New York's Health Information Privacy Act Aims to Strictly Regulate Consumer Health Data

Alert
February 4, 2025

On January 22, 2025, the New York State Assembly and Senate rapidly passed the wide-ranging New York Health Information Privacy Act (“NY HIPA”). If not vetoed by Governor Kathy Hochul, NY HIPA would be the fourth enacted state consumer health data privacy law, following the Washington My Health My Data Act, Nevada SB 370 and the Connecticut Data Privacy Act, and would have a significant impact on both consumers and users of health data in New York.

NY HIPA seeks to impose more stringent regulation of consumer health care data given the increased monetization of consumer data, the prevalence of online tracking technologies, and concerns arising from the Dobbs v. Jackson Women’s Health Organization decision that information stored or obtained digitally can be used to prosecute individuals who seek abortions.[1] In particular, NY HIPA’s broad application to various entities and vast amounts of data, as well as its restrictions on how consumer health data may be collected, used, disclosed and sold, attempt to address and mitigate those concerns.

Additionally, similar to the other state consumer health data privacy laws, the stated justification for the passage of NY HIPA is to close the “enforcement gap” for entities, such as consumer and digital health companies, medical device companies, and pharmaceutical and life science companies, that collect consumer health data in non-traditional health care contexts (e.g., via mobile applications, wearable devices, online tracking technologies) and that are not otherwise regulated under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended (“HIPAA”). In doing so, NY HIPA would require either (1) a designated, strictly necessary purpose, or (2) prior written consent for regulated entities to collect, use, disclose or sell an individual’s health data, as well as impose transparency requirements on how such data are collected and processed by regulated entities, thereby granting individuals greater control over their health data.

This Alert provides a detailed summary of NY HIPA and describes how it would impose onerous compliance requirements on entities of all sizes that collect a broad amount of health data. If signed into law, NY HIPA is positioned to be among the most extensive consumer health data privacy laws in the country. NY HIPA would be effective one year after becoming law, and the Office of the New York Attorney General may promulgate regulations prior to such effective date.

1. Scope of NY HIPA

Regulated Entities

NY HIPA would apply to “regulated entities” that collect or process “regulated health information” in New York or about New York residents. A “regulated entity” is defined as an entity that:

  • Controls the processing of regulated health information of an individual who is a New York resident;
  • Controls the processing of regulated health information of an individual who is physically present in New York while that individual is in New York; or
  • Is located in New York and controls the processing of regulated health information.

Service providers may also be considered regulated entities in certain contexts.

Importantly, as in the Washington My Health My Data Act and Nevada SB 370, NY HIPA would apply to regulated entities of all sizes, irrespective of revenue or processing thresholds, for-profit status or physical presence in the state. This coverage is distinct from most state consumer data privacy laws, which generally have jurisdictional, revenue and processing thresholds as well as for-profit status requirements.

Regulated Health Information

NY HIPA would regulate “regulated health information,” defined as:  

  • Any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual.
  • Location or payment information that relates to an individual’s physical or mental health or any inference drawn or derived about an individual’s physical or mental health that is reasonably linkable to an individual, or a device.

This definition is extremely broad and would presumably include internet browsing data, internet search or purchase histories, data collected via online tracking technologies, wellness habits and reproductive health information. 

Exemptions

NY HIPA contains the following limited exemptions:

  • Information processed by local, state and federal governments and municipal corporations;
  • Protected health information (“PHI”) collected by a HIPAA covered entity or business associate;
  • HIPAA covered entities, to the extent that such entities maintain patient information in the same manner as PHI;
  • Information collected as part of a clinical trial subject to the Common Rule, the Good Clinical Practice Guidelines issued by the International Council for Harmonization or the FDA regulations on human subjects research; and
  • De-identified information, provided that a regulated entity or its service provider (i) implements reasonable technical safeguards to ensure that the information cannot be associated with an individual, household or device; (ii) publicly commits to process the information only as de-identified; (iii) does not attempt to re-identify the information; and (iv) contractually obligates recipients of the de-identified information to comply with these requirements.

Of note, unlike other state consumer data privacy laws, NY HIPA does not exempt public data, information regulated by the Gramm-Leach-Bliley Act, or financial or payment-related entities.

2. Strictly Necessary Processing and Limited Exemptions

In accordance with the principle of data minimization inherent in many state consumer data privacy laws, NY HIPA would permit regulated entities to process regulated health information without authorization only if the processing is directly relevant to, and needed to achieve, a specific, enumerated purpose; otherwise, regulated entities would have to obtain an individual’s authorization prior to such collection and/or processing. Such purposes include:

  • Providing or maintaining a requested product or service;
  • Conducting the regulated entity’s internal business operations;
  • Protecting against malicious, fraudulent or illegal activities;
  • Detecting, responding to or preventing security incidents or threats;
  • Protecting the vital interests of an individual;
  • Investigating, establishing, exercising, preparing for or defending legal claims; or
  • Complying with legal obligations.

To be clear, NY HIPA explicitly makes it unlawful to collect, use, disclose or sell regulated health information for marketing, advertising, research and development, or providing products or services to third parties without first obtaining the individual’s authorization.

3. Stringent and Burdensome Authorization Requirements

NY HIPA’s authorization requirements starkly differ from the opt-in consent requirements provided in other state consumer data privacy laws. Clicking a simple “I accept” button after reading a privacy policy would not be sufficient for compliance. Instead, the authorization would be a standalone document and appears to draw from certain authorization requirements set forth under HIPAA and the notice at collection requirements set forth under the California Consumer Privacy Act (“CCPA”). Specifically, NY HIPA requires that the authorization include:

  • The types of regulated health information to be processed;
  • The nature of the processing activity;
  • The purpose of processing;
  • The names or categories of service providers or third parties with which customer information may be shared;
  • A general disclaimer stating that failure to provide authorization will not interfere with a consumer’s experience of using the regulated entity’s products or services;
  • Any monetary or other valuable consideration a regulated entity may receive in connection with such processing;
  • An expiration date of the authorization;
  • The mechanism by which a consumer may revoke authorization;
  • The mechanism by which the individual may request access to and deletion of their regulated health information;
  • Any other information material to an individual’s decision-making regarding authorization for processing; and
  • The signature (including an electronic signature) of the individual, or their parent or guardian if authorized by law.

Additionally, NY HIPA prescribes certain procedural requirements that regulated entities must follow with respect to the authorization. In particular, regulated entities may only request that an individual fill out the authorization if the request:

  • Is separate from any other transaction, and is not made as part of a transaction;
  • Is made at least 24 hours after an individual creates an account or first uses the requested product or service;
  • Is provided without any mechanism that has the purpose or substantial effect of obscuring, subverting or impairing an individual’s decision-making regarding such authorization;
  • Allows the individual to provide or withhold authorization for each category of processing activity, if the requested authorization is for multiple categories of processing activities; and
  • Does not include any request for authorization for a processing activity for which an individual has withheld or revoked authorization within the past year.

Further, in an effort to promote transparency and individual rights, NY HIPA surpasses the requirements of other state consumer data privacy laws by requiring that regulated entities conspicuously provide, in an individual’s online account settings, a list of all processing activities the individual has authorized and, for each processing activity, permit the individual to revoke the authorization with one motion or action. This would require regulated entities to implement back-end mechanisms that continuously update the list as needed and immediately cease all processing activities for which the authorization was revoked (except to the extent necessary to comply with legal obligations).

4. Privacy Notice

NY HIPA’s privacy notice requirements largely track those set forth under other state consumer data privacy laws and do not require additional, state-specific disclosures. Specifically, regulated entities would be required to provide individuals notice that describes the following:

  • The types of regulated health information to be processed;
  • The nature of the processing activity;
  • The specific purposes for such processing;
  • The names, where readily available, or categories of service providers and third parties to which the regulated entity may disclose the regulated health information and the purposes for such disclosure, including the circumstances under which the regulated entity may disclose regulated health information to law enforcement; and
  • The mechanism by which individuals may request access to and deletion of their regulated health information.

However, in a deviation from the general privacy notice requirements of other state consumer data privacy laws, if the regulated entity materially alters the way it processes regulated health information collected pursuant to a permissible purpose, it must provide a notice—separate from a privacy policy or terms of use—that describes such changes and allows individuals to request deletion of their regulated health information.

5. Individual Rights

Regulated entities would be required to honor individuals’ rights to request access to and delete their regulated health information, subject to certain limited exceptions. Such requests would be required to be made through an “effective, efficient, and easy-to-use mechanism through an interface the individual regularly uses in connection with the regulated entity’s product or service.” However, NY HIPA does not provide clarification as to what such mechanism entails and whether and to what extent identity verification is required prior to honoring such individual rights requests. NY HIPA does not expressly provide a private right of action to sue for violations of the law.

6. Security Safeguards and Data Retention Schedule

Consistent with other state consumer data privacy laws, regulated entities would be required to develop and implement reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of regulated health information; however, NY HIPA does not specify the nature and scope of such safeguards. Moreover, regulated entities would have to create a publicly available retention schedule and, in accordance with that schedule, securely dispose of regulated health information within 60 days after it is no longer needed for the purpose for which it was collected.

7. Contracts with Service Providers

Much like business associate agreements under HIPAA, regulated entities would be required to enter into agreements with service providers, which must include certain required provisions limiting the actions the service provider may take with respect to the processing of regulated health information. Specifically, the agreements must require that the service provider:

  • Ensure that each person processing regulated health information is subject to a duty of confidentiality with respect to such information;
  • Protect regulated health information in a manner consistent with the requirements of NY HIPA;
  • Only process regulated health information when and to the extent necessary to comply with its obligations to the regulated entity;
  • Not combine the regulated health information which the service provider receives from or on behalf of the regulated entity with any other personal information that the service provider receives from or on behalf of another party or collects from its own relationship with individuals;
  • Comply with any exercises of an individual’s rights upon the request of the regulated entity and notify any service providers or third parties to which it disclosed regulated health information of the request;
  • Delete or return all regulated health information to the regulated entity at the end of the provision of services, unless retention of the regulated health information is required by law;
  • Upon the reasonable request of the regulated entity, make available to the regulated entity all data in its possession necessary to demonstrate the service provider’s compliance with its obligations;
  • Allow and cooperate with reasonable assessments by the regulated entity or the regulated entity’s designated assessor for purposes of evaluating compliance with the obligations of NY HIPA. Alternatively, the service provider may arrange for a qualified and independent assessor to conduct an assessment of the service provider’s policies and technical and organizational measures in support of the obligations under NY HIPA using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The service provider would have to provide a report of such assessment to the regulated entity upon request;
  • Notify the regulated entity a reasonable time in advance before disclosing or transferring regulated health information to any further service providers, which may be in the form of a regularly updated list of further service providers that may access regulated health information; and
  • Engage any further service provider pursuant to a written, binding agreement that includes the contractual requirements provided in NY HIPA, containing at the minimum the same obligations that the service provider has entered into with regard to regulated health information.

8. Broad Investigatory and Enforcement Powers and Steep Civil Penalties

The Attorney General would be granted the authority to investigate known or suspected violations of NY HIPA and bring enforcement actions to (i) enjoin any violation of NY HIPA; (ii) obtain restitution of money or property obtained (directly or indirectly) by such violations; (iii) obtain disgorgement of any profits obtained (directly or indirectly) by such violations; and (iv) obtain civil penalties of the greater of $15,000 per violation or 20% of revenue obtained from New York consumers within the past fiscal year.

9. Implications and Recommended Next Steps

Consumer and digital health companies, medical device companies, and pharmaceutical and life science companies of all sizes that are not regulated, or not fully regulated, by HIPAA should assess whether they either do business in New York or target products or services to New York residents. If so, and if NY HIPA is signed into law, such companies would have to implement a compliance infrastructure to address NY HIPA’s robust requirements. At a minimum, these companies would have to do the following:

  • Create and implement mechanisms to obtain authorization and to allow individuals to revoke it.
  • Analyze online tracking technologies and cookie management tools to determine whether additional disclosure and consent mechanisms are required.
  • Assess first- and third-party marketing and advertising practices and obtain explicit authorization to use regulated health information for such purposes.
  • Continuously monitor and track authorizations and opt-outs to keep an up-to-date list of all processing activities the individual has authorized and make that list readily available to individuals.
  • Implement mechanisms to immediately cease all processing activities if authorization is revoked.
  • Create or update privacy notices.
  • Implement or revise consumer privacy right request processes.
  • Employ reasonable security practices, which may require considerable time and effort for those that are not already subject to HIPAA’s stringent security requirements.
  • Create a publicly accessible data retention policy.
  • Implement or update service provider agreements.

Ropes & Gray is tracking NY HIPA, including whether it will be vetoed by Governor Hochul. If you have any questions regarding NY HIPA, please do not hesitate to contact one of the authors or your Ropes & Gray advisor.

[1] In fact, the New York State Senate stated that NY HIPA “aims to further safeguard New Yorkers’ reproductive health and privacy.” The New York State Senate, New York State Senate Expands Reproductive Protections, Women’s Health, and Privacy (Jan. 21, 2025), https://www.nysenate.gov/newsroom/press-releases/2025/new-york-state-senate-expands-reproductive-protections-womens-health.