On January 22, the New York state legislature passed the New York Health Information Privacy Act (S929 / A2141) (“NYHIP”). If signed into law, NYHIP would join Washington and Nevada in a growing trend of states regulating consumer health information. Though NYHIP contains many similarities with laws in Washington and Nevada, there are a few unique provisions, as discussed below. Among them, NYHIP applies to “Regulated Health Information” or “RHI” that is defined as “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual.” Unlike the health privacy laws in Washington and Nevada, NYHIP does not provide an inclusive list of health data.
NYHIP would require regulated entities to obtain a “valid authorization” prior to processing RHI unless such processing is “strictly necessary” for certain enumerated purposes, including providing a product or service requested by the individual or certain limited internal business operations. NYHIP does not clarify what it means for a processing activity to be considered “strictly necessary.”
Where such an authorization is required, a valid authorization must, among other requirements:
- Be made at least twenty-four (24) hours after an individual creates an account or first uses the requested product or service; and
- If multiple categories of processing are involved, provide an ability to “provide/withhold” authorization for each category separately.
The Governor is still awaiting the bill’s delivery to her desk. Once received by the Governor, she has 10 days to sign the bill, veto the bill, or sign the bill with “chapter amendments” (i.e., additional agreed-to changes that the bill sponsors commit to incorporating). The Governor’s failure to sign or veto the bill within the 10-day period means that it automatically becomes law.
Some other notable provisions of NYHIP include the following:
- Scope & Exemptions: NYHIP applies to “regulated entities” that (1) control the processing of RHI of state residents, (2) is located in New York and controls the processing of RHI, and (3) control the processing of RHI of an individual who is physically present in New York while that individual is in New York. This last clause is unique to NYHIP and could capture tourists visiting the state. NYHIP does not contain exemptions typically seen in other state privacy laws, such as exemptions for employee data, GLBA-regulated data, public data, or activities carried out for public health activities. NYHIP does, however, exempt HIPAA-covered data and information collected as part of a “clinical trial” conducted pursuant to human subject research frameworks.
- Retention Schedule: NYHIP requires regulated entities to maintain a publicly available retention schedule and dispose of an individual’s PHI pursuant to such schedule within a reasonable time once “it is no longer necessary to maintain” for the purposes for which it was collected.
- Service Provider Contract: NYHIP provides a prescriptive list of what must be included within a contract between the service provider and the regulated entity. Specifically, NYHIP details that such agreement must, among other requirements, (1) impose a duty of confidentiality, (2) prohibit the service provider from combining RHI it receives with personal information it has from other individuals, and (3) require the service provider to cooperate with “reasonable assessments” by the regulated entity for purposes of evaluating compliance.
- Enforcement: NYHIP provides for enforcement by the state Attorney General, where they can seek civil penalties of up to $15,000 per violation or 20% of revenue obtained from NY consumers in the past year (whichever is greater). The AG also has authority to promulgate rules and regulations to effectuate the law. There is no express private right of action.