Paubox blog

New York Governor blocks expanded health privacy law

Written by Mara Ellis | January 3, 2026

In December 2025, New York Governor Kathy Hochul vetoed the New York Health Information Privacy Act (NY HIPA), a proposed law designed to give consumers broader privacy protections for health data not covered by HIPAA.

 

What happened 

The bill had aimed to expand privacy rights in ways that went beyond traditional healthcare settings, including applying to employee health information, financial institutions governed by the Gramm-Leach-Bliley Act, and even data that had been de-identified under HIPAA. 

It would also have required organizations to maintain a publicly available data retention schedule and dispose of health information according to that schedule. NY HIPA had drawn intense lobbying from both supporters, who wanted stronger consumer protections, and opponents, who warned the law’s broad scope would create uncertainty and compliance challenges. 

Governor Hochul’s veto memo cited the law’s breadth and the potential for confusion over which information would be regulated as key reasons for rejecting it. While the legislation technically could still become law if two-thirds of both legislative houses voted to override the veto, historical trends make such overrides highly unlikely. 

 

Why it matters 

The veto of NY HIPA matters because it prevents a major expansion of state-level health privacy protections that would have applied to data beyond traditional HIPAA coverage. 

If the law had passed, healthcare organizations, and even non-healthcare entities like employers and financial institutions, would have faced stricter rules on how they collect, store, and share sensitive health information. The veto means that, for now, these organizations do not have to implement the new consent procedures, public retention schedules, or deletion requirements that NY HIPA would have required.

 

What was said 

In a press release, Senator Liz Krueger and Assemblymember Linda Rosenthal stated, “This bill passed the Legislature almost a year ago, leaving plenty of time for good-faith negotiations on chapter amendments. Unfortunately, despite our repeated requests for engagement, that time was not used until the very last weeks of the year. Now, instead of empowering New Yorkers by giving them control over how their health data is used, the Governor has chosen to allow these companies to keep monetizing our most intimate information to boost their profits.”

 

The big picture 

Similar to NY HIPA, Virginia’s SB 754, signed by Governor Glenn Youngkin in January 2025, created targeted protections for reproductive and sexual health information. The law bars unauthorized disclosure or sale of such data and allows individuals to sue for violations. 

In California, AB 1851 and SB 81, passed in 2025, focused on limiting geofencing near sensitive health facilities and protecting medical information used in immigration matters. Both laws emphasize opt-in consent and restrict law enforcement access without creating a comprehensive health privacy framework.

Washington’s My Health My Data Act (effective March 2024) and Nevada’s SB 370 similarly require consent before collecting or sharing non-HIPAA health data from wearables or online sources. However, enforcement stalled in 2025 amid lawsuits over third-party software development kits, leaving these laws in a state of uncertainty. 

Connecticut’s SB 3 expanded protections for telehealth and mental health data, Maryland’s SB 786 regulated electronic health record sharing, and Texas HB 300 addressed biometric data. These incremental updates avoided the sweeping broker restrictions that made NY HIPA controversial and contributed to its veto.


 

FAQs

How do state health privacy laws differ from federal HIPAA?

State health privacy laws can impose stricter protections than federal HIPAA, covering data types or entities HIPAA does not.

 

Can states weaken HIPAA requirements?

Federal HIPAA sets a baseline standard, meaning states can expand protections but cannot weaken HIPAA’s requirements.

 

What happens when state and federal health laws conflict?

Conflicts between state and federal health laws often create compliance uncertainty for healthcare and non-healthcare organizations.