Skip to Main Content
Services Talent Knowledge
Site Search
Menu

Alert

Our attorneys stay on top of changes in legislation, agency regulations, case law, and industry trends—then craft timely legal alerts to keep clients up to date on legal developments important to their business.

October 10, 2024

NYS Department of Health Publishes Adopted Cybersecurity Regulations for Hospitals

On October 2, 2024, the New York State Department of Health (DOH) published notice of its adoption of the previously proposed hospital cybersecurity regulations. The adopted regulations create a new Section 405.46 of Title 10 (Health) of the New York State Codes, Rules, and Regulations and impose cybersecurity-related requirements on all New York State hospitals.

The adopted regulations require all hospitals licensed under Article 28 of the New York State Public Health Law to adopt a cybersecurity program. The key points of the adopted regulations were summarized in our prior alert on the proposed requirements. Importantly, hospitals have one year from the date of adoption to comply with the new regulatory requirements.i  As such, compliance with most provisions of the rule will be required by October 2, 2025.

Notably, however, the regulatory provisions that require cybersecurity incidents to be reported to the DOH are not subject to the one-year implementation timeline; instead, they are effective as of October 2, 2024.ii This requirement mandates that each hospital or their designee is required to notify the DOH as promptly as possible but no later than 72 hours after determining that a cybersecurity incident has occurred.iii The regulations define a “cybersecurity incident” as:

  • A “cybersecurity event”—i.e., any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse the hospital’s information system or the information stored thereon, including, but not limited to, health records—that:
    • Has a material adverse impact on the normal operations of the hospital; or
    • Has a reasonable likelihood of materially harming any part of the normal operations of the hospital; or
    • Results in the deployment of ransomware within a material part of the hospital’s information systems.iv

Importantly, this required notification does not replace any other notifications that may be required under state or federal laws or regulations, such as notifications to affected individuals or the US Department of Health and Human Services Office of Civil Rights under the Health Insurance Portability and Accountability Act (HIPAA) or 42 CFR Part 2, or reports required under the New York State Stop Hacks and Improve Electronic Data Security (SHIELD) Act.v Additional information on these reporting requirements is needed; reports must be made in the manner prescribed by the DOH, and information regarding the manner for reporting has not yet been made available.vi

In addition to these reporting requirements, the requirements related to maintenance of documentation also became effective on October 2, 2024.vii These requirements obligate hospitals to maintain any and all documentation required by the new regulations, including, but not limited to, records, schedules, reports, and data, to submit documentation to the DOH upon request and to maintain the documentation for at least six years.viii Additionally, to the extent that a hospital has identified areas, systems, or processes that require material improvement updating or redesign, the hospital is required to document the identification and remedial efforts (both planned and underway) to address the areas, systems, or processes.ix This documentation also must be made available to the DOH for inspection and must be maintained for at least six years.x  

As noted above, the full text of the adopted hospital cybersecurity regulations is available on the DOH’s website. Attorneys in Barclay Damon’s Data Security & Technology Practice Area are available to assist hospitals with preparing, reviewing, and revising their cybersecurity programs, including policies and procedures, and will continue to monitor any developments and best practices.

If you have any questions regarding the content of this alert, please contact Dena DeFazio, associate, at ddefazio@barclaydamon.com; Bridget Steele, counsel, at bsteele@barclaydamon.com; or another member of the firm’s Data Security & Technology Practice Area or Health & Human Services Providers Team.
                                                                                           

iSee 10 NYCRR § 405.46(p).
iiSee id.
iiiSee 10 NYCRR § 405.46(n)(1).
ivSee 10 NYCRR § 405.46(b)(4)–(5).
vSee 10 NYCRR § 405.46(n)(1).
viSee id.
viiSee 10 NYCRR § 405.46(p).
viiiSee 10 NYCRR § 405.46(n)(2).
ixSee 10 NYCRR § 405.46(n)(3).
xSee id.
 

Featured Media

Alerts

RAPID Action: NYS Office of Energy Renewable Energy Siting and Transmission Announces Draft Regulations for New Transmission Siting Framework

Alerts

NYSDEC Issues Draft Freshwater Wetlands General Permit

Alerts

USPTO Updates Audit Program

Alerts

NYS DOL Publishes Long-Awaited FAQs on Paid Prenatal Leave Law

Alerts

Update on Massachusetts Pay Transparency Law Disclosures and EEO Reporting Requirements in 2025

Alerts

Massachusetts Employers Required to Provide Job Applicants Notice That Use of a Lie Detector Test Is Unlawful

This site uses cookies to give you the best experience possible on our site and in some cases direct advertisements to you based upon your use of our site.

By clicking [I agree], you are agreeing to our use of cookies. For information on what cookies we use and how to manage our use of cookies, please visit our Privacy Statement.

I AgreeOpt-Out