Recently passed by the New York Assembly, the New York Health Information Privacy Act (“NYHIPA” or the “Act”) marks a significant shift in the regulation of health-related data in the State of New York. If signed into law, the Act would take effect one year from signature by Governor Kathy Hochul. Modeled after Washington’s My Health My Data Act, this legislation introduces robust privacy protections, expands the scope of regulated entities and imposes stringent data processing requirements. These requirements exceed those of the Health Insurance Portability and Accountability Act and its implementing regulations, as amended (“HIPAA”). Healthcare entities and providers must understand the key provisions and compliance obligations included in the Act to navigate this evolving regulatory landscape effectively.
Broad Scope and Applicability
NYHIPA applies to “regulated entities” as defined by the Act, consisting of a wide range of entities beyond traditional healthcare providers. Pursuant to NYHIPA, “regulated entities” include any entity that:
- Controls the processing of “regulated health information” (“RHI”) of an individual who is a New York resident;
- Controls the processing of RHI of an individual who is physically present in New York; or
- Is located in New York and controls the processing of RHI.
Similar to Washington’s My Health My Data Act, NYHIPA applies to regulated entities of all sizes, regardless of revenue, processing thresholds, or presence in New York.
Enforcement and Penalties
The New York Attorney General is tasked with enforcing NYHIPA. Potential penalties for noncompliance include:
- Civil fines up to $15,000 per violation or 20% of revenue derived from New York consumers in the preceding fiscal year, whichever is greater.
- Restitution and disgorgement of profits obtained through unlawful data processing.
Any action brought by the New York Attorney General must commence within 6 years of the date on which the New York Attorney General becomes aware of the violation.
Definition of Regulated Health Information
Unlike HIPAA, which applies primarily to protected health information (“PHI”) managed by healthcare providers and insurers, RHI under NYHIPA casts a wider net over consumer health data. Specifically, NYHIPA defines RHI as any data reasonably linkable to an individual or a device and which is collected or processed in connection with the physical or mental health of an individual. This includes location, payment information, and inferences about an individual’s physical or mental health status.
Restrictions on Selling or Processing Regulated Health Information
NYHIPA explicitly prohibits regulated entities from: (1) sharing RHI with a third party for monetary or valuable consideration, or (2) processing an individual’s RHI, which includes, without limitation, the collection, use, access, sharing, sale, monetization, analysis, retention, creation, generation, derivation, recording, organization, structuring, storage, disclosure, transmission, disposal, licensing, destruction, deletion, modification, or deidentification of RHI; unless the processing is “strictly necessary” for a permissible purpose or the regulated entity obtains a “valid authorization.”
- Permissible purposes include satisfying an individual’s request for a specific product or service; conducting the regulated entity’s internal business operations; protecting against malicious, fraudulent, or illegal activity; detecting, responding to, or preventing security incidents or threats; protecting the vital interests of an individual; investigating, establishing, exercising, preparing for, or defending legal claims; or complying with the regulated entity’s legal obligations.
- Activities related to marketing, advertising, research and development, or providing products or services to third parties are specifically excluded from permissible purposes.
- Any use that is not strictly necessary for a permissible purpose requires a valid authorization from the individual to process the RHI, which authorization must meet rigorous standards, as further described below.
Exceptions
A regulated entity is not prohibited from sharing RHI with a third party, for monetary or other valuable consideration, where the RHI constitutes an asset of the regulated entity that is engaging in a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the regulated entity’s assets.
In addition, the restrictions do not apply to the following:
- RHI processed by local, state or federal governments, and municipal corporations;
- PHI collected by a covered entity or business associate governed by HIPAA and the Health Information Technology for Economic and Clinical Health Act (“HITECH”);
- Information managed by covered entities under HIPAA and HITECH to the extent the covered entity maintains patient information in the same manner as PHI; and
- Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule.
Valid Authorization Requirements
NYHIPA sets forth granular requirements with respect to valid authorization. Specifically:
- Valid authorizations must contain:
  - the types of RHI to be processed;
  - the nature of the processing activity;
  - the purposes for such processing;
  - the names or categories of third parties to which the regulated entity may disclose the individual’s RHI and the purposes for such disclosure;
  - any monetary or other valuable consideration the regulated entity may receive in connection with processing the individual’s RHI;
  - assurance that failure to provide authorization will not affect the individual’s experience of using the regulated entity’s products or services;
  - the expiration date of the authorization (which may be up to one year from the date authorization was provided);
  - the mechanism by which the individual may revoke authorization prior to expiration;
  - the mechanism by which the individual may request access to and deletion of their RHI;
  - any other information material to an individual’s decision-making regarding authorization for processing; and
  - the signature (which may be electronic) of the individual who is the subject of the RHI, or of a parent or guardian authorized by law to take actions of legal consequence on behalf of that individual, and the date.
- A request for valid authorization must:
  - be made separately from any other transaction or part of a transaction;
  - be made at least 24 hours after an individual creates an account or first uses the requested product or service;
  - be made in the absence of any mechanism that has the purpose or substantial effect of obscuring, subverting, or impairing an individual’s decision-making regarding authorization or processing;
  - if requesting authorization for multiple categories of processing, allow the individual to provide or withhold authorization separately for each category of processing activity; and
  - not include any request for authorization for a processing activity for which an individual has withheld or revoked authorization within the past calendar year.
- Consumers must be able to revoke consent at any time, requiring businesses to cease processing activities immediately upon revocation, with limited exceptions.
- If the regulated entity materially alters the processing activities for RHI collected pursuant to a valid authorization, it must obtain new authorization for the new or altered processing activity.
- Providing a product or service requested by an individual must not be made contingent on providing authorization.
- The regulated entity must not discriminate against an individual for withholding authorization, such as by charging different prices or rates for products or services (including through the use of discounts or other benefits), imposing penalties, or providing a different level or quality of services or goods to the individual.
Consumer Rights and Transparency Obligations
NYHIPA grants consumers extensive rights over their RHI, including:
- Right to Access and Deletion – Individuals can request access to their RHI and demand its deletion through an effective, efficient and easy-to-use mechanism made available by the regulated entity. Within 30 days of receiving a request for deletion, a regulated entity must delete all RHI associated with the individual, except in very limited situations.
- Clear Privacy Disclosures – Businesses must provide conspicuous notices detailing how health data is collected, processed, and shared.
Contracts with Service Providers
NYHIPA also requires that any processing of RHI by a service provider on behalf of a regulated entity be governed by a written, binding agreement. That agreement must clearly set forth the instructions for processing RHI, the nature and purpose of the processing, the duration of processing, and the rights and obligations of both parties, and must address certain other contractual requirements, including mutual confidentiality responsibilities, compliance assessments and fulfillment of individuals’ data rights.
Conclusion
If signed into law, NYHIPA’s stringent authorization requirements and broad applicability are poised to create significant challenges for businesses serving New York consumers. Organizations should anticipate increased compliance costs to align systems with technical mandates, operational complexities in validating authorizations with third parties, and ongoing uncertainty regarding the law’s security requirements. Should NYHIPA become law, New York may issue additional regulations to clarify compliance obligations and enforcement expectations.
In the meantime, our law firm is closely monitoring NYHIPA and other state-level health privacy legislation. For the latest updates and insights, stay connected with our firm. If you have questions about NYHIPA’s potential impact on your organization, please contact our team at Frier Levitt.