New York Healthcare Compliance Requirements

State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in New York.

Expedient notification | 6-year retention | I-STOP/PMP

Breach Notification Rules

Notification deadline

Most expedient time possible

Notification must be made in the most expedient time possible and without unreasonable delay. The AG, the Department of State, and the State Police must be notified. The SHIELD Act expanded the scope to include private data.

AG notification threshold

All breaches

Notify: AG + Department of State + State Police

Harm analysis required

Yes — breach presumed unless risk assessment shows low probability of compromise

Penalty range

Up to $5,000 per violation; courts may impose up to $20/failed notification, max $250,000

Comparable to federal HIPAA

Medical Records Retention

Record type       Retention period   Measured from
General medical   6 years            Last treatment
Pediatric         3 years            Patient turns 18
Radiology         6 years            Record creation

PDMP Requirements — I-STOP/PMP

Check required

All controlled substances

Check frequency

Every prescription

Delegation allowed

Yes — authorized staff can check on provider's behalf

Penalty range

Professional misconduct; licensing board discipline; fines up to $20,000; possible criminal prosecution for willful violations

Exemptions

Hospice patients, cancer treatment, ≤5 day supply in ER, inpatient hospital administration, medication-assisted treatment for substance use disorder, veterinarians

Mandatory Reporting Obligations

Mandated reporters

Physicians, surgeons, dentists, nurses, psychologists, social workers, EMTs, and all healthcare professionals

Report to

New York State Central Register (SCR), Office of Children and Family Services

Timeline

Immediately / as soon as possible

Penalty for failure

Class A misdemeanor, up to 1 year jail; civil liability for damages caused by failure

Immunity provision

Good faith reporters immune from civil and criminal liability under NY Social Services Law 419

Mandated reporters

Physicians, nurses, social workers, and all healthcare professionals in residential care facilities

Report to

Adult Protective Services, local Department of Social Services

Timeline

Immediately / as soon as possible

Penalty for failure

Class A misdemeanor

Immunity provision

Good faith reporters immune from civil and criminal liability

Mandated reporters

Healthcare providers treating injuries from weapons or criminal violence (mandatory wound reporting)

Report to

Local law enforcement

Timeline

Immediately / as soon as possible

Penalty for failure

Class A misdemeanor

Immunity provision

Good faith reporters immune from civil liability

Mandated reporters

Physicians, laboratories, and healthcare facility administrators

Report to

New York State Department of Health or local health department

Timeline

Within 24 hours

Penalty for failure

Misdemeanor, up to $2,000 fine per violation

Immunity provision

Good faith reporters immune from civil liability

Mandated reporters

Every physician attending or treating a gunshot wound or wound from a weapon

Report to

Local law enforcement immediately by phone

Timeline

Immediately / as soon as possible

Penalty for failure

Class A misdemeanor, up to 1 year jail

Immunity provision

Good faith reporters immune from civil and criminal liability under NY Penal Law 265.25

Stay compliant in New York

GuardWell tracks New York-specific breach deadlines, PDMP requirements, retention periods, and mandatory reporting obligations automatically.
