
Keypoint: The New York legislature passes broad and restrictive health data privacy legislation with implications for businesses both within and outside New York.

Last week, the New York legislature passed the New York Health Information Privacy Act (S 929) (the “Act”). If signed into law, the Act will add New York to the list of states that have enacted consumer health data-specific privacy legislation in response to the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization.

Although the Act is not a clone of Washington’s My Health My Data Act (“MHMD”), it follows many of the same themes: regulating health data beyond the state’s borders, utilizing a broad definition of health data, and imposing additional obligations and narrower exemptions than those seen in generally applicable consumer privacy legislation.

Below, we provide a summary of the Act and identify some of the unique challenges it poses for affected companies.

Background

The Act was proposed by Senator Liz Krueger in early January and passed the Senate and Assembly on January 21 and 22, 2025, respectively. Last year’s version of this Act (S 158) passed the Senate, but not the Assembly.

The Act will next move to Governor Hochul. According to the New York Senate’s website, if a bill is received during session, the Governor has ten days to sign or veto it. If the Governor takes no action, the bill becomes law automatically. If the bill is sent to the Governor when the legislature is out of session, the Governor has thirty days to “make a decision, and failure to act . . . has the same effect as a veto.” Although not discussed on the Senate’s website, the Governor can also engage in a chapter amendment. As explained here, a “chapter amendment is essentially a bill that the Legislature agrees to pass in exchange for the Governor signing another bill amending the same law(s).”

Scope

What entities are regulated under the Act?

The Act applies to “regulated entities” that process “regulated health information” (“RHI”) of “individuals.” The Act defines a “regulated entity” as “any entity that (a) controls the processing of regulated health information of an individual who is a New York resident, (b) controls the processing of regulated health information of an individual who is physically present in New York while that individual is in New York, or (c) is located in New York and controls the processing of regulated health information. A regulated entity may also be a service provider depending upon the context in which regulated health information is processed.”

For comparison, MHMD defines a regulated entity as “any legal entity that: (a) Conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; and (b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.” Notably missing from New York’s definition is any requirement that the regulated entity conduct business in New York. That requirement is presumably implicit in part (c) but is not imposed by parts (a) or (b). In theory, this gap would be addressed through personal jurisdiction arguments.

Further, subsection (b) is based on an individual’s physical presence in New York alone and not residency (as is the case with other consumer data privacy laws). This means an entity with no other relationship to New York could still be considered a regulated entity if it collects information from an individual physically located in New York. It also means that the Act applies if, for example, a business sells a product to a New Jersey resident who then commutes to work in New York.

Notably, the Act also lacks a scienter requirement for this provision – i.e., it does not require that the regulated entity know the individual is physically present in New York. How this works in practice remains to be seen. Presumably, to comply, a business subject to the Act would need to collect some form of location data from all of its customers by default in order to determine when they travel to New York. This type of data collection could itself potentially violate other parts of the Act (as discussed below) and, depending on the specific type of geolocation data at issue, could implicate notice and consent requirements under other state privacy laws. For example, New Jersey’s privacy law requires consent for the collection of precise geolocation data. Of course, the FTC (at least under the prior presidential administration) has also regulated the processing of location information.

Moreover, subsection (c) removes any residency or physical location requirements and instead considers only the business’ location. Any business located in New York that processes RHI is a regulated entity under the Act. The definition does not specify that the RHI must involve individuals with a specific residency or location. Therefore, a business located in New York must treat the RHI of any individual—whether they are in Brooklyn or Brussels—in accordance with the Act. This type of language could be ripe for Dormant Commerce Clause challenges.

Finally, the Act’s use of the word “individual” is significant. The Act does not define that word or, more to the point, exclude employee and business-to-business data. In comparison, Washington’s MHMD applies to “consumer health data” and defines “consumer” as a “natural person who acts only in an individual or household context, however identified, including by any unique identifier. ‘Consumer’ does not include an individual acting in an employment context.”

What information is regulated under the Act?

The definition of RHI is broad in both scope and implications. The Act defines RHI as “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual. Location or payment information that relates to an individual’s physical or mental health or any inference drawn or derived about an individual’s physical or mental health that is reasonably linkable to an individual, or a device, shall be considered, without limitation, regulated health information.”

The Act’s lack of defined terms means that RHI could be interpreted to apply to a broad variety of information. For example, RHI includes information processed “in connection with” or location or payment information that “relates to” an individual’s physical or mental health, but the Act does not define what constitutes a “connection” or “relation.” As a result, any direct or indirect link between a piece of information and a health-related product, service, or activity could potentially constitute RHI. For example, health information collected by an employer as part of a job application, such as an applicant’s physical capabilities, could potentially be considered RHI. In theory, a restaurant’s collection of dietary or allergy information could also potentially be covered.

Additionally, RHI includes any “location information” related to an individual’s physical or mental health but does not define “location.” It is an open question whether location means something equivalent to precise geolocation data or whether it could include general location data such as an address, state of residence, or even country of residence, as long as it relates to an individual’s health.

Further, while the Act covers “payment information” it notably does not include a GLBA exemption. Like MHMD, RHI also includes “inferences” about an individual’s health that are “reasonably linkable” to the individual.

Among other things, if the Act becomes law, entities will need to consider the Act’s application to online information such as IP addresses and cookie information as well as offline information. The FTC’s Complaint against BetterHelp serves as a good example of how regulators can consider even basic information like email addresses and IP addresses to be health data. For example, in paragraph 48 of the Complaint, the FTC stated “each such disclosure of even a Visitor’s or User’s email address constituted a disclosure of the Visitor’s or User’s health information.”

What entities and information are exempt under the Act?

The Act exempts only a limited set of information.

First, the Act exempts deidentified information from its definition of RHI; however, it does not exempt publicly available information. The absence of such an exemption will likely trigger arguments that the Act violates the First Amendment.

The Act also exempts protected health information collected by a HIPAA-covered entity or business associate and information collected as part of a clinical trial subject to the Common Rule. Further, it exempts any HIPAA-covered entity governed by the privacy, security and breach notification rules issued by HHS “to the extent the covered entity maintains patient information in the same manner as protected health information.” The Act also exempts information processed by local, state, and federal governments, and municipal corporations.

The Act lacks many common exemptions found in other state privacy laws. For example, it contains no entity-level exemption for HIPAA business associates (only the protected health information they collect is carved out of RHI), and it does not exempt GLBA-regulated entities, FCRA data, FERPA data, non-profits, or employers acting in relation to their employees.

Obligations

The Act’s obligations can be broken down into five parts: (1) processing restrictions, (2) notices, (3) individual rights, (4) security and document retention, and (5) service provider contracts. We briefly discuss each of these in turn.

Processing Restrictions

Although it is typically not ideal to quote statutory language in full in a summary article, the Act’s processing restriction language found in section 1122 is an exception. Specifically, section 1122 states:

1. In general, it shall be unlawful for a regulated entity to:

(a) sell an individual’s regulated health information to a third party; or

(b) otherwise process an individual’s regulated health information unless:

(i) the individual has provided valid authorization for such processing as set forth in paragraph (b) of subdivision two of this section; or

(ii) processing of an individual’s regulated health information is strictly necessary for the purpose of:

(a) providing or maintaining a specific product or service requested by such individual;

(b) conducting the regulated entity’s internal business operations, which exclude any activities related to marketing, advertising, research and development, or providing products or services to third parties;

(c) protecting against malicious, fraudulent, or illegal activity;

(d) detecting, responding to, or preventing security incidents or threats;

(e) protecting the vital interests of an individual;

(f) investigating, establishing, exercising, preparing for, or defending legal claims; or

(g) complying with the regulated entity’s legal obligations.

The apparent issue raised by this language is whether part (a) stands alone or whether the language in subsections (i) and (ii) applies to part (a). In other words, does the Act strictly prohibit the sale of RHI to third parties? Or does it allow the sale of RHI to third parties if an individual provides a valid authorization?

Although not dispositive, the Act’s requirements for what must be provided in a valid authorization suggest that regulated entities can use them to authorize sales. Specifically, the Act states that valid authorizations must include, among other things, “the names where readily available, or categories of service providers and third parties to which the regulated entity may disclose the individual’s regulated health information” and “any monetary or other valuable consideration the regulated entity may receive in connection with processing the individual’s” RHI. “Sale” is defined broadly as “to share regulated health information for monetary or other valuable consideration.” The Act also defines “processing” to include sharing and sale. Piecing this all together, one could argue that the inclusion of such requirements for a valid authorization is evidence that they can be used to authorize RHI sales; otherwise, the language would serve no purpose.

As noted, absent a valid authorization, a regulated entity may process RHI only if the processing is “strictly necessary” for one of the seven enumerated purposes. The Act does not define “strictly necessary.”

The requirements for valid authorizations under the Act generally mirror those found in other similar privacy laws – e.g., requiring disclosures about the RHI collected, its use, and its sharing. However, the Act imposes additional requirements. Perhaps most notable is that a regulated entity cannot seek to obtain a valid authorization for “at least twenty-four hours after an individual creates an account or first uses the requested product or service.” Among other things, authorizations must be made available on the entity’s website, include a statement that refusal to provide an authorization will not impact the individual’s use of a product or service, and for individuals with online accounts, the regulated entity must provide a conspicuous and easily accessible place within the account settings to list all of the processing activities for which an individual has provided authorization and allow the individual to revoke authorization for each distinct processing activity.

Notices

The Act requires regulated entities that process RHI for a permissible purpose to provide a “clear and conspicuous notice,” publicly available on their websites, that describes their RHI processing and sharing practices. The notice also must include the “names where readily available, or categories of service providers and third parties to which the regulated entity may disclose the individual’s [RHI] and the purposes for such disclosure.” Unlike Washington’s MHMD, the Act contains no specific requirement that the notice be kept separate from a regulated entity’s general online privacy policy/notice.

One question that comes to mind is whether this notice could be combined with a notice already provided for MHMD purposes. Notably, the Washington Attorney General has stated that the MHMD notice “may not contain additional information not required under” MHMD. See MHMD FAQs. Because the definitions of “consumer health data” under MHMD and RHI under the Act differ, they may not entirely overlap depending on the specific use case, complicating the use of a single notice.

Individual Rights

The Act provides for two individual rights: (1) the right to access RHI and (2) the right to delete RHI. Regulated entities must fulfill these requests within 30 days. Importantly, the Act does not require (or even expressly permit) regulated entities to verify the identity of the requestor. The Act also states in passing that a request may be made by “an agent authorized by such individual.”

The lack of verification for access requests – including authorized agent access requests – obviously creates obstacles for entities seeking to protect against malicious actors, since an unverified access request is a direct route for one person to obtain another’s RHI, and an unverified deletion request a route to destroy it. As discussed in the next section, the Act does require regulated entities to secure RHI. Therefore, it could be argued that securing RHI necessarily includes verifying access and deletion requests. In any event, this may be an area ripe for clarification through a chapter amendment or attorney general rulemaking.

Additionally, the only exception allowing entities to retain RHI after a deletion request is if there is a “legal obligation” to maintain the data. Therefore, regulated entities will need to closely examine their practices to ensure that any denial is tied to a legal requirement.

Security and Document Retention

As mentioned, the Act requires regulated entities to develop, implement, and maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of RHI.

Regulated entities also must securely dispose of RHI “pursuant to a publicly available retention schedule within a reasonable time, and in no event later than sixty days, after it is no longer necessary to maintain for the permissible purpose or purposes identified in the notice or for which the individual provided valid authorization.”

Service Provider Contracts

Regulated entities are required to enter into contracts with service providers that process RHI. Most of the requirements for these contracts will look familiar to those dealing with other privacy laws. One wrinkle is that service providers must “notify the regulated entity a reasonable time in advance before disclosing or transferring [RHI] to any further service providers, which may be in the form of a regularly updated list of further service providers that may access” RHI.

Enforcement

Paragraph 1 of section 1127 permits the state attorney general to bring an action or special proceeding to enjoin any violation, obtain restitution or disgorgement of profits obtained through a violation, seek a civil penalty of the greater of $15,000 per violation or 20% of revenue obtained from New York consumers within the past fiscal year, and any other relief deemed proper. There is a six-year statute of limitations for violations.

Paragraph 2 of section 1127 further states that the “remedies provided by this section shall be in addition to any other lawful remedy available.” Some have taken the position that such language may leave the door open for private litigants to bring lawsuits.

In comparison, last year the New York legislature passed the Safe for Kids Act, which is chaptered in the New York General Business Law (where the Act will be chaptered if signed into law). The remedy section of that law contains language similar to paragraph 1, but no language similar to paragraph 2. See N.Y. Gen. Bus. Law § 1508. Last year’s New York Child Data Protection Act is structured the same way. See N.Y. Gen. Bus. Law § 899-MM. Further, last year’s Social Media Terms of Service law states that actions “shall be prosecuted exclusively in a court of competent jurisdiction by the attorney general.” See N.Y. Gen. Bus. Law § 1103. Finally, the state’s Fair Credit Reporting Act – also chaptered in the General Business Law – contains express private right of action language. See N.Y. Gen. Bus. Law § 380-l.

For reference, Washington’s MHMD contains language stating that the state’s consumer protection act applies, thereby specifically authorizing private litigation.

Effective Date

The Act takes effect one year after it is signed into law (assuming it is).

Rulemaking

The Act authorizes (but does not require) the attorney general to promulgate rules and regulations “as are necessary to effectuate and enforce” the Act.