| Update Applicable to: | Effective Date |
| --- | --- |
| All Entities that Process Health Information, Regardless of Size | One Year After Signature by Governor |
What happened?
On January 22, 2025, the New York Assembly passed Senate Bill S929, the New York Health Information Privacy Act (NYHIPA). This legislation introduces stringent new requirements for entities processing the health information of individuals physically present in New York, regardless of the entity's location and size.
Overview:
NYHIPA imposes strict requirements on businesses managing health data, including explicit consent, detailed authorization, and immediate cessation of data processing upon revocation. There are significant penalties for non-compliance.
The law applies to any entity processing the health information of New York residents or individuals physically present in New York. Businesses must assess their data practices, establish compliance plans, and train staff to avoid penalties and reputational harm.
Key Points of NYHIPA:
- Broad Scope: Covers various health-related data, including personal wellness habits, purchase histories, and location information.
- Strict Consent Requirements: Explicit consent is required before processing health data, except in specific circumstances.
- Prohibition on Selling Data: Selling health information without consent is prohibited.
- Exemptions: HIPAA-covered entities are exempt only for data already protected under HIPAA.
- Regulated Entities: Applies to any entity processing health information of New York residents or individuals physically present in New York.
- Authorization Requirements: Data collection/processing requires “valid authorization,” detailed forms, and a 24-hour waiting period.
- Revocation and Notice Requirements: Easy revocation process; immediate cessation of data processing upon revocation.
- Security Requirements: Entities must safeguard health information, but the law provides no specific guidance on verifying consumer requests.
- Enforcement and Penalties: The New York attorney general can enforce actions with penalties up to $15,000 per violation or 20% of revenue from New York consumers.
Additional Details
- Regulated Health Information: NYHIPA defines regulated health information broadly, covering non-HIPAA-regulated data like personal wellness habits, purchase histories, and location/payment information related to health.
  - It includes any health-related inferences linkable to an individual.
  - It does not exempt public data, research data, or information regulated under the Gramm-Leach-Bliley Act, nor does it fully exempt HIPAA-covered entities or financial institutions.
- Regulated Entities: NYHIPA regulates any entity, regardless of size, that processes health information of New York residents, individuals physically present in New York, or entities located in New York.
  - This includes companies collecting non-HIPAA-regulated health, wellness, or nutritional data of residents or visitors in the state.
- Consent and Authorization: NYHIPA requires “valid authorization” to collect or process health information, with limited exemptions for activities deemed “strictly necessary.”
  - Strict necessity excludes marketing, advertising, R&D, and third-party services. This limits unauthorized marketing and may hinder outreach efforts for new medications and clinical trials.
- Authorization Requirements: Authorization must be obtained separately from other transactions and not within the first 24 hours of a customer’s initial use of a product or service.
  - Forms must allow individuals to approve or deny each processing activity, cannot request authorization for activities denied within the past year, and must describe the data processing in detail, including types of data, purpose, third parties, and consumer rights.
- Revocation and Notice Requirements: Entities must provide an easy way for consumers to revoke authorization, such as a simple action within account settings.
  - Upon revocation, processing must stop immediately, with few exceptions. New authorizations are needed for new or significantly changed processing activities.
  - Authorization cannot be granted within 24 hours of a product/service request, which complicates updates.
- Security Requirements: Entities must safeguard health information, but the law provides no specific guidance on verifying consumer requests.
  - Third-party agents can make requests on behalf of consumers, but there is no clear way to verify their identity or authorization, posing security risks.
- Enforcement and Penalties: The New York attorney general can investigate violations and bring enforcement actions, with penalties up to $15,000 per violation or 20% of revenue from New York consumers, whichever is greater.
  - This strong penalty structure could deter entities from operating in New York due to high compliance costs.
“Please mark the effective date on your calendar as a reminder to be fully prepared and ready to ensure compliance with applicable laws and regulations.”
Need help understanding how changes to employment laws will affect your business?
Learn more about how Vensure's New York PEO services can help you navigate complex employment laws and keep your business compliant.
This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.