The Health Insurance Portability and Accountability Act (HIPAA) establishes the federal framework for protecting patient health information. For healthcare providers, health plans, healthcare clearinghouses, and their business associates in New York, HIPAA compliance is not optional. Violations can result in civil monetary penalties ranging from $100 to $50,000 per violation (as of early 2026), with annual maximums reaching $2 million or more for willful neglect. Criminal penalties for knowing violations can include fines and imprisonment. Beyond the penalties, a HIPAA breach damages patient trust, triggers costly breach notification obligations, and can attract investigations from the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services.
This guide covers the core HIPAA requirements, what healthcare entities in New York need to do to comply, and the most common compliance failures that trigger enforcement actions.
Who Must Comply with HIPAA
HIPAA applies to covered entities and their business associates. Covered entities include healthcare providers (physicians, dentists, hospitals, clinics, pharmacies, home health agencies, and any other provider that transmits health information electronically), health plans (health insurance companies, HMOs, employer-sponsored group health plans, and government programs like Medicare and Medicaid), and healthcare clearinghouses (entities that process health information between providers and payers). Business associates are organizations or individuals that perform services for a covered entity that involve access to protected health information (PHI), such as billing companies, IT service providers, cloud storage vendors, attorneys, accountants, and consultants. Both covered entities and business associates must comply with HIPAA's requirements, and their relationship must be governed by a written business associate agreement (BAA).
The HIPAA Privacy Rule
The Privacy Rule establishes standards for how covered entities use and disclose protected health information. PHI includes any individually identifiable health information, whether oral, written, or electronic, that relates to a patient's past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare. The Privacy Rule requires covered entities to use and disclose PHI only as permitted or required by the rule, to provide patients with a Notice of Privacy Practices (NPP) explaining how their information is used and their rights, to honor patient requests to access, amend, or receive an accounting of disclosures of their PHI, to obtain patient authorization before using PHI for marketing or selling PHI, to apply the minimum necessary standard (using or disclosing only the minimum amount of PHI needed to accomplish the intended purpose), and to designate a privacy officer responsible for developing and implementing privacy policies.
Permitted disclosures without patient authorization include disclosures for treatment (sharing information with another provider involved in the patient's care), payment (submitting claims to insurance), healthcare operations (quality assessment, training, compliance activities), and disclosures required by law (reporting communicable diseases, responding to court orders). For healthcare practice compliance, see our regulatory compliance practice page.
The HIPAA Security Rule
The Security Rule applies specifically to electronic protected health information (ePHI) and requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect ePHI from unauthorized access, use, or disclosure.
Administrative Safeguards
Administrative safeguards include conducting a risk analysis to identify vulnerabilities in how ePHI is created, stored, transmitted, and disposed of, implementing a risk management plan to address identified vulnerabilities, developing and enforcing written security policies and procedures, providing workforce training on security awareness and HIPAA requirements, establishing sanctions for employees who violate security policies, and designating a security officer responsible for developing and implementing security measures. The risk analysis is the foundation of HIPAA security compliance. OCR consistently identifies the failure to conduct a thorough risk analysis as the most common HIPAA violation in enforcement actions.
Physical Safeguards
Physical safeguards protect the physical infrastructure where ePHI is stored and accessed. Requirements include facility access controls (locks, alarm systems, security cameras, visitor logs), workstation security (positioning screens away from public view, automatic logoff, cable locks for portable devices), and device and media controls (procedures for disposing of hardware and electronic media that contain ePHI, including proper data destruction).
Technical Safeguards
Technical safeguards address the technology used to protect ePHI. Requirements include access controls (unique user IDs, passwords, role-based access limiting users to the minimum necessary information), audit controls (systems that record and monitor access to ePHI), integrity controls (mechanisms to ensure ePHI is not improperly altered or destroyed), and transmission security (encryption of ePHI transmitted over electronic networks). Encryption is addressable rather than required under the Security Rule, meaning covered entities must either implement encryption or document why an alternative measure provides equivalent protection. In practice, encryption is the standard approach and is expected by OCR in most circumstances.
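The four technical safeguards above are easier to reason about when seen together in code. The following is an added illustration, not code from the original page or from any particular EHR product: it models unique user IDs, role-based access that returns only the minimum necessary fields, an audit trail that records every access attempt (granted or denied), an integrity tag that detects altered records, and deprovisioning of a departed workforce member. The roles, field names, key, user and patient identifiers and sample record are all constructed for the example; transmission security (TLS between systems) is outside its scope.

```python
"""Illustration of the Security Rule's technical safeguards: unique user IDs,
role-based access limited to the minimum necessary fields, an audit trail of
every access attempt, and an integrity check on stored ePHI.
Example code only; roles, field names, key and records are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import hmac
import json

# Minimum-necessary field sets per role (constructed example roles).
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnosis", "medications"},
    "billing": {"name", "insurance_id", "procedure_codes"},
    "front_desk": {"name", "dob"},
}

# Placeholder key for the integrity tag; a real deployment would load it from
# a secrets manager or HSM rather than embed it in source.
INTEGRITY_KEY = b"placeholder-integrity-key"


def seal(record: dict) -> str:
    """Integrity control: HMAC-SHA256 over a canonical JSON encoding."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


def verify(record: dict, tag: str) -> bool:
    """Constant-time comparison so tampering cannot be probed via timing."""
    return hmac.compare_digest(seal(record), tag)


@dataclass
class EphiStore:
    users: dict      # user_id -> role; one ID per person, never shared
    records: dict    # patient_id -> (record, integrity tag)
    audit_log: list = field(default_factory=list)

    def _audit(self, user_id, patient_id, outcome, fields=()):
        """Audit control: every attempt is recorded, granted or not."""
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user_id, "patient": patient_id,
            "outcome": outcome, "fields": sorted(fields),
        })

    def deprovision(self, user_id):
        """Terminate access when a workforce member leaves."""
        self.users.pop(user_id, None)
        self._audit(user_id, None, "deprovisioned")

    def access(self, user_id, patient_id) -> dict:
        """Return the role-limited view of a record, or refuse and log why."""
        role = self.users.get(user_id)
        if role is None:
            self._audit(user_id, patient_id, "denied_unknown_user")
            raise PermissionError(f"no active account for {user_id!r}")
        if patient_id not in self.records:
            self._audit(user_id, patient_id, "denied_no_such_record")
            raise KeyError(patient_id)
        record, tag = self.records[patient_id]
        if not verify(record, tag):
            self._audit(user_id, patient_id, "denied_integrity_failure")
            raise ValueError(f"integrity check failed for {patient_id!r}")
        view = {k: v for k, v in record.items() if k in ROLE_FIELDS[role]}
        self._audit(user_id, patient_id, "granted", view.keys())
        return view


def build_demo_store() -> EphiStore:
    """Constructed sample data, not real patient information."""
    rec = {
        "name": "Sample Patient", "dob": "1980-01-01", "diagnosis": "J06.9",
        "medications": ["acetaminophen"], "insurance_id": "INS-0000",
        "procedure_codes": ["99213"],
    }
    return EphiStore(
        users={"u-dr-1": "physician", "u-bill-1": "billing", "u-desk-1": "front_desk"},
        records={"p-1001": (rec, seal(rec))},
    )


if __name__ == "__main__":
    store = build_demo_store()
    print(store.access("u-bill-1", "p-1001"))   # billing view carries no diagnosis
    store.deprovision("u-bill-1")
    try:
        store.access("u-bill-1", "p-1001")
    except PermissionError as exc:
        print("denied:", exc)
    for entry in store.audit_log:
        print(entry)
```

The design point worth noting is that denials are logged with the same care as grants: when OCR reviews an incident, the record of who tried to reach a chart and was refused is as valuable as the record of who succeeded, and a store that only logs successes cannot show that access controls were actually enforced.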
The HIPAA Breach Notification Rule
The Breach Notification Rule requires covered entities to notify affected individuals, the Secretary of HHS, and, in some cases, the media when a breach of unsecured PHI occurs. A breach is defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the information. Notifications to individuals must be provided without unreasonable delay and no later than 60 days after discovery of the breach. For breaches affecting 500 or more individuals, the covered entity must also notify prominent media outlets in the affected state and report the breach to HHS simultaneously. For breaches affecting fewer than 500 individuals, the covered entity must report to HHS within 60 days of the end of the calendar year in which the breach was discovered.
Business Associate Agreements
Any vendor, contractor, or service provider that has access to PHI on behalf of a covered entity is a business associate and must sign a BAA before receiving any PHI. The BAA must specify the permitted uses and disclosures of PHI, require the business associate to implement appropriate safeguards, require the business associate to report breaches and security incidents, and ensure PHI is returned or destroyed when the relationship ends. Failing to have BAAs in place with all business associates is one of the most common HIPAA violations. Covered entities should maintain an inventory of all business associates and ensure each has a current, compliant BAA. For guidance on healthcare contracts, see our healthcare contracts practice page.
New York State Privacy Requirements
In addition to HIPAA, New York has its own health information privacy laws that may impose stricter requirements in certain areas. New York Public Health Law Section 18 gives patients the right to access their medical records and requires providers to make records available within a specified timeframe. New York Mental Hygiene Law provides additional protections for mental health records. The New York SHIELD Act requires businesses that hold private information of New York residents (including health information) to implement reasonable data security measures. Healthcare entities in New York must comply with both federal HIPAA requirements and applicable state laws, applying the stricter standard where they differ.
HIPAA Enforcement and Penalties
The Office for Civil Rights (OCR) at HHS enforces HIPAA through complaint investigations, compliance reviews, and breach investigations. As of early 2026, civil monetary penalties are structured in four tiers based on the level of culpability. Tier 1 covers violations the covered entity was unaware of and could not have reasonably avoided, with penalties ranging from $100 to $50,000 per violation. Tier 2 covers violations due to reasonable cause (not willful neglect), with penalties from $1,000 to $50,000 per violation. Tier 3 covers violations due to willful neglect that are corrected within 30 days, with penalties from $10,000 to $50,000. Tier 4 covers violations due to willful neglect that are not corrected, with a minimum penalty of $50,000 per violation. Annual maximums for each tier can reach $2 million or more. Criminal penalties for knowing violations can include fines up to $250,000 and imprisonment for up to 10 years.
Beyond federal enforcement, New York's Attorney General has authority to investigate and prosecute data breaches affecting New York residents under the SHIELD Act and other state laws. Healthcare entities that experience a breach may face enforcement actions from both federal and state authorities. The cost of a breach extends beyond penalties to include breach notification expenses, credit monitoring services for affected individuals, forensic investigation costs, remediation costs, and reputational damage that can affect patient volume for years.
Building a HIPAA Compliance Program
An effective HIPAA compliance program includes written privacy and security policies tailored to the practice's operations, a designated privacy officer and security officer (which can be the same person in a small practice), a comprehensive risk analysis conducted upon implementation and updated annually, workforce training provided at hire and refreshed at least annually, a process for patients to exercise their rights (access, amendment, accounting of disclosures), business associate agreements with all vendors that access PHI, an incident response plan for handling potential breaches, and regular audits to verify compliance with policies and procedures. The compliance program should be documented thoroughly, because in the event of an investigation, OCR will review the organization's policies, training records, risk analyses, and incident response documentation to assess whether the entity made good-faith efforts to comply.
Common HIPAA Compliance Failures
The most frequently cited violations in OCR enforcement actions include failure to conduct a comprehensive risk analysis, failure to implement a risk management plan, impermissible disclosures of PHI (including disclosures to unauthorized family members, sending PHI to wrong recipients, and discussing patient information in public areas), insufficient access controls (shared passwords, failure to terminate access for former employees), failure to encrypt ePHI on portable devices (laptops, USB drives, smartphones), lack of BAAs with business associates, and inadequate employee training. Most of these violations are preventable with proper policies, training, and oversight. An attorney experienced in healthcare compliance can help your practice develop and implement a HIPAA compliance program tailored to your operations. For more on healthcare law, visit our healthcare law practice page.
Telehealth and HIPAA
The expansion of telehealth services has created new HIPAA compliance considerations for healthcare providers. Telehealth platforms must comply with HIPAA's Security Rule requirements, including encryption of audio and video communications, access controls, and audit logging. During the COVID-19 public health emergency, HHS exercised enforcement discretion for providers using non-compliant communication platforms, but that discretion has ended. Providers offering telehealth services must now use HIPAA-compliant platforms and have BAAs in place with the platform vendors. The platform should provide end-to-end encryption, unique user authentication, and the ability to generate audit logs. Providers should also ensure that their telehealth consent forms address the privacy and security risks specific to virtual visits.
Frequently Asked Questions
What is considered protected health information (PHI) under HIPAA?
PHI is any individually identifiable health information held or transmitted by a covered entity or its business associate. This includes names, dates (birth, admission, discharge, death), addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, and any other information that can be used to identify a patient in connection with their health condition, treatment, or payment for healthcare.
What is a HIPAA risk analysis and how often should it be conducted?
A risk analysis is a systematic evaluation of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by your organization. HIPAA does not specify a frequency, but OCR expects covered entities to conduct a risk analysis when they first implement HIPAA compliance and to update it regularly, particularly when there are changes to the organization's operations, technology, or workforce. Annual review is considered best practice.
Do I need a business associate agreement with every vendor?
A BAA is required with any vendor, contractor, or service provider that creates, receives, maintains, or transmits PHI on behalf of your practice. This includes billing companies, EHR vendors, cloud storage providers, IT support companies, shredding services, answering services that take patient messages, and any other entity that has access to patient information. If the vendor does not have access to PHI, a BAA is not required.
What should I do if a HIPAA breach occurs?
Contain the breach immediately by stopping the unauthorized access or disclosure. Investigate the scope of the breach to determine what information was affected and how many individuals were impacted. Notify affected individuals within 60 days. Report the breach to HHS. If the breach affects 500 or more individuals, notify the media and HHS simultaneously. Document every step of the investigation and response. Consult your attorney to ensure compliance with all notification requirements.
Can employees access their own medical records in the system?
Employees who are also patients of the practice have the right to access their own medical records under the Privacy Rule. However, employees should not access their own records through the practice's EHR system using their employee credentials. Doing so may constitute an impermissible access under the practice's HIPAA policies. Employees should request their records through the normal patient request process.
Is texting patient information a HIPAA violation?
Standard text messaging (SMS) is not encrypted and is generally not compliant with HIPAA's transmission security requirements. Sending PHI via unencrypted text message can constitute a violation. Secure messaging platforms that provide encryption, access controls, and audit capabilities can be used for communicating PHI if they meet HIPAA's technical safeguard requirements. Your practice should have a written policy on electronic communication of PHI.
What training do employees need for HIPAA compliance?
HIPAA requires covered entities to train all workforce members on the organization's HIPAA policies and procedures. Training should cover the Privacy Rule (what PHI is, how it can be used and disclosed, patient rights), the Security Rule (password policies, workstation security, encryption requirements, reporting incidents), and the Breach Notification Rule (how to identify and report a potential breach). Training should be provided to new employees upon hire and refreshed periodically. Document all training activities and maintain records of attendance.
Need HIPAA Compliance Help?
Our healthcare attorneys help practices develop and implement HIPAA compliance programs throughout New York and New Jersey. Schedule a free consultation.
Contact Us Online or call (212) 920-5989