BAA Generator

HIPAA Business Associate Agreements in New York — SHIELD Act and BAA Term Implications

By BAA Generator Research Team  ·  Published Apr 27, 2026  ·  Last reviewed Apr 27, 2026  ·  6 min read

Quick answer: HIPAA establishes a federal floor for Business Associate Agreements. New York state law adds obligations above that floor, and some of them (breach-notification clocks and recipients, and the scope of "private information" that must be safeguarded) are not discharged by HIPAA compliance alone. A BAA executed for a covered entity or business associate that handles New York residents' data should address the state-specific obligations below explicitly, not just the HIPAA baseline. The New York Attorney General and the Department of Financial Services investigate and enforce state law independently of HHS OCR.

New York laws affecting BAA terms

Stop Hacks and Improve Electronic Data Security Act (SHIELD)

NY Gen. Bus. Law § 899-bb

Requires any person or business that owns or licenses computerized data containing private information of New York residents to maintain reasonable administrative, technical, and physical safeguards. Two points matter for BAA drafting. First, the trigger is the residency of the data subjects, not the location of the business, so an out-of-state BA holding New York patients' data is covered. Second, "private information" is wider than PHI: it includes, for example, a username or e-mail address combined with a password, and biometric data, whether or not the individual is a patient. The statute deems an entity that is regulated by and in compliance with HIPAA to satisfy the reasonable-safeguards requirement, so for PHI the HIPAA Security Rule does the work; the BAA should still require SHIELD-level safeguards for any New York private information the BA handles that falls outside HIPAA's scope.

NY Information Security Breach and Notification Act

NY Gen. Bus. Law § 899-aa

Applies to any person or business that owns, licenses, or maintains computerized data including private information of New York residents, and its obligations differ from HIPAA's in ways a BAA must reconcile. A vendor that maintains data it does not own (the usual BA position) must notify the owner "immediately following discovery" of a breach, whereas the HIPAA Breach Notification Rule allows a BA up to 60 calendar days to notify the covered entity; the BAA's notification clause should use the shorter state clock. A HIPAA-regulated entity that notifies affected individuals under HIPAA need not send those individuals a second notice under § 899-aa, but must still notify the New York Attorney General, the Department of State, and the State Police, and must provide the Attorney General a copy of its HHS breach notification within five business days of sending it. Since the December 2024 amendment, notice to affected residents is due within 30 days of discovery, well inside HIPAA's 60-day outer limit. The BAA should assign who makes each of these notifications and by when.

NYDFS Cybersecurity Regulation

23 NYCRR Part 500

Applies to entities operating under a license, registration, charter, or similar authorization under the New York Banking Law, Insurance Law, or Financial Services Law, for example a DFS-licensed health insurer or a payment vendor licensed as a money transmitter; an ordinary billing vendor is not covered merely because it touches payments. A BA in that category carries Part 500 obligations on top of HIPAA, including notice to DFS within 72 hours of a reportable cybersecurity event, multi-factor authentication, and a third-party service provider security policy. A BAA with such a vendor should state which regime's shorter deadlines and stricter controls govern where the two overlap, so that the BA's Part 500 obligations and the covered entity's HIPAA obligations do not conflict.

What New York BAAs should add to the HHS model

Operational notes

Whether your covered entity is based in New York or merely treats New York residents, every BAA you sign with a vendor handling those patients' PHI should bind the vendor to New York's state-law obligations in addition to HIPAA, because both § 899-aa and § 899-bb turn on the residency of the individuals whose data is held, not on where the covered entity or the vendor sits. The HHS sample business associate provisions satisfy 45 CFR § 164.504(e) but contain no state-specific language.

If your business associate operates in multiple states, the usual drafting approach is a single "compliance with applicable law" clause that binds the BA to every federal and state law that applies to the data it handles, paired with a security-standard and breach-notification clause keyed to the strictest applicable requirement; listing each state's rules separately is rarely practical, and "strictest" alone is not enough where states differ in kind (for example, in which regulators must be notified) rather than in degree. Practices in New York typically name the SHIELD Act and § 899-aa expressly in that clause rather than relying on the general reference alone.

For broader 2024–2026 HIPAA Privacy Rule context, see HIPAA BAA requirements. For state law and HIPAA interaction generally, see ComplyCreate's HIPAA vs state privacy laws guide.

Generate a compliant BAA in 5 minutes

HHS model BAA provisions · 45 CFR § 164.504(e) compliant · $49 one-time · clean PDF + editable Word

No subscription · PDF + Word · Free watermarked preview

Your practice also needs an NPP

A BAA covers vendor relationships. The Notice of Privacy Practices is the patient-facing document required under § 164.520. New York state law also affects NPP content.

Generate an NPP at NPP Generator →