6 Things to Know About New York's Health Information Privacy Act


10 minute read | February 18, 2025

Earlier this year, the New York legislature passed the New York Health Information Privacy Act (New York HIPA), establishing strict requirements for handling health data. The legislation shares similarities with Washington’s My Health My Data Act (WA MHMD) and Nevada’s SB 370 (NV MHMD) but also presents unique challenges for companies in the health and wellness sector, especially regarding uses of “regulated health information” beyond certain strictly necessary purposes and requirements for service providers. While the Governor has not yet signed the Act and may even introduce changes to it, it is not too soon for regulated entities to become familiar with it and begin planning for the changes it will certainly require.

Here are six key things you need to know about New York HIPA:

  1. Who Is Regulated?

    New York HIPA applies to regulated entities, which are defined as any entity that:

    • Controls the processing of regulated health information of an individual who is a New York resident,
    • Controls the processing of regulated health information of an individual who is physically present in New York while that individual is in New York, or
    • Is located in New York and controls the processing of regulated health information.

    This extremely broad definition includes the processing of data of an individual who is merely a visitor to New York if the processing occurs while the individual is physically located there.

    There are also few entity-level exemptions. While governmental entities are exempt, nonprofits and small businesses are not. Additionally, there are no entity-level exemptions for business associates governed by the Health Insurance Portability and Accountability Act (HIPAA) or for entities governed by the Gramm-Leach-Bliley Act. Interestingly, a covered entity (but not a business associate) subject to HIPAA may be exempt on an entity level to the extent the covered entity maintains “patient information” in the same manner as PHI. The statute suggests that the Attorney General will promulgate regulations, and this HIPAA-covered entity exemption would benefit from additional explanation.

  2. What Data Is Covered?

    The law applies to “regulated health information”, which includes any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual. It also includes location or payment information, if it relates to an individual’s physical or mental health, or any inference about their physical or mental health that is reasonably linkable to an individual, or a device. De-identified information is excluded from the definition.

    Similar to WA MHMD, this broad definition means companies that do not traditionally consider themselves to be part of the healthcare sector may need to comply with the law, including wellness companies, advertisers, wearable device providers and nutrition companies.

    There are fewer data-level exemptions than under WA MHMD and NV MHMD: for example, there is no exemption for public data, research data, or data governed by the Gramm-Leach-Bliley Act.

    Notably, though, there is a data-level exemption for certain clinical trial information and for PHI collected by a covered entity or business associate subject to HIPAA.

  3. What Are the Obligations?

    Maintain a clear and conspicuous privacy notice

    Like WA MHMD and NV MHMD, NY HIPA requires regulated entities to publish a clear and conspicuous notice that describes processing activities, including the types of data to be processed, the nature of the processing, the purpose, the service providers (or categories of service providers) and the mechanism by which individual rights can be exercised.

    Lawful basis for collection and processing

    It is unlawful for regulated entities to process an individual’s regulated health information, unless:

    • The processing is strictly necessary to: (a) provide or maintain a specific product or service requested by the individual; (b) conduct internal business operations (excluding marketing, advertising, research and development, or provision of products or services to third parties); (c) protect against malicious, fraudulent, or illegal activity; (d) detect, respond to or prevent security incidents or threats; (e) protect the vital interests of an individual; (f) investigate, establish, exercise, prepare for or defend legal claims; or (g) comply with legal obligations. When relying on strict necessity, regulated entities must clearly post the processing activities in their public-facing website privacy notices. Just as with the authorization basis, regulated entities must notify individuals of any material changes to processing activities.

    OR

    • The individual has provided valid authorization in compliance with the law’s requirements:

      • Requesting authorization: The regulated entity must issue a request for authorization, which is made separately from any other transaction with the individual and at least 24 hours after an individual creates an account or first uses the requested product or service. Entities must make the request for authorization in the absence of any mechanism that could obscure or impair the individual’s decision-making (such as a dark pattern or design). If the entity is requesting authorization for multiple processing activities, authorization must be obtained separately for each category of processing activity. The regulated entity cannot seek authorization for a processing activity for which the individual has withheld or revoked authorization within the previous calendar year.
      • Obtaining a valid authorization: A copy of the authorization must be provided to the individual, and include the following information:

        1. The types of regulated health data to be processed
        2. The nature of the processing activity
        3. The specific purposes of the processing
        4. The names or categories of service providers and third parties to which the regulated health information may be disclosed and the purpose of disclosure, including the circumstances under which the regulated entity may disclose health information to law enforcement
        5. Any money or valuable consideration the regulated entity may receive in return for the processing
        6. A disclosure to the individual that there will be no adverse impact on the individual using the regulated entity’s products or services if they fail to provide authorization. Provision of the product or service cannot be made contingent on receipt of valid authorization, and the entity cannot discriminate on the basis of an individual’s refusal to authorize processing.
        7. An expiration date for the authorization (which can be up to one year after it is granted)
        8. The mechanism for revoking authorization
        9. The mechanism for exercising the individual’s right to access and delete their regulated health information
        10. Any other information material to the individual’s decision to authorize the processing
        11. The signature, which can be electronic, of the individual (or their parent or guardian) and the date.
      • Ability to revoke authorization: The regulated entity must provide an effective, efficient, and easy-to-use mechanism to revoke authorization at any time through an interface the individual regularly uses in relation to the entity’s product or service. Once a revocation is received, all processing activities must stop immediately except to the extent necessary to comply with legal obligations. If an individual has an online account with the entity, it must contain a list of all authorized processing activities, with the option to revoke the authorization “with one motion or action.”
      • Changes to the processing activities: Processing must be limited to the scope of the authorization. If the regulated entity materially alters the processing activities, further authorization must be obtained.
      • Posting of a Sample Authorization/Copies of Signed Authorizations: The regulated entity must provide the individual with a copy of the signed authorization. Additionally, regulated entities must publicly post a sample authorization on their websites.

    A special note regarding sales: As drafted, the law is not clear as to whether “sales” of protected health information (which excludes M&A, bankruptcy, and other business transactions) are prohibited, or whether provisions permitting processing with authorization and/or on the basis of strict necessity apply to sales as well. Further Attorney General guidance on this point would be welcome.

    Consumer requests

    Regulated entities must have easy-to-use mechanisms for individuals to submit privacy rights requests, which must be addressed within 30 days of receipt. Individuals have the right to request access to their regulated health information and its deletion. Notably, entities must treat a request to delete or cancel an online account as a request to delete the regulated health information. Consumers may exercise privacy requests via an authorized agent.

    Regulated entities must notify service providers and third parties of a request to delete unless such communication proves impossible or involves disproportionate effort and is documented as such in writing by the regulated entity. Service providers and third-party entities must delete all regulated health information associated with the individual in their possession or control within 30 days of receipt of notice from the regulated entity, except as necessary to comply with their legal obligations.

    Security measures

    Regulated entities must develop, implement and maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of regulated health information. They must also securely dispose of regulated health information under a publicly available retention schedule within a reasonable time (no later than 60 days after the conclusion of the specified processing activities). Unfortunately, there is no guidance provided on how regulated entities should verify individuals’ rights requests within the 30-day period for responding while also implementing measures to prevent fraudulent requests. The New York Office of the Attorney General (OAG) released guidance in 2023 to help businesses adopt effective security measures, which likely reflects the minimum security measures the OAG expects of companies under New York HIPA.

    Contracts with service providers

    Processing of regulated health information by service providers must be pursuant to a written, binding agreement, which sets forth the nature, purpose and duration of the processing, and the obligations of the parties. These include complying with the requirements of New York HIPA, limiting processing to only what is necessary to comply with the obligations to the regulated entity, not combining the regulated health information with any personal information obtained from other sources, complying with individual rights requests and complying with reasonable assessments by the regulated entity.

  4. How Is New York HIPA Enforced?

    The Attorney General will enforce the law by initiating actions or special proceedings, seeking restitution, disgorgement, civil penalties up to $15,000 per violation or 20% of revenue obtained from New York consumers within the previous fiscal year, and any other relief deemed proper.

  5. When Does New York HIPA Come Into Effect?

    New York HIPA will take effect one year after it is signed into law. The Attorney General can also make rules and regulations that are considered necessary to effectuate and enforce the law, so further guidance may be forthcoming.

  6. What Should Companies Do Now?

Companies should:

  1. Determine whether they are within the scope of the law: The definition of “regulated entity” is broad, and there are some key differences when compared with WA MHMD and NV MHMD. Therefore, companies should determine whether the New York HIPA applies to their activities.

  2. Identify whether they collect any “regulated health information”: Again, a broad range of data falls within this definition, so companies should check to determine applicability, given the much broader scope than traditional healthcare-focused regulatory regimes.

  3. Be ready to build or adjust compliance programs: Regulated entities will need to review their policies and procedures to determine if they need to implement new measures or adjust their current programs. This is particularly important because the New York HIPA is not identical to WA MHMD or NV MHMD, so even if companies already have a consumer health privacy program in place, some changes may need to be made.

  4. Be ready to pivot: While the law has passed the legislature, it has not yet been signed by the Governor. Companies should be aware that the law might change before it takes effect and be ready to make adjustments as needed.

Orrick’s Cyber, Privacy & Data Innovation Group helps clients review their state and federal compliance programs, assess the impact of legislative updates on their data processing activities and update their website disclosures and internal data flows in light of regulatory guidance and litigation trends. If you have any questions, please contact the authors (Thora Johnson, Alyssa Wolfington, and Anna Booth) or another Orrick team member.