New York Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in New York.
New York medical practices face one of the most demanding compliance stacks in the country. The Stop Hacks and Improve Electronic Data Security Act (the NY SHIELD Act) amended NY Gen Bus Law §899-aa in 2019 to expand the definition of "private information" to include biometric data, account credentials, and standalone health information, and the law applies to any business that holds private information about a New York resident — including out-of-state practices with even one NY patient. Breach notification must go to the affected individual, the New York Attorney General, the Department of State, and the State Police "in the most expedient time possible." On the prescribing side, the I-STOP/PMP is one of the strictest in the nation: prescribers must check the registry before every controlled-substance prescription, with narrow exemptions for hospice, cancer treatment, ER ≤5-day supplies, inpatient administration, MAT, and veterinarians. Medical records carry a 6-year retention floor under 10 NYCRR §415.10, pediatric records run until age 21 or 3 years past last treatment under Education Law §6530(32), and Mental Hygiene Law §33.13 layers separate, stricter confidentiality protections onto psychiatric records.
Breach Notification Rules
| Item | Detail |
|---|---|
| Notification deadline | Most expedient time possible and without unreasonable delay. The AG, Department of State, and State Police must be notified. The SHIELD Act expanded the scope of covered private information. |
| AG notification threshold | All breaches; notify the AG, the Department of State, and the State Police |
| Harm analysis required | |
| Penalty range | Up to $5,000 per violation; courts may impose up to $20 per failed notification, capped at $250,000 |
Enforcement Posture
The New York Attorney General is among the most active state enforcers of healthcare data security in the country. The AG's Bureau of Internet and Technology has investigated healthcare entities for breach-notification delays, SHIELD Act safeguard failures, and HIPAA-adjacent violations under both state consumer protection law and the SHIELD Act. The Department of State, State Police, and the Department of Health all sit alongside the AGO in receiving breach notices, which creates multi-front exposure for practices that mishandle response timelines. The Department of Health separately enforces 10 NYCRR through facility surveys and Office of Professional Medical Conduct discipline. New York practices that maintain a written SHIELD-Act safeguards program — administrative, technical, and physical — and document their breach response chain are well-defended. Practices without a documented program become straightforward targets.
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 6 years | Last treatment |
| Pediatric | 3 years | Patient turns 18 |
| Radiology | 6 years | Record creation |
Controlled-Substance Prescription Monitoring (I-STOP/PMP)
New York's I-STOP/PMP is one of the strictest prescription-monitoring programs in the country. Every prescriber must query the registry before every controlled-substance prescription, with exemptions limited to hospice, cancer treatment, ER ≤5-day supplies, inpatient administration, medication-assisted treatment for substance use disorder, and veterinarians. Delegation to designated staff is allowed. Failure to check is treated as professional misconduct and can result in licensing-board discipline, fines up to $20,000, and possible criminal prosecution for willful violations.
| Item | Detail |
|---|---|
| Check required | Every prescription |
| Check frequency | Every prescription |
| Delegation allowed | Yes, to designated staff |
| Penalty range | Professional misconduct; licensing-board discipline; fines up to $20,000; possible criminal prosecution for willful violations |
| Exemptions | Hospice patients, cancer treatment, ≤5-day supply in ER, inpatient hospital administration, medication-assisted treatment for substance use disorder, veterinarians |
How New York Rules Hit by Specialty
Behavioral health
Mental Hygiene Law §33.13 imposes consent and disclosure rules on psychiatric records that exceed HIPAA — separate written authorization is generally required, OASAS Part 487/488 layers additional protections on substance-use records, and incidental disclosures to other providers within an integrated record require careful audit-log review.
Pain management
I-STOP requires a prescriber to query every patient's controlled-substance history before every prescription. Pain practices typically build the PDMP check into the EHR pre-prescription workflow and capture the query timestamp as part of the visit note to defend against later board review.
Pediatrics
Education Law §6530(32) runs the retention clock until age 21 or 3 years past last treatment, whichever is later — so a chart for an 8-year-old who hasn't been seen in 2 years still needs to be retained for another 11 years. Pediatric practices migrating EHR vendors must verify the new system imports the full retention window.
Hospital systems
10 NYCRR §405 imposes hospital-specific data-security and audit-log requirements that go beyond the SHIELD Act, including a 6-year retention floor on X-ray and imaging records under §405.10.
Mandatory Reporting Obligations
| Mandated reporters | Report to | Timeline | Penalty for failure | Immunity provision |
|---|---|---|---|---|
| Physicians, surgeons, dentists, nurses, psychologists, social workers, EMTs, and all healthcare professionals | New York State Central Register (SCR), Office of Children and Family Services | Immediately / as soon as possible | Class A misdemeanor, up to 1 year jail; civil liability for damages caused by failure | Good-faith reporters immune from civil and criminal liability under NY Social Services Law §419 |
| Physicians, nurses, social workers, and all healthcare professionals in residential care facilities | Adult Protective Services, local Department of Social Services | Immediately / as soon as possible | Class A misdemeanor | Good-faith reporters immune from civil and criminal liability |
| Healthcare providers treating injuries from weapons or criminal violence (mandatory wound reporting) | Local law enforcement | Immediately / as soon as possible | Class A misdemeanor | Good-faith reporters immune from civil liability |
| Physicians, laboratories, and healthcare facility administrators | New York State Department of Health or local health department | Within 24 hours | Misdemeanor, up to $2,000 fine per violation | Good-faith reporters immune from civil liability |
| Every physician attending or treating a gunshot wound or wound from a weapon | Local law enforcement, immediately by phone | Immediately / as soon as possible | Class A misdemeanor, up to 1 year jail | Good-faith reporters immune from civil and criminal liability under NY Penal Law §265.25 |
New York Compliance FAQs
Yes — NY Gen Bus Law §899-bb provides scaled reasonable-safeguards expectations for small businesses (defined by employee count, gross revenue, or year-end assets), but the duty to implement administrative, technical, and physical safeguards applies regardless of size. The breach-notification duty in §899-aa has no size exemption at all.
Prescribers must query the I-STOP/PMP before every controlled-substance prescription. Exemptions cover hospice, cancer, ER ≤5-day supplies, inpatient administration, MAT, and veterinarians. Delegation to staff is permitted but the prescriber remains responsible for the documented check.
Affected individuals, the New York Attorney General, the Department of State Division of Consumer Protection, and the State Police — and, separately, HHS OCR under HIPAA. Notification must be in the most expedient time possible without unreasonable delay.
Yes. Mental Hygiene Law §33.13 generally requires separate written authorization for disclosure of psychiatric records, narrows the categories of permissible disclosure compared to HIPAA, and is layered on top of federal substance-use confidentiality under 42 CFR Part 2 for OASAS-licensed providers.
10 NYCRR §415.10 sets a 6-year minimum from date of last treatment for general medical records, with X-ray and imaging records under §405.10 also at 6 years from creation. Pediatric records under Education Law §6530(32) run until age 21 or 3 years post-treatment, whichever is later.
Stay audit-ready in New York
GuardWell tracks New York-specific breach deadlines, retention periods, I-STOP/PMP PDMP queries, and mandatory reporting obligations automatically.
