Alert
February 7, 2025

Navigating the Digital Health Frontier: Unpacking NYHIPA’s Far-Reaching Impact on Health Data Privacy

On January 22, the New York State Legislature passed Senate Bill S929, titled the New York Health Information Privacy Act (NYHIPA), which is poised to redefine how businesses handle health and wellness-related data in and outside of New York. If the bill is signed into law in its current form, it will go into effect one year after the governor signs it.

Given NYHIPA’s expansive scope, substantial obligations, and broad language, the act would significantly change how businesses process health and wellness-related information. Its stringent authorization rules and steep penalties mean that NYHIPA would have sweeping implications for businesses serving New York consumers.

Background

NYHIPA is the latest in a wave of state-level health data legislation aimed at extending protections for personal health information beyond the scope of the federal Health Insurance Portability and Accountability Act (HIPAA). NYHIPA shares several similarities with Washington State’s My Health My Data Act (MHMDA), which took effect on March 31, 2024. (See our analysis of MHMDA here.) Both NYHIPA and MHMDA address perceived gaps in federal protection of health information. Unlike HIPAA, which generally reaches only covered entities and their business associates, NYHIPA extends privacy protections to other entities that control or process health and wellness-related data.

Key Takeaways

Expansive scope and applicability

Type of information covered: NYHIPA seeks to protect “regulated health information” (RHI), a broad category that includes any data reasonably linkable to an individual or a device that is collected or processed in connection with that individual’s physical or mental health. This encompasses location or payment information and any inference about an individual’s mental or physical health. The definition is comparably broad to MHMDA’s definition of “consumer health information.” However, MHMDA specifically exempts certain categories of data that NYHIPA does not, including public data, research data, and financial data regulated under the Gramm-Leach-Bliley Act. Notably, NYHIPA does not apply to protected health information that is regulated under HIPAA.

Entities covered: NYHIPA applies to any entity that fulfills any of the following:

  • Controls the processing of RHI of a New York resident
  • Controls the processing of RHI of an individual who is physically present in New York at the time of processing
  • Is located in New York and controls the processing of RHI

Under this definition, NYHIPA applies to any company that processes non-HIPAA-regulated health or wellness-related data pertaining to a New York resident or to an individual in New York at the time of processing. Read literally, the definition also reaches a non-New York entity processing a non-New York resident’s data if that individual happens to be in New York at the time of processing.

NYHIPA exempts a HIPAA covered entity only to the extent that the entity processes patient information in the same manner as protected health information. Even HIPAA covered entities are therefore not exempt with respect to data that is not protected health information (e.g., employee health and wellness data).

Stringent authorization requirements

NYHIPA mandates that regulated entities obtain “valid authorization” to collect or process RHI, with exceptions for “strictly necessary” processing activities, such as:

  • Providing requested products or services
  • Conducting limited internal business operations
  • Protecting against malicious activities
  • Detecting security incidents
  • Safeguarding the individual’s vital interests
  • Investigating legal claims
  • Complying with legal obligations

This requirement reflects NYHIPA’s intention to limit the use of health and wellness data for marketing purposes absent consumer authorization, a common target of recent state-level health data legislation.

Because many forms of processing will not qualify as “strictly necessary,” regulated entities will routinely need to obtain valid authorization to process RHI. NYHIPA requires that these authorizations be obtained separately from any other transaction, and in no case within the first 24 hours of a consumer’s initial use of a product or service. This requirement precludes the typical opt-in checkbox during initial account registration. Further, compound authorizations must give the consumer the option to provide or withhold authorization for each processing activity independently. NYHIPA also prescribes authorization form contents common to similar forms, including those under HIPAA, such as the nature and purpose of the processing, the categories of parties to whom the data will be disclosed, an expiration date, and a revocation mechanism, among other requirements.

NYHIPA imposes additional rules for users with online accounts, requiring a list of all authorized processing activities to be accessible “in a conspicuous and easily accessible place within the account settings” and allowing revocation of authorization “with one motion or action.” Entities may neither condition their products or services on authorization nor discriminate against individuals who withhold authorization by offering different benefits or pricing.
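To make the authorization rules above concrete, the following Python sketch models the consent record a regulated entity would need to keep: a waiting period measured from first use, a compound authorization in which each purpose is accepted or declined independently, a list of the required form fields (expiration, recipient categories), single-action revocation, and an account-settings view. This is an added example written for this page, not code from the bill, from Goodwin, or from any vendor. The purpose identifiers, the reading of “initial use” as the account-creation timestamp, and the treatment of expiry are assumptions for the example; the bill text, not this list, is authoritative.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Purposes the alert summarizes as "strictly necessary" and thus exempt from
# the authorization requirement. Identifiers are assumptions for this example.
STRICTLY_NECESSARY = frozenset({
    "provide_requested_service", "limited_internal_operations",
    "protect_against_malicious_activity", "detect_security_incident",
    "protect_vital_interests", "investigate_legal_claim",
    "comply_with_legal_obligation",
})

# No authorization may be sought within the first 24 hours of initial use.
# Assumption: "initial use" is the timestamp recorded at account creation.
WAITING_PERIOD = timedelta(hours=24)


class AuthorizationError(Exception):
    """An authorization request that would not be valid under the rules modeled here."""


@dataclass
class Authorization:
    purpose: str                 # the processing activity being authorized
    granted_at: datetime
    expires_at: datetime         # the form must carry an expiration date
    recipients: Tuple[str, ...]  # categories of parties RHI will be disclosed to
    revoked_at: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        return self.revoked_at is None and now < self.expires_at


@dataclass
class Account:
    first_use_at: datetime
    authorizations: Dict[str, Authorization] = field(default_factory=dict)


def request_authorizations(account: Account, choices: Dict[str, bool], now: datetime,
                           expires_at: datetime, recipients: Tuple[str, ...]) -> List[str]:
    """Record a compound authorization. `choices` maps each proposed purpose to the
    consumer's independent yes/no decision, so declining one never blocks another.
    Returns the purposes actually granted."""
    if now - account.first_use_at < WAITING_PERIOD:
        raise AuthorizationError("authorization may not be requested within 24 hours of first use")
    if expires_at <= now:
        raise AuthorizationError("authorization must carry a future expiration date")
    if not recipients:
        raise AuthorizationError("authorization must name the categories of recipients")
    granted = []
    for purpose, accepted in choices.items():
        if purpose in STRICTLY_NECESSARY:
            continue  # exempt activities need no authorization; keep them off the form
        if accepted:
            account.authorizations[purpose] = Authorization(purpose, now, expires_at, recipients)
            granted.append(purpose)
    return granted


def revoke(account: Account, purpose: str, now: datetime) -> bool:
    """Single-action revocation: one call, no confirmation step, other purposes untouched."""
    auth = account.authorizations.get(purpose)
    if auth is None or auth.revoked_at is not None:
        return False
    auth.revoked_at = now
    return True


def may_process(account: Account, purpose: str, now: datetime) -> bool:
    """Gate each processing operation on this check, not on a stale 'consented' flag."""
    if purpose in STRICTLY_NECESSARY:
        return True
    auth = account.authorizations.get(purpose)
    return auth is not None and auth.is_active(now)


def settings_view(account: Account, now: datetime) -> List[Tuple[str, bool]]:
    """Data for the account-settings page: every authorized activity and its current status."""
    return sorted((p, a.is_active(now)) for p, a in account.authorizations.items())


def demo() -> dict:
    """Run the lifecycle on constructed timestamps and return the observable results."""
    t0 = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed first-use time
    account = Account(first_use_at=t0)
    results = {}
    try:  # one hour after signup: still inside the waiting period
        request_authorizations(account, {"marketing": True}, t0 + timedelta(hours=1),
                               t0 + timedelta(days=365), ("advertising partners",))
        results["early_request_rejected"] = False
    except AuthorizationError:
        results["early_request_rejected"] = True
    day2 = t0 + timedelta(hours=25)
    results["granted"] = request_authorizations(
        account, {"marketing": True, "sell_to_data_brokers": False, "detect_security_incident": True},
        day2, t0 + timedelta(days=365), ("advertising partners",))
    results["marketing_before_revoke"] = may_process(account, "marketing", day2)
    results["brokers"] = may_process(account, "sell_to_data_brokers", day2)
    results["security_always_ok"] = may_process(account, "detect_security_incident", t0)
    results["revoked"] = revoke(account, "marketing", day2 + timedelta(days=10))
    results["marketing_after_revoke"] = may_process(account, "marketing", day2 + timedelta(days=11))
    results["settings"] = settings_view(account, day2 + timedelta(days=11))
    return results
```

The point of keeping `may_process` as the single gate is that revocation and expiry take effect immediately everywhere RHI is used, rather than depending on each downstream job re-reading a consent flag.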

Vague security requirements

NYHIPA requires regulated entities to develop, implement, and maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of RHI. This language tracks HIPAA and similar privacy laws, but NYHIPA does not specify what qualifies as reasonable. Pending guidance, the HIPAA Security Rule, from which the phrasing is drawn, is the most natural reference point for entities designing a safeguards program. If NYHIPA is signed into law, we anticipate that New York will promulgate rules and regulations that further detail these requirements.

Service provider requirements

NYHIPA requires regulated entities to enter into agreements with service providers that process RHI on their behalf. This is similar to the Business Associate Agreement requirement under HIPAA, and NYHIPA requires similar terms related to confidentiality, individual rights, deletion or return of RHI upon termination, cooperation with compliance evaluations, and flow-down requirements for subcontractors. Unique, however, is NYHIPA’s requirement that service providers agree not to combine RHI with any other personal information received from a third party or from their own relationships with individuals. Service providers that currently pool data across customers may need to change their systems so that RHI is kept segregated by controller.

Enforcement

NYHIPA empowers the New York attorney general to enforce the law through injunctive relief, including disgorgement, and financial penalties of up to $15,000 per violation or 20% of revenue from New York consumers, whichever is greater. These penalty limits are higher than those in similar state-level health data laws such as MHMDA, but the law does not provide a private right of action.

Potential Impact and What’s Next

If signed into law, NYHIPA’s onerous authorization requirements and broad scope of applicability are likely to create challenges for digital health companies and other industries serving New York consumers. If MHMDA is any indication, compliance costs will rise as systems are aligned with the technical requirements, operational challenges will surface around validating authorizations with third parties, and confusion over the law’s security requirements will persist.

Before NYHIPA’s effective date, assuming it is signed into law, New York may promulgate rules and regulations that provide greater clarity on these new requirements and their enforcement. Until then, Goodwin’s healthcare regulatory attorneys will continue to monitor NYHIPA and other state health privacy legislation proposals. For the most up-to-date information and latest news in this space, be sure to bookmark our dedicated Health Headlines newsletter. If you have questions about the bill or its potential impact, please contact Jonathan Ishee, Michael Paluzzi, Sukrti Thonse, or a member of the Goodwin healthcare team.


This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.