The New York State legislature passed the Health Information Privacy Act (“NYHIPA”) on January 22, 2025, making New York the second state to pass a comprehensive consumer health data law. If signed into law, NYHIPA will impose stringent obligations on organizations that handle “regulated health information” (“RHI”). You’ve got questions – we’ve got answers.
How is “regulated health information” defined?
RHI is defined broadly to include health data that is linkable to an individual or a device. Notably, NYHIPA also expressly includes location, payment information, and inferences related to or derived from health data.
What entities does NYHIPA apply to?
NYHIPA reaches well beyond entities located in New York. It will apply to (1) entities that control the processing of RHI of New York residents, (2) entities that control “the processing of [RHI] of an individual who is physically present in New York while that individual is in New York” (i.e., visitors), and (3) businesses located in New York that control the processing of RHI.
What are some of the big ticket requirements?
Entities subject to NYHIPA must:
- Not sell RHI to a third party.
- Obtain valid authorization before processing RHI, unless the processing is “strictly necessary” for certain enumerated purposes, such as providing a product or service the individual requested. Notably, NYHIPA also allows entities to process RHI in order to protect the “vital interests of an individual,” but it does not define “vital interests.”
- Allow individuals to revoke their authorization.
- Not condition the provision of a product or service on an individual’s authorization to process RHI.
- Provide a health privacy notice and separately provide any material updates to that notice.
- Offer individuals the right to access and delete their RHI.
- Provide reasonable security measures for RHI.
- Enter into agreements with service providers that contain certain requirements, including permitting compliance audits of the service provider by the regulated entity.
Are there exemptions?
Yes, but only a few: (1) information processed by federal, state, or local governments; (2) protected health information (“PHI”) subject to HIPAA; (3) covered entities subject to HIPAA; and (4) information collected as part of a clinical trial. Notably, HIPAA business associates and entities subject to GLBA are not categorically exempt from NYHIPA.
What about enforcement?
The New York Attorney General can enforce NYHIPA against persons within or outside the state, and can act preemptively to stop a violation before it occurs (“whenever it appears to the attorney general, either upon complaint or otherwise, that any person or persons, within or outside the state, has engaged in or is about to engage in any of the acts or practices stated to be unlawful under this article”). Penalties can reach $15,000 per violation or 20% “of the revenue obtained from New York consumers within the past fiscal year.” There is no private right of action.
When does the law go into effect?
NYHIPA will become effective one year after it is signed by the Governor.