New York takes bold step in health data privacy with new legislation
Kirsten Peremore
Feb 4, 2025 11:41:14 AM

New York State Senators have introduced Senate Bill S. 929, the New York Health Information Privacy Act. The act would protect health information by imposing strict consent requirements on its processing, banning its sale, and granting individuals rights over their health data.
What happened
Senate Bill S. 929 was introduced by Senator Liz Krueger, with co-sponsors including Senators Brouk, Cleare, Comrie, Fernandez, Hinchey, Hoylman-Sigal, Jackson, Liu, Ryan, and Webb, during the 2025-2026 Regular Sessions. The bill would amend the General Business Law to establish the New York Health Information Privacy Act.
The proposed legislation seeks to improve the protection of health information by defining key terms such as "regulated health information," setting requirements for communications with individuals about their health data, and limiting the processing of that information to what is lawfully authorized or necessary. The bill was read twice and ordered printed, and was committed to the Committee on Internet and Technology for further consideration.
Going deeper
- De-identified information: Data that cannot reasonably be linked to a specific individual and that is processed with safeguards to prevent re-identification.
- Regulated health information: Any information reasonably linkable to an individual's physical or mental health, including location or payment information that relates to it, but excluding de-identified information.
- Process/processing: Any operation performed on regulated health information, including collection, use, sharing, and deletion.
- Regulated entity: An organization that controls the processing of regulated health information of individuals who are New York residents or are physically present in New York.
- Sell: Sharing regulated health information for monetary or other valuable consideration, excluding transfers that occur as part of a merger or acquisition.
- Service provider: An entity that processes regulated health information on behalf of a regulated entity.
- Third party: Any entity other than the individual, the regulated entity, or its service provider that is involved in a transaction concerning regulated health information.
- Requirements for communications: All communications to individuals must use plain language and be accessible to persons with disabilities.
- Individual rights: Individuals have the right to access their regulated health information and to request its deletion.
- Lawfulness of processing: A regulated entity may not sell an individual's regulated health information. It may not process that information without the individual's valid authorization unless the processing is strictly necessary for a listed purpose, such as providing a product or service the individual requested or complying with a legal obligation.
- Security: Regulated entities must protect regulated health information from unauthorized access, disclosure, and breaches.
- Enforcement: The act sets out mechanisms for enforcing compliance with its provisions.
- Contracts and waivers: Any contract term or waiver that contradicts the act's provisions is void and unenforceable.
What was said
The bill’s summary notes, “Provides for the protection of health information; establishes requirements for communications to individuals about their health information; requires either written consent or a designated necessary purpose for the processing of an individual's health information.”
Why it matters
The New York Health Information Privacy Act contrasts with the existing Health Insurance Portability and Accountability Act (HIPAA) in scope. HIPAA governs the privacy and security of health information held by covered entities and their business associates, such as providers, health plans, and their vendors; health-related data collected by apps, wearables, websites, and other businesses outside that group is not covered. S. 929 applies to any regulated entity processing the health information of New Yorkers, regardless of HIPAA status, bans the sale of that information outright, and requires separate authorization for processing that is not strictly necessary.
FAQs
What are the individual rights regarding their health information?
Individuals have the right to access their regulated health information and to request its deletion. They must also be told, in plain language, how their data will be processed, and they can revoke an authorization at any time.
What constitutes valid consent under this new legislation?
A valid authorization must be obtained separately from any other transaction, must state the categories of regulated health information to be processed, must describe the purposes of the processing, and must inform the individual of the right to revoke the authorization and to access the data.
Are there exceptions to the consent requirement?
Yes. A regulated entity may process regulated health information without authorization when the processing is strictly necessary for a purpose listed in the act, such as providing a product or service the individual specifically requested or complying with a legal obligation. These exceptions do not permit the sale of regulated health information, which the act prohibits.