NYHIPA (New York State)

NYHIPA expands health data privacy obligations beyond HIPAA for New York-facing websites.

The New York Health Information Privacy Act, passed in 2025, is New York's answer to the wave of state health data privacy laws that followed the HHS OCR guidance on website tracking technologies. Like Washington's My Health My Data Act, NYHIPA covers any entity that handles consumer health data about New York residents, not just HIPAA-covered entities. It includes a private right of action, making class-action litigation a direct risk alongside regulatory enforcement.

Full Name

New York Health Information Privacy Act

Jurisdiction

New York State

Penalties

NYHIPA authorizes enforcement by the New York Attorney General and provides for civil penalties. The private right of action allows individual consumers to bring claims for violations. Specific penalty amounts and litigation exposure depend on the implementing regulations and early case law as they develop from the 2025 enactment.

What It Is

Overview of NYHIPA

NYHIPA regulates the collection, use, sharing, and sale of consumer health data about New York residents by any person or entity that handles such data and either conducts business in New York or targets New York consumers. "Consumer health data" is defined broadly to include physical and mental health conditions, medications, treatments, health care services sought or received, reproductive health, and data that can reasonably be used to infer health status. The law requires affirmative opt-in consent before collecting or sharing consumer health data, with narrow exceptions for operational necessity.

Who It Covers

Scope and private right of action

Any person or entity that handles consumer health data about New York residents and either (a) conducts business in New York or (b) provides products or services intentionally targeting consumers in New York. This extends well beyond HIPAA-covered entities to include general-purpose websites with health-related content, wellness apps, insurance technology platforms, marketing technology companies that process health-adjacent behavioral data, and any organization whose digital properties attract New York consumers.

Exposure Triggers

What website technologies create NYHIPA exposure

NYHIPA's broad definition of consumer health data means that website analytics and advertising technologies on health-related pages may trigger its requirements whenever those technologies collect and share data about New York residents.

Ad pixels and analytics on health-condition-specific pages

Pixels and analytics tools that collect URL-level behavioral data on pages about specific health conditions, medications, symptoms, or treatments may be collecting consumer health data under NYHIPA when that data can be linked to a New York resident. The affirmative consent requirement applies before such data can be collected or shared.

Meta Pixel and retargeting on health-adjacent content

The Meta Pixel sends page URL, referrer, and behavioral event data to Meta. On health-related pages where URLs or page content reveal health-related interests, this transmission may constitute sharing of consumer health data with a third party without the required affirmative consent.

Analytics platforms on wellness, insurance, and health information sites

Any site that attracts New York consumers with content about health conditions, medications, wellness, insurance, or healthcare services may trigger NYHIPA obligations for the analytics and advertising tools it deploys on those pages, regardless of whether it is a covered entity under HIPAA.

Demand Letter Response

NYHIPA enforcement and private right of action

Because NYHIPA includes a private right of action, litigation risk is not limited to New York AG enforcement. Plaintiffs' attorneys who have already developed HIPAA pixel, VPPA, CIPA, and Washington MHMDA practice are evaluating NYHIPA claims as the law takes effect. A demand letter under NYHIPA will likely identify a specific tracking technology on a health-related page and allege that it collected or shared consumer health data without the required affirmative consent. The consent threshold under NYHIPA is higher than under HIPAA: affirmative opt-in is required, and a general-purpose cookie consent banner that does not specifically address health data collection is unlikely to satisfy this standard. Evidence preservation and a technical audit of your third-party script configuration should be immediate priorities if you receive a NYHIPA-related inquiry.

Evidence Support

NYHIPA technical compliance documentation

NYHIPA compliance requires documenting which technologies collect health-related data from New York consumers, what data they share with third parties, and whether affirmative consent was obtained before that collection and sharing occurred.

Health-page script inventory

Lokker identifies every third-party script active on pages with health-related content and documents what data each script collects and transmits, giving you the baseline inventory for a NYHIPA compliance review.

Consent mechanism validation

Consent Validator tests whether analytics and advertising pixels are blocked until affirmative consent is obtained on health-related pages, consistent with NYHIPA's opt-in consent standard.
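The two checks described above (a pixel transmitting a health-related page URL and referrer, and validating that pixels stay blocked until affirmative health-data consent) can be expressed as a small audit over a captured request trace. This is an added example, not Lokker's Consent Validator or any Meta code; the health path patterns, the pixel host, the query parameter names and the trace entries are all constructed.

```javascript
// Constructed: the site sections this example treats as health-related content.
const HEALTH_PATH_PATTERNS = [/^\/conditions\//, /^\/medications\//, /^\/symptoms\//, /^\/treatments\//];

// A page counts as health-related when its path falls inside one of those sections.
function isHealthPage(path) {
  return HEALTH_PATH_PATTERNS.some((re) => re.test(path));
}

// Consent state: { cookies: boolean, healthData: boolean }. On health pages only an
// explicit health-data opt-in unlocks the pixel; a general cookie banner is not enough.
function pixelMayFire(path, consent) {
  const c = consent || {};
  return isHealthPage(path) ? c.healthData === true : c.cookies === true;
}

// Audit a trace of third-party requests captured during page loads. Each entry holds the
// page path, the third-party host, the full request URL, the referrer the browser would
// send, and the consent state at the moment the request left the browser. A finding is
// raised for every request that fired without the consent the page required, noting
// whether the request carried the health page URL and/or a health-related referrer.
function auditPixelTrace(trace) {
  const findings = [];
  for (const req of trace) {
    if (pixelMayFire(req.page, req.consent)) continue;
    const leaked = [];
    if (decodeURIComponent(req.url).includes(req.page)) leaked.push("page_url");
    if (req.referrer && isHealthPage(new URL(req.referrer).pathname)) leaked.push("referrer");
    findings.push({ page: req.page, host: req.host, leaked });
  }
  return findings;
}

// Constructed trace: a condition page with only cookie consent (violation), a non-health
// page with cookie consent (fine), and a medication page after health-data opt-in (fine).
// The "ev" and "dl" query parameters are invented for this example.
const PIXEL = "https://pixel.example-adtech.test/tr?ev=PageView&dl=";
const SAMPLE_TRACE = [
  { page: "/conditions/type-2-diabetes", host: "pixel.example-adtech.test",
    url: PIXEL + encodeURIComponent("https://example.org/conditions/type-2-diabetes"),
    referrer: "https://example.org/symptoms/frequent-urination",
    consent: { cookies: true, healthData: false } },
  { page: "/about", host: "pixel.example-adtech.test",
    url: PIXEL + encodeURIComponent("https://example.org/about"),
    referrer: "", consent: { cookies: true, healthData: false } },
  { page: "/medications/metformin", host: "pixel.example-adtech.test",
    url: PIXEL + encodeURIComponent("https://example.org/medications/metformin"),
    referrer: "https://example.org/", consent: { cookies: true, healthData: true } },
];

function runAudit() {
  return auditPixelTrace(SAMPLE_TRACE);
}

console.log(JSON.stringify(runAudit(), null, 2));
```

In a real review the trace would come from a browser automation run or a proxy capture that records consent state alongside each outbound request; the audit logic stays the same.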

Historical configuration documentation

Privacy Edge retains scan data indefinitely. For a date range cited in a complaint or enforcement inquiry, Lokker can document which third-party scripts were active on your health-related pages at the time the alleged violations occurred.

Frequently Asked Questions

Common questions about NYHIPA

Is NYHIPA only relevant to healthcare companies?

No. NYHIPA applies to any entity that handles consumer health data about New York residents, regardless of whether it is a HIPAA-covered entity. A general-purpose news site, a wellness app, an insurance comparison platform, or a marketing technology company that processes health-adjacent behavioral data may all be subject to NYHIPA.

How does NYHIPA compare to HIPAA?

HIPAA applies to covered entities (healthcare providers, health plans, clearinghouses) and their business associates. NYHIPA applies to any entity handling consumer health data about New York residents, regardless of HIPAA status. NYHIPA's definition of consumer health data is also broader than HIPAA's PHI definition, potentially capturing data that HIPAA would not reach, including inferred health data and geolocation near health facilities.

How does NYHIPA compare to the Washington My Health My Data Act?

Both laws share a similar structure: broad definition of consumer health data, application beyond HIPAA-covered entities, affirmative consent requirements, and a private right of action. NYHIPA applies to New York residents while MHMDA applies to Washington residents. Organizations with nationwide digital audiences may need to address both laws simultaneously, as well as HIPAA obligations for covered entity properties.

What consent standard does NYHIPA require?

NYHIPA requires affirmative opt-in consent before an entity may collect or share consumer health data. This is a higher standard than a general-purpose cookie consent mechanism that does not specifically reference health data collection. The specific requirements of what constitutes valid affirmative consent under NYHIPA will be clarified through implementing regulations and early enforcement actions.

Defense Counsel Network

Received a NYHIPA demand letter or are under investigation?

Lokker works alongside defense counsel who handle NYHIPA-related website privacy cases. We provide the technical evidence documentation your attorneys need and can make the right introduction to law firms that specialize in this area. Contact us now.