New York’s health data privacy bill would make state toughest in nation
![Kathy Hochul](https://statescoop.com/wp-content/uploads/sites/6/2023/03/GettyImages-1241352368-1.jpg?w=988)
Last month, New York state lawmakers passed the New York Health Information Privacy Act, or HIPA, and if Gov. Kathy Hochul signs the bill, it will make New York the toughest state on health data privacy.
New York’s HIPA would offer protections to “regulated health information,” much like Washington’s My Health, My Data Act; with that law, Washington in 2023 became the first state to codify protections for consumer health data.
But New York’s bill leaves out a private right of action, the right of residents to file lawsuits against organizations that violate the law. It would cover all New York residents regardless of where they’re located, and anyone physically present in New York, compared to other state privacy laws that only extend protections to residents. New York’s law would also regulate all businesses operating in the state or that process the data of New York residents.
Ron De Jesus, a field chief privacy officer at Transcend, said this subversion of state boundaries would make New York’s law “unique” and one of the most strict state privacy laws to date.
New York’s HIPA defines protected information as “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual.” This definition is broader than those in other health-data laws, such as those on the books in Connecticut and Nevada, which use narrower definitions that do not differentiate between physical health data and mental health data.
The bill is under review by the governor, a spokeswoman for the governor told the Times Union. It would go into effect one year after the signing date.
HIPA would also include a list of rights for individuals to access and delete their health information, and mandatory data retention and deletion schedules for companies that possess health data covered by the law.
However, the bill’s definition excludes information already protected by, and entities (such as health care facilities) already governed by, the federal Health Information Portability and Accountability Act, or HIPAA.
HIPA also prohibits businesses from selling regulated health information to third parties. Certain businesses under the bill may be allowed to process or use certain health information, but only if they receive authorization from individuals, or if the information is being processed for a purpose allowed under the bill, like providing a product or service requested by the individual or protecting against security threats.
While HIPA’s expansive definitions and prohibitions make it tough, De Jesus said it’s the measure’s application to New Yorkers regardless of their physical locations, and to anyone in the state, regardless of their residential status, that makes it a standout.
“It is incredibly onerous, and broadly applicable,” he said. “For example, the fact that it applies to literally any company that has the regulated health information of either someone that is physically in New York or a New York resident is so incredibly unique. And one of the examples that I find really interesting is that, if I’m a New York resident, but I’m perhaps going to university in Texas, that Texas institution will likely have to protect my regulated health information in accordance with the New York law.”
This unbounded applicability, De Jesus said, will likely result in HIPA facing an uphill battle with private industry. It grants enforcement authority to the state’s attorney general, who may impose a fine of up to $15,000 per violation, or recoup 20% of revenue obtained from New York consumers within the past fiscal year, whichever is greater.
It would also grant the state attorney general rulemaking authority, which could allow the office to impose additional compliance requirements.
“This broad sweeping applicability and scope is really worrying privacy professionals, because now we have to not only assess whether or not we’re under the remit of the law, but we’re also having to perhaps now identify New York residents and which state they might be, and it’s just incredibly onerous,” De Jesus said. “Not only from a legal compliance perspective, but if you think about it from a pragmatic, technical perspective as well.”