
March 2020 Deadline for Compliance with New York SHIELD Act Data Security Requirements

In July 2019, the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act was signed into law. The New York SHIELD Act expanded the breach notification requirements for businesses that collect the personal information of New York residents. On March 21, 2020, the data security provisions of the New York SHIELD Act come into effect.

The Act makes allowances for small businesses, defined as businesses with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets. Such businesses are still required to have a data security program, but it may be scaled to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the personal information it collects.

For most HIPAA-covered entities, compliance with the SHIELD Act's data security provisions will be relatively straightforward. The Act deems entities that are subject to, and in compliance with, the Health Insurance Portability and Accountability Act (HIPAA) to be in compliance with its reasonable safeguards requirement.

New York SHIELD Act Requirements for HIPAA Covered Entities

Compliance with HIPAA does not, however, guarantee compliance with the New York SHIELD Act. While there is some overlap, the SHIELD Act covers categories of personal information that HIPAA does not. HIPAA-covered entities that collect the personal information of New York State residents will need to ensure that the Act's data security provisions are met for those data types.


One notable example of where the SHIELD Act applies and HIPAA does not is information technology systems that contain employee data but no protected health information, such as employees' Social Security numbers or driver's license numbers. That data is not covered by HIPAA, but the SHIELD Act requires reasonable technical, administrative, and physical safeguards to be implemented to protect it. The data security provisions of the SHIELD Act are detailed below.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
