
New York Data Breach Notification Requirements Updated

In late December 2024, the Governor of New York, Kathy Hochul, signed two bills into law updating the New York data breach notification requirements under New York’s general business law (§ 899-aa). The bills expand the definition of personal information and set a time limit for issuing notifications.

Prior to the law change, companies had to issue notifications if they experienced a breach of system security that resulted, or was reasonably believed to have resulted, in unauthorized access to the personal data of New York residents. Those notifications had to be issued to the affected individuals and the state Attorney General, Department of State, and the Division of State Police “in the most expedient time possible and without reasonable delay.”

Effective immediately, a time limit has been stipulated for issuing those notifications, which must now be sent within 30 days of the discovery of a breach. The Department of Financial Services has also been added to the list of entities to be notified. The law enforcement exception still applies, where notifications may be delayed for legitimate law enforcement purposes.

The second bill updates the definition of personal information that requires notifications to be issued, expanding the definition to also include medical information and health insurance information, as has happened in many other U.S. states. This update takes effect on March 21, 2025. Medical information is defined as “any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.” Health insurance information is defined as “an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual or any information in an individual’s application and claims history, including, but not limited to, appeals history.”

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
