January 29, 2025

New York Poised to Transform Health Data Privacy

Holland & Knight Healthcare Blog
Harshita Rathore | Ben Steinberg

New York lawmakers have passed a groundbreaking health privacy bill, the New York Health Information Privacy Act (NYHIPA or the Act), which could significantly redefine how entities handle health-related data. The Act, which is awaiting Gov. Kathy Hochul's signature, imposes strict requirements on "regulated entities" processing "regulated health information" (RHI) linked to New York residents or individuals physically present in New York. If signed into law, the Act will take effect one year later.

What Is RHI?

The Act's expansive definition of RHI includes any data reasonably linkable to an individual or device and collected or processed in connection with an individual's physical or mental health, such as location and payment details, while excluding properly deidentified information.

What Entities Are Required to Comply with the Act?

NYHIPA addresses privacy gaps left by the Health Insurance Portability and Accountability Act (HIPAA). Unlike HIPAA, which primarily applies to healthcare entities, NYHIPA covers nearly all regulated entities that process RHI. The Act defines a "regulated entity" as any entity that 1) controls the processing of RHI of an individual who is a New York resident, 2) controls the processing of RHI of an individual who is physically present in New York while that individual is in New York or 3) is located in New York and controls the processing of RHI. This includes fitness apps, wearable device manufacturers, employers and educational institutions – in other words, entities that collect health and wellness information not covered by HIPAA. "Processing" refers to any operation involving RHI, such as collection, use, storage, sharing, analysis, modification or deletion.

Authorization Requirements

The Act makes it unlawful for a regulated entity to sell an individual's RHI or "otherwise process" an individual's RHI unless the individual provides a valid authorization, which requires compliance with rigorous standards, or the processing of RHI is "strictly necessary" for specific delineated purposes.

The authorization process requires, among other things, that regulated entities keep authorization requests separate from other transactions, make the authorization request at least 24 hours after the individual creates an account or uses the entity's product or service, and ensure the authorization request is free from mechanisms that impair decision-making. Requests must allow individuals to authorize or decline specific processing categories and must not repeat requests for previously declined activities. Valid authorizations must specify the types of RHI to be processed, the nature and purposes of the processing, the third parties to which the RHI may be disclosed, any compensation received by a regulated entity in connection with processing RHI, the authorization's expiration date, the process for revoking the authorization and the process by which individuals can access or delete their RHI.

Regulated entities must provide easy revocation methods, cease unauthorized processing immediately upon revocation (with certain exceptions) and supply individuals with copies of their authorizations. Additionally, processing must align strictly with the terms disclosed during the authorization process, and any significant change to processing activities requires new consent. Importantly, entities cannot make access to a service contingent upon an individual providing authorization.

As noted above, the processing of RHI is also permitted when it is "strictly necessary" for certain permissible purposes. These purposes are 1) maintaining requested services, 2) conducting the regulated entity's internal business operations, excluding activities related to marketing, advertising, research and development, or providing products or services to third parties, 3) protecting against malicious, fraudulent or illegal activity, 4) preventing security incidents, 5) protecting the vital interests of an individual, 6) complying with legal obligations or 7) defending against legal claims. A regulated entity that processes RHI pursuant to a permissible purpose must provide a clear and conspicuous notice detailing the types, purpose and nature of health information processing, any disclosures to third parties and how individuals can access or delete their information.

RHI Exemptions

NYHIPA exempts four categories of information: 1) information processed by government entities, 2) protected health information governed by HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH), 3) information managed by covered entities under HIPAA and HITECH to the extent the covered entity maintains patient information in the same manner as protected health information and 4) data collected for clinical trials subject to federal protections for human subjects.

Enforcement

If signed into law, the Act would grant the state attorney general authority to enforce its provisions, including by seeking restitution, disgorgement of profits and civil penalties of the greater of $15,000 per violation or 20 percent of revenue from New York consumers within the past fiscal year, and to pursue other appropriate relief, including preliminary measures.

Holland & Knight will continue to monitor NYHIPA for any new developments.