On October 2, 2024, the New York State Department of Health (DOH) published notice of its adoption of the previously proposed hospital cybersecurity regulations. The adopted regulations create a new Section 405.46 of Title 10 (Health) of the New York State Codes, Rules, and Regulations and impose cybersecurity-related requirements on all New York State hospitals.
The adopted regulations require all hospitals licensed under Article 28 of the New York State Public Health Law to adopt a cybersecurity program. The key points of the adopted regulations were summarized in our prior alert on the proposed requirements. Importantly, hospitals have one year from the date of adoption to comply with the new regulatory requirements.[i] As such, compliance with most provisions of the rule will be required by October 2, 2025.
Notably, however, the regulatory provisions that require cybersecurity incidents to be reported to the DOH are not subject to the one-year implementation timeline; instead, they are effective as of October 2, 2024.[ii] Under this requirement, each hospital, or its designee, must notify the DOH as promptly as possible, but no later than 72 hours after determining that a cybersecurity incident has occurred.[iii] The regulations define a “cybersecurity incident” as:
- A “cybersecurity event”—i.e., any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse the hospital’s information system or the information stored thereon, including, but not limited to, health records—that:
- Has a material adverse impact on the normal operations of the hospital; or
- Has a reasonable likelihood of materially harming any part of the normal operations of the hospital; or
- Results in the deployment of ransomware within a material part of the hospital’s information systems.[iv]
Importantly, this required notification does not replace any other notifications that may be required under state or federal laws or regulations, such as notifications to affected individuals or to the US Department of Health and Human Services Office for Civil Rights under the Health Insurance Portability and Accountability Act (HIPAA) or 42 CFR Part 2, or reports required under the New York State Stop Hacks and Improve Electronic Data Security (SHIELD) Act.[v] Additional guidance on these reporting requirements is still needed: reports must be made in the manner prescribed by the DOH, and the DOH has not yet published the manner in which reports are to be made.[vi]
In addition to these reporting requirements, the requirements related to maintenance of documentation also became effective on October 2, 2024.[vii] These requirements obligate hospitals to maintain any and all documentation required by the new regulations, including, but not limited to, records, schedules, reports, and data; to submit that documentation to the DOH upon request; and to retain it for at least six years.[viii] Additionally, to the extent that a hospital has identified areas, systems, or processes that require material improvement, updating, or redesign, the hospital is required to document both the identification and the remedial efforts (planned and underway) to address those areas, systems, or processes.[ix] This documentation also must be made available to the DOH for inspection and must be retained for at least six years.[x]
The full text of the adopted hospital cybersecurity regulations is available on the DOH’s website. Attorneys in Barclay Damon’s Data Security & Technology Practice Area are available to assist hospitals with preparing, reviewing, and revising their cybersecurity programs, including policies and procedures, and will continue to monitor developments and best practices.
If you have any questions regarding the content of this alert, please contact Dena DeFazio, associate, at ddefazio@barclaydamon.com; Bridget Steele, counsel, at bsteele@barclaydamon.com; or another member of the firm’s Data Security & Technology Practice Area or Health & Human Services Providers Team.
[i] See 10 NYCRR § 405.46(p).
[ii] See id.
[iii] See 10 NYCRR § 405.46(n)(1).
[iv] See 10 NYCRR § 405.46(b)(4)–(5).
[v] See 10 NYCRR § 405.46(n)(1).
[vi] See id.
[vii] See 10 NYCRR § 405.46(p).
[viii] See 10 NYCRR § 405.46(n)(2).
[ix] See 10 NYCRR § 405.46(n)(3).
[x] See id.