AI Healthcare Regulations in New York (2025–2026)

New York has no single AI-in-healthcare statute as of early 2026. Compliance obligations stem from existing frameworks like HIPAA, the NY SHIELD Act, professional licensing rules, and NYC Local Law 144. Two major AI-specific bills, A3265 and A3356, are in committee but are not yet law.

Existing New York Laws That Already Govern AI in Healthcare

Existing privacy, anti-discrimination, and professional liability frameworks govern the use of AI in New York healthcare settings.

Federal law, including HIPAA, governs any covered entity or business associate handling protected health information (PHI). This includes AI systems that process, analyze, or generate PHI. The FDA's Software as a Medical Device (SaMD) guidance applies to clinical decision support tools that meet the definition of a medical device.

State obligations are defined by the NY SHIELD Act (NY General Business Law § 899-aa et seq.). This law requires reasonable cybersecurity safeguards for private information, including health data processed by AI systems. NY Public Health Law § 18 gives patients rights to access and correct their records, which extends to AI-generated clinical notes. Physicians remain professionally liable under NY Education Law and Office of Professional Medical Conduct (OPMC) rules for clinical decisions made with AI assistance.

For employment, S822 (signed as Chapter 96 of the 2025-2026 session) requires employers to disclose the use of automated employment decision-making tools and maintain an AI inventory. Consult the NY Department of Labor for the effective date, covered employer thresholds, and exact scope, as these details are not specified.

Two significant bills are not yet law. A3265 (NY AI Bill of Rights) and A3356 (Advanced AI Licensing Act) were both referred to the Assembly Science and Technology Committee as of March 2026. Neither has a floor vote scheduled.

Build compliance programs around HIPAA, the SHIELD Act, OPMC professional liability standards, and NYC Local Law 144 if operating in New York City.

NY SHIELD Act (NY General Business Law § 899-aa et seq.)

The SHIELD Act requires any person or business that owns or licenses computerized data containing private information of New York residents to implement and maintain reasonable safeguards. Health information is explicitly covered. If your AI system ingests, processes, or outputs patient data, you need documented cybersecurity controls for that system. The Attorney General enforces this with civil penalties up to $5,000 per violation (NY General Business Law § 899-bb). There is no exception for AI tools operated by a vendor; the covered entity owns the obligation.

NY Public Health Law § 18

Patients have the right to access and request correction of their medical records. AI-generated clinical notes, diagnostic summaries, and risk scores are part of the medical record and fall within § 18's scope. A patient who disputes an AI-generated notation can request an amendment. Your record-keeping and amendment workflows must account for AI-generated content.

NY Education Law § 6530 and OPMC Rules

Physicians cannot delegate clinical judgment to an algorithm. NY Education Law § 6530 defines professional misconduct broadly. The Office of Professional Medical Conduct (OPMC) has authority to discipline physicians who rely on AI outputs without appropriate clinical oversight. As of early 2026, OPMC has not issued formal guidance on AI-assisted clinical decisions. Consult OPMC directly for current interpretive positions. Document that a licensed clinician reviewed and accepted or modified any AI-generated recommendation before it influenced patient care.

NY Mental Hygiene Law

Behavioral health records have heightened protections under the NY Mental Hygiene Law. AI tools that process psychiatric notes, substance use records, or mental health assessments must comply with these additional restrictions on disclosure and use. This is in addition to HIPAA's 42 CFR Part 2 requirements for substance use disorder records.

NYC Local Law 144 of 2021 (Int. 1894-A)

This New York City law is fully enforced. Healthcare employers in NYC that use automated employment decision tools (AEDTs) in hiring or promotion must conduct annual independent bias audits and publish the results. Enforcement began in 2023. Civil penalties can reach $500 per day for violations. No statewide equivalent exists as of March 2026.

NY Human Rights Law (NY Executive Law § 296)

If an AI triage tool, scheduling algorithm, or diagnostic system produces disparate outcomes along protected class lines, it may create liability under the NY Human Rights Law. New York's protected classes are broader than those in federal laws like Title VII or the ADA. Audit AI tools against New York's standards, not just federal anti-discrimination frameworks.

Pending AI Legislation That Could Reshape Healthcare Compliance

A3265: New York Artificial Intelligence Bill of Rights

This bill would establish rights against automated decision-making without human oversight. It would also require transparency about when AI is being used and create opt-out rights for individuals subject to consequential automated decisions. Healthcare applications are explicitly implicated. As of March 2026, A3265 is referred to the Assembly Science and Technology Committee with no floor vote scheduled.

A3356: Advanced Artificial Intelligence Licensing Act

A3356 would require licensing of "advanced AI systems" above a certain compute threshold. The implications for large diagnostic models or generative AI used in clinical documentation are significant. Whether the compute-threshold definition would capture large language models used for clinical documentation is a question to raise with NY-licensed health law counsel. As of March 2026, A3356 is also referred to the Assembly Science and Technology Committee.

What "Referred to Committee" Means Practically

Bills in committee can be amended, combined with other legislation, or expire at the end of the session without a vote. The New York legislative session typically ends in June. Any bill not passed by then must be reintroduced in the next session. Healthcare entities should monitor these bills and begin internal impact assessments but should not build compliance programs around them yet.

S3006 (Chapter 56): State Budget Bill

S3006 was signed as Chapter 56 of the 2025-2026 session. The source material identifies it as the education, labor, housing, and family assistance budget. The available source material does not confirm whether it contains any AI or health-tech specific appropriations or mandates. Consult the NY Division of the Budget or review the enrolled bill text to determine if any AI-related provisions were included.

What Changed Recently: 2024-2026 Regulatory Activity

S822, Chapter 96: AI Employment Disclosure

S822 requires disclosure of automated employment decision-making tools and maintenance of an AI inventory. It was signed as Chapter 96 in the 2025-2026 session. The effective date, covered employer size thresholds, and whether the AI inventory requirement extends to clinical tools must be confirmed by reviewing the enrolled bill text or contacting the NY Department of Labor. The source material confirms the signing but does not specify these parameters.

NYC Local Law 144: Now Fully Active

Bias audit requirements for automated employment decision tools have been enforceable since 2023. Healthcare employers in NYC that have not conducted an independent bias audit of any AEDT used in hiring or promotion are out of compliance.

Federal Activity Affecting NY Entities

The HHS Office for Civil Rights issued guidance in 2024 on HIPAA compliance and AI. It clarified that AI systems processing PHI are subject to the full HIPAA Security Rule (45 CFR Part 164). The ONC HTI-1 Final Rule (45 CFR Part 170) introduced algorithmic transparency requirements for certified health IT, affecting EHR-integrated AI tools used in NY hospitals. The FTC issued AI guidance in 2024 addressing deceptive claims about AI capabilities, relevant to any healthcare entity marketing AI-assisted services.

NY Governor's Executive Order on AI

The available source material does not confirm whether the NY Governor issued a specific Executive Order addressing AI governance or AI use in state agency operations in 2024-2025. Consult the NY Governor's Office or review the NY State Register for any relevant executive orders.

NY DFS Circular Letter on AI in Insurance

The available source material does not confirm whether the NY Department of Financial Services has issued a Circular Letter specifically addressing AI or external data use in health insurance underwriting. Consult the NY DFS Insurance Division for current guidance.

Compliance Requirements Comparison: Key Obligations by Entity Type

AI vendors who qualify as Business Associates under HIPAA inherit Security Rule obligations through their BAAs (45 CFR § 164). The NY SHIELD Act adds a separate, independent state-law cybersecurity obligation that exists regardless of whether a BAA is in place.

Clinical decision support tools classified as SaMD require FDA clearance or approval. This is a federal requirement that NY law cannot displace.

The bias audit requirement under NYC Local Law 144 applies only within New York City. No statewide equivalent is currently enacted.

Federal vs. New York State AI Healthcare Rules: How They Interact

HIPAA Sets a Floor, Not a Ceiling

HIPAA's preemption provision (45 CFR § 160.203) allows states to impose stricter privacy and security requirements. The NY SHIELD Act's definition of private information is broader than HIPAA's definition of PHI, and its reasonable safeguards standard applies to a wider range of entities. HIPAA compliance alone does not ensure SHIELD Act compliance.

Regarding de-identification, HIPAA's safe harbor standard (45 CFR § 164.514) governs de-identification of PHI for federal purposes. An AI training dataset that meets HIPAA de-identification standards may still contain information covered under the SHIELD Act's broader definitions.

No Federal AI Preemption in Healthcare

There is no federal AI-in-healthcare statute that preempts state action. New York is free to legislate, and a bill like A3356 could impose licensing obligations on AI developers that exceed any current federal requirement.

FDA Jurisdiction Is Federal and Non-Negotiable

If an AI tool meets the definition of a medical device under the FDA's SaMD framework, it requires FDA clearance or approval. New York law cannot substitute for or grant an exemption from this federal requirement. Dual compliance is required.

NY Human Rights Law Covers More Ground Than Federal Anti-Discrimination Law

NY Executive Law § 296 covers more protected classes than Title VII and the ADA. When auditing AI tools for discriminatory outcomes, analyze them against New York's protected class definitions.

Build to the Stricter Standard

For each AI use case, identify every applicable federal and NY requirement, then build the compliance program to whichever is stricter. Document the analysis. If A3356 or A3265 passes, this documentation will make updating the program faster.

Next Steps and Who to Contact in New York

Immediate Actions

Conduct an AI inventory. List every AI tool used in clinical, administrative, and hiring functions. For each tool, identify the vendor, the data it processes, the decisions it influences, and the applicable regulatory framework. S822 (Chapter 96) requires an AI inventory for employment tools; extend this discipline to all tools.

Map each tool to applicable law. Use the comparison table as a starting framework. For any tool that touches clinical decision-making, confirm whether it meets the FDA's SaMD definition and has obtained FDA clearance.

Review Business Associate Agreements. Ensure BAAs with AI vendors explicitly address the vendor's obligations under HIPAA and the NY SHIELD Act.

Update HIPAA risk assessments. HHS OCR's 2024 guidance clarifies that AI systems processing PHI must be included in the Security Rule risk analysis (45 CFR § 164.308(a)(1)).

For NYC employers: Confirm you have conducted an independent bias audit of any AEDT used in hiring or promotion, as required by NYC Local Law 144. Audits must be independent and the results published.

Monitor the Legislative Pipeline

Subscribe to updates from the NY Assembly Science and Technology Committee to track A3265 and A3356. The NY Legislature's public bill tracking system at nysenate.gov allows email alerts for specific bills.

Key Contacts and Agencies

NY Attorney General, Health Care Bureau: Enforces the SHIELD Act. Contact through ag.ny.gov.

NY Department of Health: Oversees clinical AI issues under the Public Health Law. Contact through health.ny.gov.

NY Office of the Professions / OPMC: Governs physician liability for AI-assisted clinical decisions under NY Education Law § 6530. Contact OPMC directly for current interpretive positions.

NYC Commission on Human Rights: Enforces NYC Local Law 144 bias audit requirements. Guidance is available at nyc.gov/cchr.

NY Department of Financial Services: Regulates health insurers. Contact through dfs.ny.gov to verify if any Circular Letter on AI in insurance has been issued.

Federal touchpoints: HHS OCR (HIPAA and AI guidance), FDA (SaMD clearance), FTC (AI marketing claims).

A Note on Legal Counsel

As of early 2026, OPMC has not issued formal guidance on physician liability for AI-assisted clinical decisions. The regulatory gap between existing professional liability standards and the capabilities of current AI tools is unresolved. Before deploying any AI tool in clinical decision support, engage NY-licensed health law counsel to assess your specific liability exposure.