Overview
Readers may recall that last year, New York attempted to enact a health privacy law that was ultimately vetoed by the governor. Now, New York is back with another attempt that, after some modification from last year’s version, stands a chance of being signed by Governor Kathy Hochul. Like Washington’s My Health My Data Act (MHMDA), New York’s Health Information Privacy Act (NYHIPA) regulates the collection and use of health-related data from consumers to the extent not already subject to the Health Insurance Portability and Accountability Act (HIPAA). Given the impact that MHMDA has had on consumer health companies, were NYHIPA to become law, its impact also would be felt far and wide.
If signed by Governor Hochul, NYHIPA would come into effect within six months – as early as December 2026. As a result, if your business collects and processes health information that is not subject to HIPAA or one of the other statutory exemptions, now is the time to take heed of NYHIPA and prepare for its implementation.
In Depth
Applicability
NYHIPA applies to any “regulated entity” that controls the processing of regulated health information of:
- A New York resident
- An individual physically present in New York
- An individual seeking or receiving services in New York where the entity is located in the state
What is “regulated health information”?
NYHIPA defines “regulated health information” in nearly identical terms to MHMDA, which results in a very broad definition, including:
- Individual health conditions, treatments, diseases, or diagnoses
- Social, psychological, behavioral, and medical interventions
- Surgeries or medical procedures
- Use or purchase of medication
- Bodily functions, vital signs, symptoms, or related measurements
- Diagnoses or diagnostic testing, treatment, or medication
- Gender-affirming care information
- Reproductive or sexual health information
- Biometric data
- Genetic data
- Precise location information that could reasonably indicate an individual’s attempt to acquire or receive health services or supplies
- Data that identifies an individual seeking healthcare services
- Any information that a regulated entity or their processor processes to associate or identify an individual with a physical or mental health status, derived or extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning)
As with MHMDA, the catch-all category at the end is the one that is likely to cause the most disruption for healthcare-related companies operating in New York. Read literally – and as has been interpreted by the Washington attorney general under MHMDA – this last category can mean any type of information that is used to infer a health condition or one of the other categories in the list that precedes it.
NYHIPA is not, however, applicable to deidentified information. Tracking other consumer privacy laws, deidentified information under NYHIPA is information that cannot be used to infer information about, or otherwise be linked to, an identifiable individual, household, or device, provided that the regulated entity (i) puts safeguards in place that ensure the deidentified information cannot be associated with an individual, household, or device, (ii) publicly commits to process such data only in a deidentified fashion and not to attempt to reidentify it, and (iii) contractually obligates recipients of such data to satisfy the same criteria.
Exemptions and carve-outs
NYHIPA includes a number of entity- and data-level exemptions. Notably, it does not apply to:
- Local, state, or federal governments and their agencies
- Protected health information governed by HIPAA
- HIPAA-covered entities and business associates
- Substance-use disorder records subject to 42 CFR Part 2
- Clinical trial data subject to the Common Rule
- Information governed by federal policies on human subject research
- Information subject to the federal Health Care Quality Improvement Act of 1986
- Patient safety work product
- Government entities processing data for governmental purposes
- Deidentified information meeting statutory requirements
- Data collected from job applicants and employees
Controller obligations
The headline is that NYHIPA creates a flat prohibition on the sale of regulated health information. There is no consent exception; companies simply are not permitted to sell regulated health information. Otherwise, NYHIPA creates a general restriction on processing regulated health information unless the individual has provided valid authorization, or the processing is strictly necessary for a limited set of purposes, including product maintenance, conducting internal business operations (not marketing, advertising, or research), and handling legal claims.
Authorization and notice requirements
Where authorization is required, NYHIPA imposes prescriptive requirements. The authorization must:
- Be separate from other authorizations
- Use plain language and at least 12-point font
- Clearly state that:
  - The processing is not strictly necessary
  - The consumer can decline without losing access to the service
- Not use manipulative or misleading design
- Allow separate consent for different types of processing
- Not re-request consent for activities the user declined or revoked within the past nine months
Authorizations must also include detailed disclosures about the processing, including:
- The types of health information being processed
- The nature of the processing activities
- The specific purposes for processing
- The names (where readily available) or categories of recipients, and the purposes of such disclosure
- The circumstances under which regulated entities may disclose regulated health information to law enforcement
- Any monetary or other valuable consideration the regulated entity may receive from using the data
- A statement that refusal to provide an authorization will not affect service use
- An expiration date (maximum of one year)
- What mechanism the individual can use to revoke consent
- How the individual can access or delete their data
- Any other material information needed for an informed decision
- Clear affirmative consent (e.g., signature or electronic agreement) and date
In addition to the above authorization requirements, regulated entities are required to provide a consumer health notice that describes (i) the types of regulated health information being processed by the regulated entity; (ii) the nature of the processing activities; (iii) the specific purposes of the processing; (iv) the recipients of the data, or categories of recipients, including service providers, third parties, and any disclosures to law enforcement along with the circumstances for such disclosures; (v) the mechanism by which the individual may request access to and deletion of their regulated health information; and (vi) a retention schedule for regulated health information, which states that the information will be disposed of within 60 days after it is no longer necessary to maintain for the permissible purpose identified in the notice or for which there was an authorization.
Wow, that’s a lot. The authorization and notice requirements – including the 60-day disposal window – are more onerous than those of MHMDA and even Colorado’s consent requirements. Companies should take heed of these requirements and update their existing consumer health policies (or publish new ones) so that they track each of the requirements above.
Service providers
NYHIPA imposes a now-familiar set of contractual obligations on the use of service providers, including ensuring that each service provider processing regulated health information is subject to a duty of confidentiality, protects regulated health information in accordance with applicable requirements, and limits its processing of regulated health information to what is necessary to fulfill its obligations to the regulated entity.
Individual rights
NYHIPA gives consumers the right to access and delete regulated health information. It departs from other consumer privacy laws in that it requires regulated entities to respond to these requests within 30 days and provides no extension of that period. Another nuance is that consumers must be able to make a deletion request through an “easy-to-use mechanism through an interface the individual regularly uses in connection with the regulated entity’s product or service.” In other words, NYHIPA will require many digital-health companies to build request portals to the extent they do not already have them.
Enforcement
The exclusive enforcement mechanism under NYHIPA is through the attorney general; there is no private right of action. The attorney general may seek disgorgement of profits and a civil penalty of $15,000 per violation. There is a six-year statute of limitations.
***
If you have questions or need assistance getting ready for NYHIPA or other new state privacy laws, please contact any authors or your regular McDermott Will & Schulte lawyer.