The New York Health Information Privacy Act (HIPA) could soon become law in New York state, with wide-ranging implications for businesses handling and selling consumer health data. If your business handles health or wellness data of New York residents or other personal information regulated by the New York HIPA, now is the time to explore your obligations before it is signed into law.
This post will examine this proposed new legislation in depth. We'll explore how it affects consumers and businesses in the health and wellness sector and examine how your business can comply.
- 1. What Is the New York Health Information Privacy Act (HIPA)?
- 1.1. Defining Regulated Health Information (RHI)
- 1.2. Restrictions on the Sale and Processing of RHI
- 1.3. Authorization and Revocation Requirements
- 2. When Does the New York Health Information Privacy Act (HIPA) Take Effect?
- 3. Who Does the New York Health Information Privacy Act (HIPA) Apply to?
- 3.1. How the Act defines data processing
- 3.2. How Consumer Location Affects Businesses
- 3.3. Business Location Matters
- 4. What Does the New York Health Information Privacy Act (HIPA) Require?
- 5. How to Comply With the New York Health Information Privacy Act (HIPA)
- 5.1. Conduct a Comprehensive Data Audit
- 5.2. Obtain Valid Authorization
- 5.3. Make Revocation of Authorization Easy
- 5.4. Make it Easy to Delete the RHI you Hold
- 5.5. Give Customers Access to Their RHI
- 5.6. Develop Safeguards to Protect Health Information
- 6. Penalties for Not Complying With the New York Health Information Privacy Act (HIPA)
- 7. Summary
What Is the New York Health Information Privacy Act (HIPA)?
The New York Health Information Privacy Act (HIPA) is a proposed state-level data privacy law. If enacted, it will regulate consumers' rights and businesses' obligations regarding health data in New York state. It is similar to the Washington My Health, My Data Act (WMHMDA), signed into law in 2023, but goes even further.
On January 22, 2025, New York lawmakers passed the New York Health Information Privacy Act (HIPA). It is now on the desk of New York Governor Kathy Hochul, who has the power to request amendments, veto the bill, or sign it into law.
It will be one of the country's most stringent health privacy laws if signed into law unchanged. The requirements of NY HIPA work with and, at times, go beyond those of current federal regulations, including the Health Insurance Portability and Accountability Act (HIPAA).
As the excerpt below from the New York Senate Bill S929 shows, the purpose of the New York Health Information Privacy Act is twofold:
- Regulate companies collecting and selling healthcare information
- Enhance consumers' rights on how their private health information is used
Let's first explore the type of data the Act regulates.
Defining Regulated Health Information (RHI)
Under the proposed New York HIPA, Section 1120 (C) 2, regulated health information (RHI) includes far more than an individual's medical records.
As the excerpt below shows, it means "any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of the individual."
The Act stops short of regulating deidentified information. However, if you're in the business of deidentifying regulated health information, its regulations would apply to you.
Restrictions on the Sale and Processing of RHI
As seen below, the NY HIPA would make processing or selling a person's regulated health information illegal unless one of two conditions is met:
- Consent: In the Act, consent is called "valid authorization." This means the individual must fully understand how their health data will be used and have the opportunity to give or refuse consent.
- Strict necessity: This means the organization must only process health data that is essential to perform a service or provide a product the user has requested. There are a few other exceptions (§ 1122.II.B-G in the excerpt below) that we will review later.
Authorization and Revocation Requirements
If the NY HIPA becomes law, it will require businesses to obtain clear, informed consent before processing or selling health data. However, the law would require businesses to do more than simply ask for permission to process and sell health data.
As seen below, for an authorization to be valid, it would have to fulfill 11 criteria, including:
- Type of RHI being processed
- How and why it will be processed
- Which third parties you would share the person's RHI with
- Whether you would receive money or other benefits for processing it
- That refusing consent would not affect a user's access to your services
- How long consent would last (up to one year)
- How to revoke consent, access or delete data, and any other information the user needs to know
Even though authorization, or consent, is provided for one year, users can revoke (cancel) their consent at any time. At that point, the organization must immediately stop processing the user's RHI unless required by law to do so.
The organization must make it clear to the user how they can revoke authorization at any time. While they are processing the user's RHI, they must put robust security measures in place to protect the data from misuse or unauthorized access.
When Does the New York Health Information Privacy Act (HIPA) Take Effect?
Although the NY HIPA has passed the New York State Senate and Assembly, it has not yet been signed into law. For the proposed Act to become law, it would have to be signed into law by New York Governor Kathy Hochul.
Currently, it is unclear whether Governor Hochul will sign the bill into law as it stands, amend it, or refuse to sign it (veto it). If Governor Hochul does sign it, it will go into effect one year later. This will allow time for affected businesses to adjust their data processing policies and implement other required compliance measures.
Who Does the New York Health Information Privacy Act (HIPA) Apply to?
The Act would impact any organization that controls the processing of regulated health information (RHI), regardless of its size. In this sense, a controller is a business or non-profit responsible for determining how and why regulated health information is collected and processed.
As seen in the snippet below from the Act, organizations that control health data processing are called "regulated entities." This would include any organization that falls into one of three categories:
- Controls the processing of the RHI of New York residents
- Controls the processing of the RHI of visitors to New York while they are physically in New York
- Operates in New York and controls the processing of RHI
How the Act defines data processing
The Act's definition of data processing is wide-ranging, as the excerpt below shows. Processing of RHI would include:
- Using
- Accessing
- Selling
- Sharing
- Analyzing
- Storing
- Transmitting, and more
This broad definition means that the New York HIPA would impact more than just traditional healthcare providers. It would affect any organization handling health data that could be linked to an individual or a device.
While the data it could include is still not clearly defined, it may include:
- Wellness tracking by health apps
- Biometric data
- Online searches for medical conditions
- Location and payment details of health-related transactions
If this is the case, many businesses, including those not specifically in the healthcare or wellness sectors, could be affected. It could even impact credit card processors and device manufacturers.
How Consumer Location Affects Businesses
It is normal for state data privacy acts to protect residents. However, the provision to control "the processing of regulated health information of an individual who is physically present in New York while that individual is in New York" means far more businesses will be affected.
Consider a Jersey City resident who commutes to work in Manhattan every day and shares health data with a company in another state via an app. While the user is physically located in New York, the organization would have to comply with NY HIPA, even if it has no other connection with the state.
This raises questions about how the company knows its users are in New York state. To comply, companies may need to begin collecting location information from all users. This could raise further issues around consent for location data. It remains to be seen how this will work if the Act becomes law.
Business Location Matters
Finally, if your business is located in New York state and processes RHI, it would definitely be affected by the Act. It would not matter where in the world the user was located; your business would have to comply with NY HIPA requirements.
What Does the New York Health Information Privacy Act (HIPA) Require?
A business regulated by the NY HIPA must comply with several key requirements, including:
- Only obtaining and processing health data that is strictly necessary to provide a product or service to a customer who has asked for it
- Obtaining valid authorization before they process or sell RHI
- Providing clear consent forms that outline the RHI it will collect and exactly how it will use it
- Letting customers easily withdraw consent
- Stopping processing RHI immediately when a customer withdraws consent
- Not selling RHI without explicit consent
- Implementing "reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of" customers' RHI
- Processing data only for specific, lawful purposes
- Communicating changes to processing activities to customers and giving them an opportunity to withdraw consent
How to Comply With the New York Health Information Privacy Act (HIPA)
If the HIPA becomes law, we can expect the New York Attorney General to put in place new rules and regulations to clarify what businesses must do to comply. Based on the Act's current provisions, here are some steps businesses will need to implement.
Conduct a Comprehensive Data Audit
Each affected business would have to undertake a thorough audit of the regulated health information it currently collects and processes. It must make sure the data it collects and the purposes it uses it for can be defined as "strictly necessary."
The Act defines conducting a business's internal operations as strictly necessary. However, as shown below, the HIPA forbids the use of RHI for the following purposes:
- Marketing
- Advertising
- Research and development
- Providing products or services to third parties
However, processing of RHI is strictly necessary in situations outlined in the excerpt below. These include:
- Providing requested products or services
- Protecting against fraud or other illegal activity
- Complying with other legal obligations
Therefore, your business would have to ensure that it has solid grounds for collecting and processing the RHI it wants to use and that robust processes are in place for obtaining and revoking authorization.
Obtain Valid Authorization
Under the NY HIPA, if you are not collecting information that is "strictly necessary," you would have to obtain "valid authorization" from consumers before collecting and processing their health data.
Some data privacy acts require companies to use "clickwrap," a way of obtaining consent by asking a customer to click "I Accept" to agree to the terms of the Privacy Policy or other relevant conditions. However, as seen below, the NY HIPA goes further with two unique requirements:
- Authorization must be obtained separately from any other transaction, AND
- The authorization request must be made a minimum of 24 hours after the customer creates an account or requests a service
This would effectively stop businesses from offering any products or services involving regulated health information to their customers in the first 24 hours of their initial request.
Businesses will need to configure their consent requests very carefully. Some more requirements you must include are as follows:
- Allowing customers to provide or withhold authorization for each activity
- Not asking customers a second time about activities they have already refused consent for within the last year
- Ensuring the customer's decision-making is not obscured, subverted, or impaired, meaning that every effort is made to make the process as transparent and easy to follow as possible
- Explaining exactly how you will use RHI, and any compensation you would receive for selling it
Your business would need to set up systems to do more than just track authorizations. They must also go into the granular detail mentioned above and be careful not to ask the same question twice in one year. This will require careful planning to implement.
You must also plan to give your customers a copy of their authorization in a format they can keep (see below). If they have an account with you, the processing activities they have authorized must be displayed prominently within the account settings.
If the Act becomes law, the authorization to use RHI will only last for one year. After that, you will have to repeat the process of getting consent before continuing to process a customer's RHI.
Make Revocation of Authorization Easy
On the platform your users use to connect with your business, you would need to create an easy way for them to withdraw authorization to use their RHI. Customers have the right to do this at any time.
Once the user withdraws consent, the company must stop processing the user's health information unless required to continue by other laws (see below).
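The authorization and revocation rules above (ask no sooner than 24 hours after sign-up, per-activity decisions, no re-asking within a year of a refusal, one-year expiry, immediate effect of revocation, and a legal-obligation carve-out) translate into timing checks a consent system has to enforce. The following Python is an added illustration of one such design, not code from the post or the Act; the ledger class, the activity name "share_with_partner", and the constructed timeline are all assumptions.

```python
from datetime import datetime, timedelta

# Timing rules from the post: ask no sooner than 24 hours after sign-up,
# a grant lasts at most one year, and a refusal is not re-asked within a year.
MIN_DELAY_AFTER_SIGNUP = timedelta(hours=24)
AUTHORIZATION_TERM = timedelta(days=365)

class AuthorizationLedger:
    """Per-user, per-activity RHI decisions (hypothetical design, not the Act's text)."""

    def __init__(self):
        self._decisions = {}  # (user_id, activity) -> (granted: bool, decided_at)

    def may_request(self, user_id, activity, account_created, now):
        """Whether a consent request for one activity may be shown now, with a reason."""
        if now - account_created < MIN_DELAY_AFTER_SIGNUP:
            return False, "fewer than 24 hours since account creation"
        prior = self._decisions.get((user_id, activity))
        if prior and not prior[0] and now - prior[1] < AUTHORIZATION_TERM:
            return False, "refused or revoked within the last year; do not ask again"
        return True, "ok"

    def record(self, user_id, activity, granted, now):
        # Each activity gets its own decision; a grant covers only that activity.
        self._decisions[(user_id, activity)] = (granted, now)

    def revoke(self, user_id, activity, now):
        # Takes effect immediately; processing checks fail from this moment on.
        self._decisions[(user_id, activity)] = (False, now)

    def may_process(self, user_id, activity, now, legally_required=False):
        """True only while a grant for this activity is current (or the law requires it)."""
        if legally_required:
            return True
        d = self._decisions.get((user_id, activity))
        return bool(d and d[0] and now - d[1] < AUTHORIZATION_TERM)

def demo():
    """Constructed timeline: sign-up, too-early ask, grant, expiry, revocation, re-ask."""
    ledger, signup, act = AuthorizationLedger(), datetime(2026, 1, 1, 9, 0), "share_with_partner"
    too_early = ledger.may_request("u1", act, signup, signup + timedelta(hours=2))[0]
    asked = signup + timedelta(hours=25)
    ledger.record("u1", act, True, asked)
    active = ledger.may_process("u1", act, asked + timedelta(days=30))
    expired = ledger.may_process("u1", act, asked + timedelta(days=366))
    ledger.revoke("u1", act, asked + timedelta(days=31))
    after_revoke = ledger.may_process("u1", act, asked + timedelta(days=32))
    reask = ledger.may_request("u1", act, signup, asked + timedelta(days=40))[0]
    return dict(too_early=too_early, active=active, expired=expired, after_revoke=after_revoke, reask=reask)
```

Every decision is keyed by activity, so a grant for one purpose never authorizes another, and `may_process` is the single gate every processing path should call.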
Make it Easy to Delete the RHI you Hold
As we see below, your business would also need to set up a simple system for customers to ask you to delete their RHI. This must be on an interface the customer regularly uses.
Also, if the customer decides to delete their account with you, you must interpret this as a request to delete their health data.
Give Customers Access to Their RHI
The NY HIPA would give customers the right to access the RHI businesses hold about them. As shown in the excerpt below, each business must:
- Set up a user-friendly mechanism for customers to request access to their RHI
- Provide the customer with the information within 30 days of receiving the access request
If a third party handles your data processing, you would also need to ensure it complies with requirements around consent, revoking authorization, and deleting RHI.
Develop Safeguards to Protect Health Information
The Act would require businesses to put reasonable safeguards in place to "protect the security, confidentiality, and integrity" of customers' RHI. The following are examples of the types of safeguards your business could consider putting in place:
- Administrative safeguards: Security management processes, staff training, and contingency plans to respond to lost data emergencies.
- Physical safeguards: Locks, alarms, and privacy filters for computer monitors.
- Technical safeguards: Access controls, audit protocols, and transmission security measures.
These measures are particularly important in light of the requirement to provide RHI on request and delete data. Your business would need to consider how to verify who was making the request.
Under the terms of the act, users can authorize a third party to collect data on their behalf. Without robust controls, there would be a possibility that malicious actors could exploit the users' access rights to fraudulently obtain confidential health information.
Penalties for Not Complying With the New York Health Information Privacy Act (HIPA)
Under the terms of NY HIPA, individuals would not have the right to take legal action against an organization that breaks this law. However, as shown below, the New York Attorney General has the power to impose a fine of the greater of $15,000 or 20% of the revenue the company earned from New York customers in the last fiscal year.
Summary
The New York Health Information Privacy Act (HIPA) would be a game-changer for many businesses operating in or handling the health data of New York visitors and residents. As its definition of regulated health information is broad, it could affect many businesses beyond those operating in the health and wellness industry.
If passed, affected companies in New York and beyond will be required to review their data collection practices and establish safeguards to meet the law's strict requirements. All affected businesses would need to implement robust measures for obtaining authorization from customers before collecting, using, or selling their regulated health information.