Seen at Epstein Becker Green’s Health Law Advisor:
New York State appears poised to become the fourth state to explicitly regulate consumer health data not covered by the federal Health Insurance Portability and Accountability Act (HIPAA).
In May of 2023, Washington State enacted the My Health My Data Act; in June of 2023, Connecticut amended its Data Privacy Act; and in March of 2024, Nevada passed Senate Bill 370. In many respects, NY HIPA is broader in scope and effect than its three predecessors.
New York’s S929 (Health Information Privacy Act or NY HIPA), sponsored by state Senator Liz Krueger (D), establishes requirements for communications to individuals regarding the disposition of their health information; and requires written consent or a designated necessary purpose for the processing of such health information. NY HIPA addresses vulnerabilities unaddressed by HIPAA because it applies to a broader range of private companies and protects health information at risk of disclosure through the commercialization of health data.
[…]
Like the Connecticut and Nevada consumer data protection laws, NY HIPA has no private right of action. Unlike Washington’s law, NY HIPA does not contain numerical thresholds for what constitutes a small business. If enacted, New York’s law would be broader than the Washington law in that it would apply to all entities that process health information. The law would regulate for profit and non-for-profit, small businesses, and non-New York-based companies that collect health data pertaining to a New York-based resident.
Unsurprisingly, NY HIPA has been criticized as overbroad.
Read more at Health Law Advisor.
