On January 22, the New York state legislature passed Senate Bill S929, known as the New York Health Information Privacy Act (HIPA or the “Act”). The bill will next move to the New York governor for signature.
Adopting an approach similar to that employed in the Washington My Health My Data Act (MHMDA) (albeit without a private right of action), HIPA would impose significant limitations on entities’ processing of “regulated health information,” which is defined broadly as “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual” (but notably excluding protected health information (“PHI”) collected by covered entities or business associates governed by HIPAA, as well as deidentified information). Specifically, the Act provides that regulated entities may not sell regulated health information to third parties, and may only process regulated health information if they (1) obtain “valid authorization” from the relevant individual or (2) process the information pursuant to a permissible purpose (such as, for example, providing a product requested by the individual or responding to security threats). These substantive obligations, combined with its broad scope, mean that HIPA is likely to create meaningful compliance obligations for entities that process consumer health data for secondary purposes (including for marketing or targeted advertising purposes).
If signed into law, HIPA would join a series of other recently enacted state laws focused specifically on health data, including, for example, the Washington MHMDA and similarly focused health data laws in Connecticut and Nevada. Though the 2025 legislative session remains in its early stages, we expect that more health-focused proposals are likely to emerge in state legislatures across the country as the year progresses, especially given the change in administration.
In this post, we summarize notable provisions of HIPA and highlight key takeaways for companies looking to understand how this bill will affect their health data privacy compliance obligations.
KEY TAKEAWAYS
- Limitations on Sale and Processing of Health Information: The Act’s key substantive provisions restrict regulated entities’ processing of health information. Specifically, the Act prohibits regulated entities from selling regulated health information to third parties and allows regulated entities to process regulated health information only if (1) they obtain “valid authorization” from the relevant individual or (2) the information is processed for a permissible purpose (such as, for example, providing a product or service requested by the individual, conducting certain internal business operations, protecting against illegal activity or security threats, or complying with legal obligations).
- Broad Definition of Health Information: The Act defines “regulated health information” broadly as “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual.” The bill text emphasizes the broad reach of this definition by explicitly stating that “[l]ocation or payment information that relates to an individual’s physical or mental health” and “inference[s] drawn or derived about an individual's physical or mental health” fall within the scope of regulated health information subject to the law’s protections. Notably, however, deidentified information is excluded from the Act’s definition of regulated health information.
- Expansive Applicability: The Act is similarly broad in terms of the entities that it applies to. The bill’s definition of “regulated entity” is expansive, including “any entity that (a) controls the processing of regulated health information of … a New York resident, (b) controls the processing of regulated health information of an individual who is physically present in New York while that individual is in New York, or (c) is located in New York and controls the processing of regulated health information.” This definition is arguably broader even than that of the MHMDA, which applies to entities that either conduct business in Washington or target products or services to individuals in Washington. Moreover, the Act’s far-reaching definition of “regulated entity” is paired with an unusually small set of exemptions. Though the Act does exempt information processed by government entities, PHI collected by HIPAA-governed covered entities and business associates, HIPAA covered entities (to the extent they maintain patient information in the same manner as HIPAA-governed PHI), and clinical trial information, it does not include other types of exemptions commonly incorporated into state privacy laws, such as those for GLBA-regulated information, nonprofit entities, or employee information.
- State AG Rulemaking: Unlike the MHMDA, HIPA grants the state AG rulemaking authority. This creates the potential for additional compliance challenges for companies down the road, if the New York AG elects to exercise this authority to layer additional regulatory requirements on top of those enshrined in the statute.
- Specific Data Disposal Requirement: Finally, HIPA is notable for requiring regulated entities to dispose of regulated health information no later than 60 days after it is no longer needed for its established processing purpose — another distinction between HIPA and other state privacy laws (including the MHMDA), which generally do not include a specific data disposal requirement.
KEY PROVISIONS
- Regulated health information: Defined as “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual.” Sec. 1120(2).
- The Act notes that “[l]ocation or payment information that relates to an individual’s physical or mental health or any inference drawn or derived about an individual's physical or mental health that is reasonably linkable to an individual, or a device, shall be considered, without limitation, regulated health information.” Sec. 1120(2).
- The Act’s definition of regulated health information excludes deidentified information. Sec. 1120(2).
- Regulated entity: Defined as “any entity that (a) controls the processing of regulated health information of an individual who is a New York resident, (b) controls the processing of regulated health information of an individual who is physically present in New York while that individual is in New York, or (c) is located in New York and controls the processing of regulated health information.” Sec. 1120(4).
- Sell: Defined as sharing regulated health information “for monetary or other valuable consideration,” so the prohibition on sale is not limited to exchanges for money. Sec. 1120(5).
- Exemptions
- The bill exempts information processed by local, state, and federal government entities; protected health information collected by covered entities or business associates governed by HIPAA; HIPAA covered entities to the extent they “maintain[] patient information in the same manner as protected health information [governed by HIPAA]”; and clinical trial information governed by the Common Rule, International Council for Harmonisation good clinical practice guidelines, or FDA human subject protection requirements. Sec. 1126.
- Restrictions on Processing of Regulated Health Information
- Prohibition on Sale: The Act prohibits regulated entities from selling individuals’ regulated health information to third parties. Sec. 1122(1)(a).
- Restrictions on Processing: The Act makes it unlawful for a regulated entity to process an individual’s regulated health information unless (1) “[t]he individual has provided valid authorization for such processing” or (2) the processing of the individual’s regulated health information is “strictly necessary” for specified permissible purposes, including (i) “providing or maintaining a specific product or service requested by such individual,” (ii) “conducting the regulated entity's internal business operations, which exclude any activities related to marketing, advertising, research and development, or providing products or services to third parties,” (iii) “protecting against malicious, fraudulent, or illegal activity,” (iv) “detecting, responding to, or preventing security incidents or threats,” (v) “protecting the vital interests of an individual,” (vi) “investigating, establishing, exercising, preparing for, or defending legal claims,” or (vii) “complying with the regulated entity's legal obligations.” Sec. 1122(1)(b).
- Valid Authorizations
- Required Information: Valid authorizations must include such information as the types of regulated health information to be processed; the nature and purposes of the processing; the names or categories of service providers and third parties to which the regulated health information may be disclosed; the purposes for such disclosures to service providers and third parties; any monetary or valuable consideration the regulated entity may receive in relation to the processing; an affirmation that declining to provide authorization will not affect the individual’s use of the entity’s products and services; the expiration date of the authorization (up to one year from the date authorization is granted); and the mechanisms by which the individual may revoke authorization and request access to and deletion of their regulated health information. Sec. 1122(2)(b).
- Additional Requirements: Requests for valid authorization must conform to several additional requirements (Sec. 1122(2)(a)), including:
- Being “made separately from any other transaction or part of a transaction”;
- Being “made at least twenty-four hours after an individual creates an account or first uses the requested product or service”;
- Being “made in the absence of any mechanism that has the purpose or substantial effect of obscuring, subverting, or impairing an individual's decision-making regarding authorization”;
- Allowing the individual to provide or withhold authorization separately for different categories of processing;
- Not including “any request for authorization for a processing activity for which an individual has withheld or revoked authorization within the past calendar year.”
- Revocation: Regulated entities must provide a mechanism by which individuals may revoke their valid authorizations. Sec. 1122(2)(c).
- Material Alterations of Processing: Regulated entities must obtain a new authorization from an individual if they seek to “materially alter” their processing of regulated health information collected pursuant to an existing authorization. Sec. 1122(2)(f).
- Non-Discrimination: Regulated entities are prohibited from discriminating against individuals for declining to provide authorization. Sec. 1122(2)(g).
- Permissible Purpose Processing
- Clear and Conspicuous Notice: Regulated entities that process regulated health information pursuant to a permissible purpose must provide a “clear and conspicuous notice” that describes “(i) the types of regulated health information to be processed; (ii) the nature of the processing activity; (iii) the specific purposes for such processing; (iv) the names where readily available, or categories of service providers and third parties to which the regulated entity may disclose the individual's regulated health information and the purposes for such disclosure … ; and (v) the mechanism by which the individual may request access to and deletion of their regulated health information.” Sec. 1122(3)(a).
- Material Alterations: If the regulated entity “materially alters” its processing of regulated health information collected for a permissible purpose, it must provide another clear and conspicuous notice “that describes any material changes to the processing activities and provide[s] the individual with an opportunity to request deletion of their regulated health information.” Sec. 1122(3)(b).
- Individual Rights
- Rights to Access and Delete: Creates rights for individuals to access and delete their regulated health information. Sec. 1123(1)-(2).
- Security
- Reasonable Safeguards: Requires regulated entities to implement “reasonable administrative, technical, and physical safeguards” to protect regulated health information. Sec. 1124(1).
- Data Disposal: Requires regulated entities to dispose of regulated health information “pursuant to a publicly available retention schedule within a reasonable time, and in no event later than sixty days, after it is no longer necessary to maintain for the permissible purpose or purposes identified in the notice or for which the individual provided valid authorization.” Sec. 1124(2).
- Service Providers
- Data Processing Agreements: Requires that processing of regulated health information by a service provider be governed by a written, binding agreement between the service provider and the regulated entity that satisfies specific requirements laid out in the Act related to, for example, processing limitations, fulfillment of individuals’ data rights, and compliance assessments. Sec. 1125.
- Enforcement
- State AG Enforcement: Grants the state AG authority to bring enforcement actions, which may include civil penalties consisting of the greater of $15,000 per violation or 20% of annual revenue obtained by the regulated entity from New York consumers. Sec. 1127(1).
- State AG Rulemaking: Grants the state AG rulemaking authority. Sec. 1127(6).
- Effective Date: The Act would take effect one year after it is signed into law. Sec. 3.