State Health Privacy Laws Expand Beyond HIPAA: What Healthcare Businesses Need to Know About NYHIPA
New York Joins Growing Wave of State Health Privacy Laws
If you think that patient health data is exclusively regulated by the Health Insurance Portability and Accountability Act (“HIPAA”) – think again. In addition to comprehensive consumer privacy laws (e.g., CCPA), states like Washington, through its My Health My Data Act (MHMDA), are diving headfirst into their own regulations around health information privacy. New York is the latest state to enter the consumer health privacy space by introducing its very own Health Information Privacy Act (NYHIPA), a signal that healthcare entities along with a variety of consumer wellness companies need to take notice.
On January 23, 2025, NYHIPA was approved by NY’s legislature after passing through both the New York Senate and Assembly. From here, NYHIPA will eventually be sent to Governor Hochul’s desk for signature, which means it will become law unless vetoed by Governor Hochul. If signed, NYHIPA would take effect 12 months later.
HIPAA Refresher
HIPAA is a federal law that sets national standards for the protection and handling of protected health information (“PHI”). The law applies primarily to specific “covered entities” – including healthcare providers, health plans, and healthcare clearinghouses – and their “business associates” – meaning, those entities who handle PHI on behalf of covered entities.
HIPAA consists of two rules, the HIPAA Privacy Rule and the HIPAA Security Rule:
Privacy Rule - The Privacy Rule restricts the use and disclosure of PHI without patient consent, except for certain purposes, including treatment, payment, and healthcare operations. The Privacy Rule also provides for certain patient rights, including a right to access and correct health records or to restrict how PHI is used or disclosed.
Security Rule - The Security Rule requires covered entities and their business associates to implement administrative, physical, and technical safeguards to protect PHI from unauthorized access, use, or disclosure.
State health privacy laws apply to entities not covered by HIPAA (i.e., non-covered entities). These laws share some similarities with the Privacy and Security Rules but often diverge in their level of restrictiveness.
What is NYHIPA?
Regulated health information (“RHI”) refers to any data that can be reasonably linked to an individual or their device and is collected or processed in relation to that individual’s physical or mental health. Even inferences about a person’s health, derived from other data, are considered RHI if they are reasonably linkable to an individual or their device. However, it is important to note that de-identified information, which cannot be linked to a specific person, is not considered RHI.
NYHIPA exempts four types of data from the definition of RHI: data processed by government entities; protected health information (PHI) already governed by HIPAA and the HITECH Act; information managed by HIPAA-covered entities; and data collected for clinical trials, subject to federal protections.
Regulated entities include organizations that meet at least one of the following criteria:
Entities that control the processing of RHI of an individual who is a New York Resident;
Entities that control the processing of RHI of an individual who is physically present in New York while that individual is in New York; or
Entities that are located in New York and control the processing of RHI.
What Are the Requirements?
Under NYHIPA, regulated entities must obtain valid authorization before processing or selling an individual’s RHI, unless strictly necessary (e.g., providing or maintaining a requested product/service or conducting internal business operations). Importantly, marketing, advertising, and research and development activities are excluded from internal business operations under the Act.
Key authorization requirements include:
Authorization must be requested *at least* 24 hours after initial account creation or first product/service use;
Individuals must be able to authorize or decline specific types of processing; previously declined activities may not be re-requested;
Authorizations must clearly describe the types of RHI processed, purposes, third-party sharing, compensation, expiration date, and revocation process;
Consumers must be informed of how to access or delete their RHI.
How Does NYHIPA Compare to Washington State’s MHMDA?
A likely blueprint for NYHIPA is Washington’s My Health My Data Act (“MHMDA”). Signed into law on April 27, 2023, the MHMDA was the first health data privacy law to expand privacy protections to personal health data that falls outside of HIPAA’s protections.
Regulated entities may not collect or share consumer health data without proper consent from the consumer or to the extent necessary to provide a product or service requested by the consumer. Consent for collecting or sharing the data must be obtained prior to the collection or sharing of consumer health data, and the request must clearly disclose:
The categories of consumer health data collected or shared;
The purpose of collection or sharing;
The categories of third parties with whom the consumer health data is shared;
How the consumer can withdraw consent from future collection or sharing.
Regulated entities must also obtain a separate “valid authorization” from a consumer if they sell or offer to sell their health data. The valid authorization must include the following:
The specific consumer health data intended to be sold;
The name and contact information of the sellers and purchasers;
A statement that the consumer may revoke the valid authorization at any time; and
A statement that the data sold may be subject to disclosure.
Key Takeaways
Even if your organization is not subject to HIPAA, with the rise of state-level data privacy laws, such as the MHMDA and pending NYHIPA, you may soon face HIPAA-like privacy and security requirements. These laws apply broadly, even to businesses outside of the healthcare industry, and extend consumer privacy protections to PHI, which is traditionally exempt from many consumer privacy laws.
If NYHIPA is enacted, consumer wellness companies that are considered regulated entities under the Act should begin preparing to ensure compliance. If you are not sure whether you are a regulated entity, or you need assistance gearing up to get in compliance, our team can help.