
New York legislature passes health data privacy law

Much like Washington State's My Health, My Data Act, New York's legislation aims to give consumers additional rights related to the sale of their health information.

The New York State Senate and Assembly passed the New York Health Information Privacy Act, a health data privacy law that aims to govern companies that sell and collect health data. If signed into law by the Governor, it would provide additional rights to consumers surrounding the sale of their private health information, while establishing strict noncompliance penalties for regulated entities.

The bill shares similarities with Washington State's My Health, My Data Act, which was signed into law in May 2023 and gives consumers the right to withdraw consent, request data deletion and prohibit the collection of health data without consent.

New York State Senator Liz Krueger introduced the Senate bill (S.929) along with several co-sponsors. The Assembly version of the bill (A.2141) passed in the Assembly's science and technology committee on Jan. 22, 2025, and will move on to the Governor's desk.

The provisions of the bill apply to any entities that process regulated health information pertaining to New York residents as well as New York-based entities that control the processing of regulated health information.

Under this law, regulated health information means "any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual."

The law would make it illegal for these entities to sell an individual's regulated health information without explicit consent. Specifically, it would be unlawful for a regulated entity to sell an individual's health information to a third party or otherwise process the information unless there is valid authorization or the processing is strictly necessary to provide the company's products or services as requested.

What's more, communications from entities covered by this law must be straightforward, and the entities must provide an efficient mechanism through which individuals can revoke authorization at any time.

If an individual does choose to revoke authorization, the regulated entity must immediately cease all processing activities, with the exception of those related to the entity's legal obligations.

Regulated entities also must maintain technical, administrative and physical safeguards to protect consumer information.

There would be no private right of action under the New York Health Information Privacy Act, meaning individuals would not be able to take legal action against covered entities for violating this law. However, the New York attorney general will be able to enforce the law through strict penalties, such as a $15,000 civil monetary penalty per violation, or 20% of the revenue obtained from New York consumers in the last fiscal year, whichever is greater.

The New York Health Information Privacy Act would take effect one year after the governor signs it into law.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
