HIPAA regulations
Healthcare providers already subject to the Health Insurance Portability and Accountability Act (HIPAA) must continue following federal guidelines, which require breach notifications within 60 days. However, these entities must now also comply with New York’s expanded reporting obligations, notifying the NYSAG and the NYSDFS.
Increased responsibilities for non-HIPAA entities
Life sciences companies, wellness startups, and consumer healthcare organizations not regulated under HIPAA now face increased legal and compliance risks. These entities must implement processes to meet the 30-day notification timeline and report breaches to the newly included state agencies. The expanded definition of private information directly impacts how these companies handle data breaches involving medical and health insurance data.
Cybersecurity preparedness
Healthcare providers must improve their data protection strategies by encrypting sensitive data, performing regular security assessments, and ensuring all employees are trained on data security protocols.
Why compliance matters
The N.Y. State Assembly’s Memorandum in Support of Legislation stated, “There seems to be a broad sense of uncertainty by experts and lawmakers as to which federal regulations, if any, is charged with the responsibility to monitor and do regular supervision on cybersecurity.
Thus, it is time for New York State to lead on this issue… To this end, this legislation provides a clear consumer protection mandate that will aggressively protect consumers by mandating timely disclosure of data breaches by credit reporting agencies.”
Furthermore, non-compliance could lead to severe legal consequences, financial penalties, and reputational damage.
For healthcare providers, failing to meet the 30-day notification deadline or properly report breaches can undermine patient trust and invite regulatory scrutiny.
Actionable steps for healthcare providers
- Review and update data protection policies: Update existing cybersecurity and breach response plans to align with the new 30-day notification requirement and expanded reporting obligations.
- Train staff on compliance: Educate employees on how to quickly identify, report, and respond to potential data breaches.
- Assess cyber insurance coverage: Check whether the organization’s cyber insurance policy covers the risks associated with data breaches under the new law.
- Strengthen cybersecurity measures: Implement stronger security protocols to prevent unauthorized access to sensitive medical and health insurance data.
- Develop a response plan for non-HIPAA entities: Non-HIPAA-regulated companies must establish clear procedures for breach detection, reporting, and notification to mitigate legal exposure.
FAQs
What is HIPAA compliance?
HIPAA compliance refers to adhering to regulations outlined in the Health Insurance Portability and Accountability Act to safeguard patients’ protected health information (PHI).
What is a covered entity under HIPAA?
A covered entity, as defined by HIPAA, is any healthcare provider, health plan, or healthcare clearinghouse that transmits any electronic health information.
What is the process for reporting a HIPAA breach?
To report a HIPAA breach, covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovering the breach.
They must also notify the Secretary of Health and Human Services (HHS) immediately if the breach impacts 500 or more individuals, or annually for smaller breaches.
Additionally, if the breach affects over 500 residents in a state or jurisdiction, media notification is required.