New York Legislature Passes the Health Information Privacy Act
3 February 2025
The New York Assembly and Senate have passed the New York Health Information Privacy Act (the “Act”), establishing a comprehensive framework for the processing of health data. The Act joins other state-level health privacy laws in the US, such as the Washington My Health My Data Act and the Nevada Consumer Health Data Privacy Law (as well as the health privacy provisions incorporated into Connecticut’s general privacy law), but introduces a regulatory approach that is distinct from other privacy and health data laws in the United States.
Applicability
Material scope – The categories of information covered under the Act are defined as “Regulated Health Information” (“RHI”), which includes any data reasonably linkable to an individual or a device that is used in connection with the physical or mental health of an individual, including any derivations thereof and any applicable payment or location information.
The Act imposes obligations on two categories of entities:
- Entities which control the processing of RHI (“Regulated Entity(ies)”); and
- Entities which process RHI on behalf of a Regulated Entity (“Service Provider(s)”).
Territorial scope – The Act applies with respect to:
- Any Regulated Entity which controls the processing of RHI of New York residents or individuals physically located in New York; or
- Any Regulated Entity which is located in New York and controls the processing of RHI.
Exemptions – Deidentified RHI is exempt from the Act. However, the definition of deidentified information extends beyond mere non-identifiability and requires entities to implement proactive measures to ensure that the data remains deidentified. Entities must apply technical safeguards, publicly commit to deidentification, and contractually obligate recipients to uphold the same standards.
It is interesting to note that, unlike other state-level health privacy laws, the Act does not exempt publicly available data or data covered under the Gramm-Leach-Bliley Act (which applies to entities in the financial sector).
The Act and HIPAA – Another notable aspect of the Act’s applicability is its interplay with the existing Federal Health Insurance Portability and Accountability Act (“HIPAA”), which governs the use and protection of personal health information on a Federal level.
Similarly to other state-level health privacy laws, the Act applies to entities that are not covered by HIPAA (which covers healthcare providers and health insurers), e.g., app developers and online platform operators.
In addition, the Act does not apply to “protected health information” as defined and regulated under HIPAA. However, since RHI is defined more broadly than “protected health information” and is not limited to information linked to an individual (it also covers data linkable to a device), the Act may apply to entities that are subject to HIPAA with respect to other types of RHI they control or process.
Key highlights
Legal bases for processing – Under the Act, Regulated Entities may only collect and process RHI if such use falls within a closed list of permissible activities (“Permissible Activities”). This list includes activities such as:
- Providing or maintaining a service or product specifically requested by the individual;
- Conducting internal business operations, which explicitly exclude any marketing, advertising, R&D, or the provision of services to any third party other than the individual;
- Complying with legal obligations, as well as exercising or defending against any legal claims.
Notice and valid authorization – Any Regulated Entity processing RHI must provide a clear and conspicuous notice detailing its processing activities. This notice must include information such as the types of RHI involved, the specific purposes of processing, the categories of third parties to whom RHI is disclosed, and the nature of the related processing activities. Additionally, any material change to the Regulated Entity’s processing activities must be accompanied by a separate, updated notice outlining such changes.
In addition to the general notice requirement, if a Regulated Entity cannot rely on one of the Permissible Activities, it must obtain the individual’s valid authorization to collect and process RHI. The threshold for valid authorization under the Act is higher than that of consent under similar laws. Any valid authorization must comply with specific disclosure requirements, including but not limited to:
- Providing the notice separately from any other disclosures presented during transactions in which other categories of personal data are collected;
- Allowing the individual to individually authorize or withhold authorization regarding each specific processing activity covered under the Act;
- Providing the individual with information such as the types of RHI processed, the nature of the processing activity, the third parties to whom RHI may be disclosed, and any other relevant details required under the Act;
- Obtaining the signature of the individual or the applicable legal guardian; and
- Providing the individual with a copy of any authorization they have provided.
These disclosure requirements apply separately and, if applicable, in addition to any other general notice requirements applicable to any Regulated Entity.
Individual rights – The Act requires any Regulated Entity to provide an easily accessible mechanism that allows individuals to request access to and deletion of their RHI. Additionally, individuals have the right to withhold or revoke any authorization previously provided.
Regulated Entities must comply with such requests and fulfill the rights within the timeframes and technical requirements specified by the Act. This includes contractually ensuring that applicable Service Providers comply with the requests and refraining from discriminating against individuals who withhold authorization.
Contractual requirements – Any processing of RHI by a Service Provider must be governed by a written, binding agreement that sets out specific instructions limiting the nature, duration, and purposes of the processing activities. Regulated Entities are also required to govern the Service Provider’s processing activities in respects such as the exercise of individual rights, the combination of RHI with other categories of data, and the deletion of RHI upon completion of the services provided.
Data retention – Regulated Entities must dispose of any RHI within a reasonable time, but no later than sixty days after the RHI is no longer necessary, in accordance with the applicable Permissible Activity or the individual’s authorization.
The Act is currently awaiting the Governor’s signature and is set to take effect one year after it is signed into law.