New York’s Proposed Health Information Privacy Act Takes Aim at Digital Health Companies
The New York Health Information Privacy Act (NYHIPA), if enacted, could create a chilling effect on patient access and engagement to readily available digital health care services relied upon by New Yorkers. Digital health companies will likely struggle to maintain patient engagement and care coordination and will almost certainly face hurdles in improving their products and services due to the financial and operational burdens created by NYHIPA.
As of January 23, 2025, the NYHIPA had passed both the New York Senate and Assembly and will be routed to the Governor for possible signature. If enacted, the NYHIPA would significantly impact how digital health companies collect, disclose, and use consumer health information in New York.
Who is regulated?
As currently drafted, NYHIPA will be applicable to any health care organization with patients or customers that have a connection to New York.
Specifically, NYHIPA would apply to any entity that:
- controls the processing of regulated health information of a New York resident,
- controls the processing of regulated health information of an individual who is physically present in New York while that individual is in New York, or
- is located in New York and controls the processing of regulated health information.
The entity-level exemptions are limited as compared to other consumer data privacy laws. HIPAA-covered entities are exempt but only to the extent the entity maintains patient information in the same manner as HIPAA-protected health information. Although traditional medical records maintained by HIPAA-covered entities will likely be exempt, personal information collected early in the user workflow will likely be governed by NYHIPA and subject to the strict authorization requirements discussed below prior to any processing by a regulated entity — unless the entity is a HIPAA-covered entity and treats that information as HIPAA- protected health information.
What information is regulated?
NYHIPA seeks to regulate any and all information that could be linked to health or wellness, including device data. The information regulated is any information that is reasonably linkable to an individual or a device, collected or processed in connection with the physical or mental health of an individual, including location or payment information that relates to an individual’s physical or mental health or any inference drawn or derived about an individual’s physical or mental health that is reasonably linkable to an individual or a device. HIPAA-protected health information and deidentified information would be exempt from regulation.
What are the processing restrictions?
“Processing” would need to be narrowly tailored to the specific product or service requested by an individual, unless an explicit authorization is obtained. Processing, as defined under NYHIPA, generally means any operation performed on health information, including the collection, use, disclosure, access, sale, sharing, creation, generation, or deidentification of health information.
Regulated entities cannot process health information unless:
- the individual has provided an authorization; or
- the processing is strictly necessary for certain enumerated purposes, including providing or maintaining a specific product or service requested by such individual or conducting the regulated entity’s internal business operations.
Most importantly, and what will surely cause angst within the digital health community, internal business operations expressly exclude any activities related to marketing, advertising, research and development, or providing products or services to third parties without explicit authorization from the individual authorizing such activities.
When can an authorization be obtained and what must the authorization include?
NYHIPA will prohibit an authorization from being obtained from an individual for 24 hours after account creation or first use of the product or service. Opt-in consent will not be enough, as individuals will be required to obtain explicit authorization for each activity not deemed strictly necessary to the products or services requested by the individual.
The authorization must
- be made separately from any part of a transaction;
- (ii) be made at least 24 hours after the individual creates an account or first uses the requested product or service; and
- allow the individual to provide or withhold authorization separately for each category of processing activity, among other requirements.
For individuals who have an online account with the entity – which will be the case for most digital health companies – the regulated entity must provide, “in a conspicuous and easily accessible place within the account settings,” a list of all processing activities for which the individual has provided authorization and, for each processing activity, allow the individual to revoke authorization in the same place “with one motion or action.” Entities cannot make a product or service contingent on providing authorization and cannot discriminate against an individual for withholding authorization, such as by charging different prices for products or services, including through the use of discounts or other benefits.
Is a privacy notice required?
NYHIPA would require a privacy notice if a regulated entity processes health information for a permissible purpose without an authorization. The notice would need to include the information processed, the nature of the processing activity, the “specific purposes” for such processing, names or categories of service providers and third parties to whom information is disclosed and the purpose of the disclosure, and the mechanism by which the individual may request access to and deletion of their health information. Notably, if the regulated entity materially alters its processing activities, the regulated entity would need to provide a clear and conspicuous notice, separate from a privacy policy, terms of service, or similar document, that describes any material changes to the processing activities and provide the individual with an opportunity to request deletion of the individual’s health information. Note that unlike other consumer data privacy laws, the only exception to the deletion requirement under NYHIPA as proposed allows retention “to the extent necessary to comply with the regulated entity’s legal obligations.”
What are other key requirements digital health companies should be aware of?
NYHIPA will require service providers to segregate health information by regulated entity. Regulated entities would need to enter into a written agreement with service providers. The required terms for those agreements generally look similar to other consumer data privacy laws. However, NYHIPA also requires that the service provider:
- not combine the health information which the service provider receives from or on behalf of the regulated entity with any other personal information which the service provider receives from or on behalf of another party or collects from its own relationship with individuals; and
- (ii) notify the regulated entity “a reasonable time in advance” before sharing health information with any further service providers.
All websites and communications would need to be reasonably accessible to individuals with disabilities and available in languages in which the regulated entity provides information via its website and services.
When could this law be effective and what are the possible penalties?
NYHIPA would go into effect one year after the bill is signed into law.
The New York Attorney General would have authority to enforce the law, including civil penalties of the greater of $50,000 per violation or 20% of the revenue obtained from New York consumers within the past fiscal year, among other remedies. The Attorney General also has authority to promulgate implementing rules and regulations.
What are the practical impacts of NYHIPA?
NYHIPA will pose significant financial and operational hurdles to digital health companies. Regulated entities would be required to upgrade websites and user workflows for each of the processing activities for which the regulated entity would seek authorization from an individual, as well as any necessary upgrades to meet the new accessibility requirements. The 24-hour moratorium on requesting authorization will effectively create a barrier to activities that improve the patient experience, engagement, and education. Service providers will experience financial impact as a result of implementing the requirements to segregate each regulated entity’s health information. Finally, NYHIPA will require digital health companies to comply with yet another state consumer privacy law that materially differs from other state privacy laws.
What digital health companies should do next?
NYHIPA has passed both legislative houses and only awaits the Governor’s signature to become law. As noted above, the effective date for the law would be one year after signature by the Governor. That one-year period is an incredibly short time for digital health companies to implement the changes that would be required to comply with NYHIPA. Therefore, if enacted, digital health companies with patients or customers in New York should immediately begin planning for compliance with NYHIPA.
Health care data privacy continues to rapidly evolve. Thus, digital health companies should closely monitor any new developments and continue to take necessary steps towards compliance. If you have any questions on compliance with consumer health data privacy laws or other recent changes to health care data privacy laws, please contact any of the authors or any of the Partners or Senior Counsel in Foley’s Cybersecurity and Data Privacy Group or Health Care Practice Group.
