New York’s Health Information Privacy Act: what you need to know

Hogan Lovells
If enacted, the New York Health Information Privacy Act (“NYHIPA”) will be the latest in a series of state privacy laws that regulate health data outside of the traditional health care context. It would follow the passage of similar laws in Connecticut, Maryland, Nevada, and Washington, but is markedly broader in scope and more restrictive in regulating how such health data can be processed. NYHIPA’s departures from existing legislative approaches to consumer health privacy regulation would complicate compliance strategies for entities subject to Washington’s My Health My Data Act (“WAMHMDA”) and its progeny, as well as bring new types of entities under its scope.

In a move to bolster reproductive health privacy, the New York legislature recently passed the NYHIPA bill. Although part of a larger legislative package on reproductive health care, NYHIPA has widespread implications for consumer health privacy at large. Given the recent federal administration change, a surge in copycat bills may be introduced elsewhere, similar to the post-Dobbs period. The article below summarizes NYHIPA’s key features and how it compares to existing consumer health privacy laws.

Broader Scope

NYHIPA would apply to a broad range of entities, due to the expansive definition of “regulated health information” and NYHIPA’s limited exemptions.

NYHIPA defines “regulated entities” to include (a) entities located in New York that control the processing of “regulated health information”; or (b) entities, regardless of their location, that control the processing of “regulated health information” of New Yorkers or of individuals physically located in New York. Regulated health information means any information that is “reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual” and expressly includes location and payment information related to an individual’s health, as well as inferences drawn about an individual’s health that are linkable to an individual or device. NYHIPA contains very limited exemptions, exempting only government actors, PHI governed by HIPAA, HIPAA covered entities to the extent patient information is maintained in the same manner as PHI, de-identified information, and information collected as part of clinical trial research subject to the Common Rule, ICH good clinical practices guidelines, or FDA human subjects protections. Notably, it does not exempt non-profits, or entities or information subject to FCRA, FERPA, or GLBA.

The broad definition of regulated health information and limited exemptions make NYHIPA more widely applicable than other consumer health privacy laws. Such laws do not apply to payment information and exempt information and/or entities subject to the GLBA, resulting in a clear exclusion of financial institutions and related health care payment data. These laws also exclude information and/or entities subject to FCRA and FERPA. Further, the other consumer health privacy laws do not limit their research-related exemptions to clinical trials only, but rather exempt research subject to the Common Rule, ICH good clinical practices guidelines, or FDA human subjects protections more generally.

More Limited Processing Purposes

Under NYHIPA, regulated entities generally cannot process regulated health information unless it is “strictly necessary” to (1) provide or maintain a specific product or service; (2) conduct internal business operations, excluding any activities related to marketing, advertising, research and development, or providing products or services to third parties; (3) protect against fraudulent activity; (4) detect or respond to security incidents; (5) protect an individual’s vital interests; (6) investigate or defend legal claims; or (7) comply with the regulated entity’s legal obligations. If the processing of an individual’s regulated health information does not fall under one of the purposes above, regulated entities must secure valid authorization at least 24 hours after the individual first interacts with the entity. NYHIPA also bans the “sale” of regulated health information. NYHIPA’s broad “sale” definition and statements made by New York legislators indicate this ban is intended in part to prevent certain disclosures made via third-party web tracking technologies. Other consumer health privacy laws permit a wider range of processing purposes, either expressly permitting certain internal business uses or requiring the processing to be merely “necessary” to provide a product or service. Further, these laws require only consent to process consumer health data for additional purposes and do not impose a mandatory waiting period before seeking such consent. With the exception of the Maryland Online Data Privacy Act, consumer health privacy laws generally permit the sale of consumer health data so long as authorization or consent is obtained.

Burdensome Compliance Obligations

NYHIPA creates obligations related to notice, consumer rights, accessibility, security, and service provider contracting. These obligations largely align with those found in other consumer health privacy laws, with a few notable exceptions. First, the service provider obligations are more prescriptive than those found in other consumer health privacy laws. These additional obligations include prohibitions on combining regulated health information with other information the service provider maintains, requirements to assist the regulated entity in effectuating consumer rights requests, audit requirements, and advance notice before engaging subcontractors to assist in processing the regulated health information. Second, in addition to basic details about the processing of regulated health information, the privacy notice must explain the circumstances under which regulated health information may be disclosed to law enforcement. Third, the law imposes more detailed accessibility requirements for notices and other communications, requiring such information to be more readily accessible to individuals with disabilities.

More Aggressive Enforcement Authority

NYHIPA provides for broad enforcement authority by the New York Attorney General and allows for a variety of damages, including restitution of any money or property obtained by a violation, disgorgement of profits obtained by a violation, and civil penalties of no more than $15,000 per violation or 20% of revenue obtained from New York consumers within the past year (whichever is greater). NYHIPA also does not clearly exclude a private right of action, instead providing that the Attorney General’s enforcement authority “shall be in addition to any other lawful remedy available.” The risk of enforcement under NYHIPA appears greater than under existing consumer health privacy laws. Other consumer health privacy laws are generally enforced by the relevant Attorney General in lower civil penalty amounts (e.g., $7,500 per violation under WAMHMDA). In addition, these states’ Attorneys General tend to be less active with respect to data privacy related issues than New York’s.

Next Steps

NYHIPA would go into effect one year after its passage. As the bill awaits the governor’s signature, companies may begin to evaluate whether NYHIPA will apply to their business operations and whether they fall under its definition of regulated entities. Entities that are already in compliance with WAMHMDA and its progeny may also review current consumer health data processing activities to determine which could continue without additional action (e.g., obtaining an authorization). Given NYHIPA’s broader scope, entities that are not yet subject to consumer health privacy laws may consider whether NYHIPA could apply to their operations. In particular, financial institutions that have previously been exempt from consumer health privacy laws may evaluate potential obligations if they process health care payment information outside the HIPAA-regulated context. Further, research institutions that were exempt under other consumer health privacy laws may evaluate whether their procedures meet NYHIPA’s processing requirements.

Entities that determine they are subject to NYHIPA may start developing measures for compliance with the requirements of the law, such as plans to narrow processing of regulated health information and implement processes that adhere to NYHIPA’s authorization requirements. This includes a close review of health-related websites, mobile applications, and third-party web tracking technologies to help ensure that prohibited “sales” do not occur.
