New York on Brink of Far-Reaching New Health Data Privacy Law: Our Takeaways
On January 22, 2025, the New York Assembly passed Senate Bill S929, also known as the New York Health Information Privacy Act (NYHIPA). The bill now awaits the signature of Governor Kathy Hochul. This expansive new legislation would make New York the fourth state, after Washington, Nevada and Connecticut, to impose targeted and comprehensive regulations on consumer health-related information that is not otherwise protected by HIPAA. As with those laws, NYHIPA is notable for its expansive definition of regulated health information (RHI) and its imposition of strict consent requirements on certain uses of such data and on sharing it with third parties.
Here are some highlights:
1. The bill broadly defines RHI.
NYHIPA broadly defines RHI to include “any information reasonably linkable to an individual or device and is collected and processed in connection with the physical or mental health of an individual.” The definition includes not only information traditionally associated with health and medical conditions and treatment, but also location and payment information that relates to physical or mental health, and, importantly, any inferences drawn or derived about an individual’s health.
As with similar laws in Washington, Nevada and Connecticut, the covered information potentially extends to behavioral data that indicates that an individual is seeking health services, such as some internet browsing information. Such broad application may impact covered entities’ advertising and marketing activities, even when those activities are not directly based upon information that is generally considered to be health data.
2. The bill would apply to organizations of all sizes, both in and out of New York.
In keeping with similar health data privacy laws, NYHIPA does not contain any revenue or volume thresholds. This means that, barring any applicable exemptions, the law regulates any entity that (i) controls the processing of RHI of any New York resident or of any individual that is physically present in New York, while that individual is in New York, or (ii) is located in New York and controls the processing of RHI.
Although NYHIPA contains familiar exemptions for HIPAA-covered entities and protected health information governed by HIPAA, the law does not exempt nonprofits, any information regulated by the Gramm-Leach-Bliley Act, or public data.
3. The bill contains strict authorization requirements.
Regulated entities would be required to obtain authorization for the use or sharing of any RHI that is not “strictly necessary” to provide services requested by the user. Strictly necessary processing includes providing a requested product or service, protecting against malicious, fraudulent or illegal activity, and conducting internal business operations. The bill makes clear that “activities related to marketing, advertising, research and development, or providing products or services to third parties” are not strictly necessary, and thus would appear to require specific authorization by the consumer. This exclusion would have major ramifications for digital health companies and other entities engaged in marketing and advertising involving consumers who may be interested in health-related services, and would introduce restrictions on consumer health data that are not currently present in any U.S. state and are much more limiting than what HIPAA imposes on covered entities.
The expansive restrictions on processing RHI may be interpreted to extend to any sharing of RHI with a third party that is not strictly necessary or otherwise permitted by the bill’s relatively narrow exceptions for processing RHI without express authorization. In any event, the bill appears to include a blanket prohibition on “sales” of RHI to third parties, defined as any sharing of RHI for monetary or other valuable consideration.
Obtaining valid authorization would require regulated entities to provide extensive disclosures and collect the user’s signature. In a step not seen in any similar law, NYHIPA prohibits regulated entities from obtaining authorization within the first 24 hours after a user creates an account. This seemingly imposes an additional step for entities that may already be obtaining necessary consents and authorizations during the sign-up process.
Covered entities must provide individuals the ability to revoke authorization for specific processing activities at any time, upon which all processing of the individual’s data for that purpose must “immediately cease.” In addition to providing the right to revoke authorization, NYHIPA also provides individuals rights to access and delete RHI.
4. Specific notice is required in many circumstances.
If a regulated entity processes RHI for any purpose that was not specifically authorized, it must provide a privacy notice that discloses the specific purposes for collecting the data, the names or categories of third parties and service providers that may receive the data, and how the individual may exercise their privacy rights. If the regulated entity materially alters such activities, it must provide a clear and conspicuous notice of those changes.
5. The bill provides for attorney general enforcement and potentially steep penalties.
The Office of the New York State Attorney General may bring enforcement actions under NYHIPA. Covered businesses face potentially high civil penalties for noncompliance, including fines of up to $15,000 per violation, or 20 percent of the revenue the business obtained from the New York consumers within the past fiscal year, whichever is greater.
Recommended Next Steps
The legislation, which is slated to take effect one year after being signed, would put New York on the growing list of states implementing comprehensive privacy legislation specific to consumer health data. Among other impacts, the proposed strict prohibitions on sharing with third parties should be closely evaluated by digital health companies and other regulated entities engaged in first- or third-party marketing and advertising. Businesses across states and industries should work with legal counsel to assess whether they maintain or collect, directly or indirectly, any personal data that may be reasonably linked to health. A similar analysis is recommended in connection with other health privacy laws in Washington, Nevada and Connecticut, which took effect last year.
We will continue to provide updates and guidance on these and other consumer privacy laws as they develop.