New York Passes Health Privacy Law
The New York State legislature passed the Health Information Privacy Act ("NYHIPA") on January 22, 2025, making New York the second state to adopt a comprehensive consumer health data law. If enacted, NYHIPA will impose more stringent obligations on organizations that handle "regulated health information" ("RHI").
RHI is defined broadly to include health data that is linkable to an individual or a device. Notably, NYHIPA also expressly includes location, payment information, and inferences related to or derived from health data.
NYHIPA reaches both New York entities and out-of-state entities that handle data about New York residents and visitors. Specifically, it will apply to (1) RHI collected from New York residents, (2) entities that control "the processing of [RHI] of an individual who is physically present in New York while that individual is in New York", and (3) businesses located in New York that control the processing of RHI.
Entities subject to NYHIPA must:
Not sell RHI to a third party.
Obtain valid authorization before processing RHI, unless the processing is "strictly necessary" for certain purposes, such as providing a product or service the individual requested. Notably, NYHIPA also permits processing to protect the "vital interests of an individual," but it does not define "vital interest."
Allow individuals to revoke their authorization.
Not make providing a product or service contingent on an individual authorizing the processing of RHI.
Provide a health privacy notice and separately provide any material updates to that notice.
Offer individuals the right to access and delete their RHI.
Maintain reasonable security measures to protect RHI.
Enter into agreements with service providers that contain certain requirements, including permitting compliance audits of the service provider by the regulated entity.
Are there exemptions?
Yes, but only a few: (1) information processed by federal, state, or local governments; (2) protected health information ("PHI") subject to HIPAA; (3) covered entities subject to HIPAA; and (4) information collected as part of a clinical trial. Notably, HIPAA business associates and entities subject to GLBA are not categorically exempt from NYHIPA.
Enforcement rests with the New York Attorney General, who may bring actions against entities outside the state of New York and may seek to preemptively stop a violation before it occurs. Penalties can be as high as $15,000 per violation or 20% "of the revenue obtained from New York consumers within the past fiscal year." There is no private right of action.
This document is designed for general information only. The information presented in this document should not be construed to be formal legal or tax advice nor the formation of a lawyer/client relationship.
For more information on this and other topics, please contact Kevin via any of the channels listed below:
📧 kevin@kmckernan.com | 📞 718-317-5007