The New York Health Information Privacy Act (NY HIPA) is a new law aimed at strengthening the privacy and security of health-related information for New York residents. Passed by the legislature on January 22, 2025, NY HIPA introduces comprehensive rules governing the collection, processing, and sharing of health data.
As of now, the bill has passed the New York State Legislature and is awaiting the governor’s signature. Once signed, NY HIPA will take effect one year later, giving covered entities time to bring their practices into compliance.
NY HIPA is one of many state privacy laws recently considered or passed. It closely resembles Washington State’s My Health My Data Act (MHMDA), which imposes many new requirements on businesses regarding the collection of “consumer health data.” MHMDA is already the basis of a recently filed, potentially precedent-setting class action alleging that mobile apps allowed third-party software to collect consumer health data unlawfully by harvesting location data from millions of users. Unlike MHMDA, NY HIPA does not give individuals a private right of action to sue. The New York attorney general, however, is authorized to enforce the law and impose substantial fines for violations.

Key Provisions of NYHIPA:
- Definition of Regulated Health Information (RHI): NYHIPA defines RHI broadly, covering any data relating to an individual’s physical or mental health, the healthcare services they receive, or related payment information. RHI is comparable to the “consumer health data” regulated by the Washington State law and is wider than HIPAA’s “protected health information” (PHI), because it includes data from health apps, wearable devices, and other consumer-facing technologies that HIPAA-covered entities never touch.
- Scope of Applicability: Any entity that handles the health information of New York residents, regardless of its location or industry, is subject to the act. This reaches well beyond the traditional healthcare sector to businesses such as fitness app developers and wellness product websites. Take care to determine whether your own content could count as health data: pages about allergies or about how to sleep better, for example, are often treated as health data, so a visitor’s interaction with them may itself become RHI once it is tied to an identifier or location.
- Consent Requirements: Individuals must give explicit consent, through a consent form, before the entity or any third party operating on its site can collect, use, or share their health information. The consent form must specify the types of data collected, the purposes of processing, and every third party involved.
- Privacy Policy and Individual Rights: NY HIPA grants individuals rights to access, correct, and delete their health information. Note that this goes beyond HIPAA, which provides access and amendment rights but no right to deletion. Your privacy policy should describe these rights and make clear that health information is protected.
- Data Security Obligations: Entities collecting individuals’ data are required to implement robust security measures to protect health information from unauthorized access, breaches, or misuse.

Website Owners Need to Take Action to Achieve Compliance With This Law:
- Assess Data Practices: Identify and document all health-related data collected, processed, or stored by your website. This means reviewing every page and form on the site to decide whether the data it handles, or the visit itself, falls under the broad definition of RHI described above.
- Obtain Explicit Consent: Implement clear, comprehensive consent mechanisms that run before any health information is collected, including by third-party tags and scripts, and make sure users understand what data is collected and how it will be used.
- Detect and Monitor Data Sharing: Use a tool like PrivacyEdge to scan your sites and report on which third parties receive data from them.
- Enhance Privacy Policies: Update your website’s privacy policy to reflect NYHIPA requirements, detailing data collection practices, user rights, and security measures.
- Implement Security Measures: Adopt appropriate technical and organizational safeguards for health data, such as encryption in transit and at rest, least-privilege access controls, and regular security assessments.
- Facilitate User Rights: Establish processes that let users access, correct, or delete their health information on request, including propagating deletions to any third parties that received the data.
- Train Staff: Educate employees and contractors about NYHIPA requirements and best practices for handling health information.
- Monitor Compliance: Regularly review and update data protection practices, using a tool like PrivacyEdge, to ensure ongoing compliance with NYHIPA as your site and its third-party integrations change.
By addressing these areas proactively, website owners can align with NYHIPA’s requirements and help protect individual health information. Let Lokker help you automate this work and protect your company from these privacy risks. Schedule a free consent analysis to learn more.