New York Healthcare AI Compliance: SHIELD Act, Executive Order 144, and NYC AI Bias Requirements
New York has enacted some of the most proactive AI regulations in the United States. Governor Hochul's Executive Order 144 (2024) established AI governance requirements for state agencies and direction for regulated industries including healthcare. New York City's Local Law 144 (2021, effective 2023) requires bias audits for AI tools used in employment decisions — a framework that may extend to clinical AI. The New York SHIELD Act at General Business Law §899-aa imposes data breach notification and security program requirements that apply to healthcare data alongside HIPAA.
New York has proposed multiple bills imposing AI-specific requirements, some with penalties up to $20M per violation for high-risk AI systems causing harm. While comprehensive state AI legislation has not yet passed as of early 2026, New York's regulatory direction is clear — healthcare AI vendors operating in New York should anticipate increasing regulation. New York's aggressive enforcement posture in financial services (DFS) and its expanding consumer protection framework suggest healthcare AI will face increasing state oversight.
New York SHIELD Act: Data Security Requirements
General Business Law §899-aa — Enhanced Data Security for New Yorkers
- Act: Stop Hacks and Improve Electronic Data Security (SHIELD) Act
- Effective: October 23, 2019
- Scope: Any person or business owning or licensing computerized data of New Yorkers — including healthcare AI vendors
- Security Program: Must implement reasonable administrative, technical, and physical safeguards
- Healthcare Alignment: Healthcare covered entities must comply with SHIELD in addition to HIPAA
- Key Addition: SHIELD's definition of private information includes biometric information and account access credentials — broader than HIPAA
New York Executive Order 144 and AI Governance
New York Governor Hochul's Executive Order 144 (2024) directed state agencies to develop AI governance frameworks and established the Office of AI for state government. The EO also signaled regulatory direction for regulated industries including healthcare — New York regulators (Department of Health, Department of Financial Services) are developing AI governance guidance that will affect healthcare AI vendors.
NYC Local Law 144 and Healthcare AI: New York City's Local Law 144 (effective July 2023) requires employers using AI in employment decisions to conduct annual bias audits by independent auditors and publish bias audit results. While LL144 specifically addresses employment decisions, the bias audit framework represents a model that New York regulators may extend to clinical AI tools. Healthcare AI vendors in New York should proactively conduct bias assessments of their AI tools as a risk management measure.
NY Department of Health Healthcare AI Oversight
The New York State Department of Health (NYSDOH) has authority over healthcare facilities, health information exchange, and public health programs. NYSDOH is actively developing guidance on AI in healthcare settings. New York's Office of the Medicaid Inspector General (OMIG) has specific healthcare fraud enforcement authority that applies to AI-related billing errors.
Compliance Checklist
New York Healthcare AI Compliance — Key Requirements
SHIELD Act Security Program Compliance
AI vendors operating in New York must have a documented information security program meeting SHIELD Act requirements. SHIELD's security program requirements align with HIPAA's Security Rule, but SHIELD applies to any private information of New York residents — not just PHI. Verify that the AI platform's security program documentation addresses SHIELD Act requirements specifically.
NY Breach Notification Timing
New York's SHIELD Act requires breach notification to affected New Yorkers 'in the most expedient time possible' and without unreasonable delay — this is the same standard as HIPAA but applies to a broader category of private information. Maintain breach notification procedures that address both HIPAA and SHIELD notification requirements simultaneously.
NYC LL144 Bias Audit Preparation
While LL144 currently applies to employment AI, proactively conduct bias audits of clinical and administrative AI tools used in New York. Document bias testing methodology, results, and remediation actions. This positions organizations for compliance if the bias audit framework is extended to clinical AI.
NY Medicaid (OMIG) Compliance
New York's Office of the Medicaid Inspector General (OMIG) conducts compliance audits of Medicaid providers including AI billing system compliance. OMIG's provider audit program reviews coding accuracy, medical necessity documentation, and billing integrity. AI billing tools must be tested against OMIG audit criteria.
NY Mental Health Law Compliance
New York Mental Hygiene Law imposes mental health record privacy requirements beyond HIPAA. AI systems in New York mental health settings must comply with Mental Hygiene Law confidentiality provisions at Article 33 — including stricter limitations on mental health record disclosure than HIPAA requires.
NY Telemedicine Laws
New York telemedicine laws (Public Health Law §2999-cc) and subsequent COVID-era extensions apply to AI-assisted telemedicine. New York has relatively permissive telemedicine regulations but requires physician licensure in New York for telemedicine services to New York patients — AI-assisted telemedicine platforms must verify physician licensure.
New York Healthcare AI with SHIELD Act and Executive Order 144 Compliance
Claire's New York deployment includes SHIELD Act security program documentation, OMIG billing compliance controls, NY Mental Hygiene Law data segregation, and bias assessment frameworks aligned with LL144 principles.