Unpacking the New York Health Information Privacy Act

On Jan. 21, the New York State Senate Bill S929 was passed by the Senate and Assembly. According to the New York Senate website, as of the date of this alert, the bill still hasn’t been delivered to Gov. Kathy Hochul. When it reaches her desk, she will have 10 days to act or it will automatically become law. 

What does it do? Big picture, similar to Washington’s My Health My Data Act, the New York Health Information Privacy Act (NY HIPA) imposes sweeping protections on individual health information, requiring a written authorization to sell or process health information unless strictly necessary for providing or maintaining a requested service or product.

Who does it impact? A “regulated entity” under the act is any entity that meets one of the following criteria:

  • Controls the processing of regulated health information of New York residents
  • Controls the processing of regulated health information of an individual physically present in New York
  • Is located in New York and controls the processing of regulated health information

Note: There is no “knowledge” requirement. Beyond the challenges of determining residency, the onus will be on the regulated entity to know whether an individual who is not a New York resident is physically present in New York at the time their information is collected. 

What data is covered? "Regulated health information" means any information that is reasonably linkable to an individual or a device and is collected or processed in connection with an individual’s physical or mental health. This includes location or payment information related to an individual’s physical or mental health or any inference drawn from or derived about an individual’s physical or mental health that is reasonably linkable to an individual or a device. The definition excludes de-identified data, which is defined using the qualifications found in many of the comprehensive state privacy laws. 

Note: “Individual” is not defined or limited to “consumers,” so the act can be read to apply to all individuals, even when acting in an employment or business-to-business capacity. 

What are the restrictions? Regulated health information cannot be sold or otherwise processed without a written authorization from the individual. A request for authorization must be separate from the transaction, be made at least 24 hours after an account is created or the services are used, and be granular. For multiple processing purposes, the individual must be allowed to provide or withhold consent separately. 

A valid authorization must include the following:
 
  • The types of regulated health information to be processed
  • The nature of the processing activity
  • The specific purposes for such processing
  • The names, where readily available, or the categories of service providers and third parties to which the regulated entity may disclose the individual’s regulated health information and the purposes for such disclosure, including the circumstances under which the regulated entity may disclose regulated health information to law enforcement
  • Any monetary or other valuable consideration the regulated entity may receive in connection with processing the individual’s regulated health information, where applicable
  • Notice that failing to provide authorization will not affect the individual’s experience of using the regulated entity’s products or services
  • The expiration date of the authorization, which may be up to one year from the date authorization was provided
  • The mechanism by which the individual may revoke authorization prior to expiration 
  • The mechanism by which the individual may request access to and deletion of their regulated health information 
  • Any other information material to an individual’s decision-making regarding authorization for processing
  • A signature (which may be electronic) 

Note: These requirements will impose significant operational challenges. First, the 24-hour waiting period after account creation (or first use of the service) will need to be operationalized before any authorization request is presented. Then the authorization will need to be renewed at least annually, and individuals will need to be able to withdraw consent at any time. 
 
What else is required?

Notices. Regulated entities that process regulated health information under a permissible purpose must provide clear and conspicuous notice of their processing activities. This does not appear to require a notice separate from the privacy policy (as Washington’s law does). However, if the processing purposes are materially altered, the regulated entity must provide a clear and conspicuous notice in plain language, separate from a privacy policy, terms of service or similar document, that describes the material changes to the processing activities, and it must give the individual an opportunity to request deletion of their regulated health information.
 
Individual Rights. In addition to the right to opt out or withdraw consent, NY HIPA establishes individual rights to access and delete regulated health information. A request to cancel or delete an account must be treated as a request to delete regulated health information. Deletion requests must be passed to third parties and service providers unless it is impossible or involves a disproportionate effort. Requests can be made by an individual or authorized agent. 
 

Contractual Obligations for Service Providers. The obligations of service providers are similar to what we see in the comprehensive privacy laws and include requirements to:

  • Ensure that each person processing regulated health information is subject to a duty of confidentiality 
  • Not combine regulated health information that the service provider receives from or on behalf of the regulated entity with any other personal information that the service provider receives from or on behalf of another party or collects from its relationship with individuals
  • Comply with any exercises of an individual’s rights 
  • Delete or return all regulated health information to the regulated entity at the end of the provision of services
  • Agree to reasonable assessments by the regulated entity or a third party

Security. NY HIPA requires regulated entities to develop, implement and maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of regulated health information. Notably, it also includes record retention obligations: an individual’s regulated health information must be securely disposed of under a publicly available retention schedule within a reasonable time, and in no event later than 60 days after it is no longer necessary to maintain for the permissible purpose or purposes identified in the notice, or for the purposes for which the individual provided a valid authorization.

What are the exceptions?

Authorization is not required when processing the individual’s regulated health information is strictly necessary for:

  • Providing or maintaining a specific product or service requested by such individual
  • Conducting the regulated entity’s internal business operations (which exclude any activities related to marketing, advertising, research and development, or providing products or services to third parties)
  • Protecting against malicious, fraudulent or illegal activity
  • Detecting, responding to or preventing security incidents or threats
  • Protecting the vital interests of an individual 
  • Investigating, establishing, exercising, preparing for or defending legal claims
  • Complying with the regulated entity’s legal obligations

Companies are also exempted if they are:

  • Government entities
  • Covered entities governed by the privacy, security and breach notification rules under the federal Health Insurance Portability and Accountability Act (HIPAA), as long as patient information is maintained in the same manner as protected health information (PHI)
  • Processing PHI under HIPAA
  • Collecting information as part of a clinical trial

Note: The HIPAA exemption is extremely limited and may not extend to all activities of a covered entity, since it is tied to how the information is maintained rather than to the entity as a whole. 

What happens now? As noted above, Gov. Hochul has 10 days to act once NY HIPA is sent to her desk. If it becomes law, it would take effect one year later and may be subject to additional rules and implementing regulations, which must be adopted before the effective date. 
 
In the meantime, companies should take stock of the impact of this law. Companies in the health and wellness space may be able to establish that some health information is strictly necessary to provide their services. Still, to the extent they want to monetize that data and use it for research or personalization, those uses may require authorization under NY HIPA. Likewise, a pharmaceutical company’s marketing and other patient-related activities will likely fall outside the narrow exception provided for data connected with clinical trials. Employers with New York employees may need to consider how this new law will impact employee wellness programs that may collect health information. Entertainment companies must consider how NY HIPA may impact data collected from talent. As always, advertising activities that use health information will be significantly restricted. Companies may look to modeled audiences or demographic data as alternative avenues, but those must be carefully considered.
 
Loeb & Loeb is tracking NY HIPA and will provide an update on whether it passes or gets vetoed. If you have any questions on how NY HIPA may impact you, please reach out to a member of Loeb & Loeb’s Privacy, Security & Data Innovations team.