Security and data retention under New York's S-929

The passage of New York's Senate Bill S-929 marks a milestone in health data protection, particularly in its approach to security safeguards and data retention requirements. As organizations prepare for the potential implementation of this law following Governor Hochul's review, understanding how these provisions compare to the established HIPAA framework is essential for developing compliant data governance strategies. 

While many acknowledge the importance of protecting health data, the Business Council has expressed concerns, noting: "We support the underlying intent of this legislation and support the passage of reasonable consumer health data privacy laws that protect consumers in meaningful ways, but we firmly believe it must be done in a way that does not disrupt a business's or provider's ability to improve consumer access to services and products."


Security requirements

HIPAA's security rule framework

The HIPAA Security Rule has served as the cornerstone of health data protection in the United States. It requires covered entities and business associates to:

  • Implement administrative, physical, and technical safeguards to protect electronic protected health information (ePHI)
  • Conduct risk analyses and implement risk management programs
  • Appoint security officers and develop security policies
  • Train workforce on security procedures
  • Conduct periodic technical and non-technical evaluations

These requirements apply specifically to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates, with a focus on protected health information (PHI).


S-929's expanded security mandate

New York's approach employs language similar to HIPAA's but expands its scope. S-929 requires regulated entities to "implement reasonable administrative, technical and physical safeguards to protect regulated health information."

As noted in the TechTarget article "New York legislature passes health data privacy law": "Regulated entities also must maintain technical, administrative and physical safeguards to protect consumer information."

The key differences include:

1. Broader applicability

While HIPAA's Security Rule applies only to covered entities and business associates, S-929 applies to any entity that:

  • Is located in New York and controls the processing of regulated health information, OR
  • Controls the processing of regulated health information of New York residents or individuals physically present in New York

The TechTarget article confirms this broader scope: "The provisions of the bill apply to any entities that process regulated health information pertaining to New York residents as well as New York-based entities that control the processing of regulated health information."

Technology companies, app developers, data brokers, and other non-traditional health information handlers must implement security safeguards comparable to those required in traditional healthcare settings.

The Business Council has raised concerns about this broad jurisdictional reach, stating: "By regulating the data of another state's consumers, the bill is subjecting entities to conflicting state laws and regulations."


2. Expanded definition of protected information

HIPAA protects individually identifiable health information created or received by covered entities. S-929, however, protects "regulated health information," defined as: "Any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual."

This includes not only traditional health data but also:

  • Location information related to health
  • Payment information for health services
  • Inferences about physical or mental health derived from other data

This broader definition means security safeguards must protect categories of health-adjacent data that HIPAA doesn't address.

Critics have pointed out that "The bill covers non-health information if health 'might be inferred' and greatly exceeds personal health information protected by HIPAA." This expanded scope creates compliance challenges for businesses.


Data retention

One of the differences between HIPAA and S-929 lies in their approaches to data retention:

HIPAA's limited retention requirements

HIPAA does not specify maximum retention periods for PHI. While the HIPAA Privacy Rule requires covered entities to retain certain documentation (such as policies, procedures, and communications) for six years, it doesn't mandate the deletion of PHI after specific timeframes.

In fact, HIPAA regulations must be balanced against other record-keeping requirements:

  • State laws often require medical records to be kept for periods ranging from 5 to 10 years or more
  • Medicare requires providers to keep records for at least 5 years
  • Other federal regulations may impose additional retention obligations

This has led to healthcare organizations typically retaining medical records for extended periods, sometimes indefinitely, creating potential privacy and security risks as data accumulates.

S-929's retention limits

In contrast, S-929 establishes explicit and relatively short retention periods:

  • Regulated entities must securely dispose of regulated health information no later than 60 days after it is no longer necessary for:
    • A permissible purpose under the law, OR
    • A purpose for which an individual provided valid authorization
  • Regulated entities must publish a data retention schedule detailing these requirements

This 60-day limit represents a shift in health data governance, challenging the common practice of indefinite retention. It imposes a "privacy by default" approach that presumes data should be deleted unless there's a specific reason to keep it.

The Business Council argues that "This legislation misaligns New York with practices adopted by other states, conflicts with HIPAA, the FTC and other laws, and will confuse consumers from understanding how to protect their sensitive health information."


Implications of these differences

The contrasting approaches to security and data retention between HIPAA and S-929 have implications for data governance and privacy protection.

1. Operationalizing the 60-day deletion requirement

The 60-day disposal requirement in S-929 presents operational challenges:

  • Determining necessity: Organizations must develop clear criteria for when data is "no longer necessary" for permissible purposes
  • Data mapping: Companies need data maps showing where all regulated health information resides, including backups and archives
  • Technical implementation: Systems must support targeted deletion without disrupting other operations
  • Documentation: Organizations must maintain records proving timely deletion to demonstrate compliance

For organizations accustomed to HIPAA's more flexible retention approach, this represents a shift in data lifecycle management.

2. Expanded security program scope

Organizations already compliant with HIPAA will need to:

  • Expand security risk assessments to include all regulated health information under S-929, not just PHI
  • Implement security controls for systems and processes that may previously have fallen outside HIPAA's scope
  • Train staff across a broader range of operations on security requirements
  • Consider security implications for new categories of health-adjacent data

Non-HIPAA entities entering the regulatory landscape for the first time face even greater challenges in building security programs from the ground up.

3. Documentation and transparency requirements

S-929's requirement to publish data retention schedules introduces transparency obligations not present in HIPAA. This means:

  • Organizations must clearly document and communicate retention periods
  • Retention practices become visible to consumers and regulators
  • Retention decisions may face greater scrutiny

This transparency requirement aligns with modern privacy principles emphasizing individual awareness and control over personal data.

The Business Council has raised concerns about such requirements: "This contradicts the bill's intent to provide consumers with sufficient notice of a regulated entity's data practices at the time they sign up for, or first use, a product or service."

4. Balancing competing requirements

Organizations subject to both HIPAA and S-929 will need to navigate potentially conflicting obligations:

  • When HIPAA or other regulations require longer retention than S-929's 60-day limit
  • When different security frameworks impose varied control requirements
  • When documentation standards differ across regulations


Security and data retention best practices under S-929

Organizations preparing for S-929 compliance should consider the following best practices that go beyond basic HIPAA compliance:

Security enhancements

  • Expanded risk assessment: Conduct a risk assessment encompassing all regulated health information, regardless of whether it qualifies as PHI under HIPAA
  • Data classification: Implement classification schemes that identify regulated health information under S-929's broader definition
  • Security by design: Integrate security requirements into development processes for products and services that may handle health-adjacent information
  • Access controls: Implement access controls based on the principle of least privilege for all systems handling regulated health information
  • Encryption: Apply encryption both in transit and at rest for all regulated health information, not just ePHI

Data retention strategies

  • Purpose specification: Clearly document the specific purpose for collecting each category of regulated health information
  • Retention triggers: Define explicit events that start the 60-day deletion countdown
  • Automated deletion: Implement technical solutions that can automatically identify and securely dispose of data that has exceeded its retention period
  • Deletion verification: Create processes to verify that data has been completely removed from all systems, including backups and archives
  • Exception handling: Develop procedures for handling data subject to conflicting retention requirements from other regulations


Strategic implications for different sectors

The security and data retention requirements in S-929 will impact different sectors in varied ways:

Healthcare organizations

Traditional healthcare entities already compliant with HIPAA will need to:

  • Expand security programs beyond PHI to all regulated health information
  • Implement more aggressive data deletion practices than typically used under HIPAA
  • Balance S-929's 60-day deletion requirement against medical record retention laws
  • Apply security controls to health-adjacent data previously considered outside regulatory scope

Technology companies

Tech companies collecting health-adjacent data will face new obligations:

  • Implementing healthcare-grade security for consumer applications
  • Developing data minimization strategies for products that previously retained data indefinitely
  • Training staff on health data privacy who may have no prior experience in this domain
  • Rethinking business models that rely on long-term retention of health-adjacent data

The Business Council has raised specific concerns about the impact on healthcare services: "A consumer/patient should not be told they have to wait 24 hours before being able to access telehealth mental health counseling services, but that will be the result under this legislation."


Data brokers

Perhaps most impacted, data brokers dealing in health-adjacent information will need to:

  • Restructure business practices around data collection and retention
  • Implement granular consent mechanisms that may undermine existing data aggregation models
  • Apply security controls to diverse datasets
  • Document specific purposes for each data element to justify retention

The Business Council notes, "Under this bill, there will be no way for a regulated entity to make consumers (or patients) aware of their services, like mental health counseling, even when consistent with HIPAA." This could impact how companies communicate with potential patients about available services.


FAQs

Does S-929 include enforcement mechanisms or penalties for non-compliance?

Yes, the bill allows for enforcement by the New York Attorney General, including civil penalties and injunctive relief.


How does S-929 interact with federal regulations like the FTC Act?

Entities must navigate overlapping obligations, as S-929’s requirements may impose stricter standards than federal consumer protection laws.


Will individuals have the right to request deletion of their health data under S-929?

Yes, S-929 gives individuals the right to request deletion of their regulated health information.


Are small businesses exempt from S-929’s requirements?

No, the law applies broadly regardless of business size if regulated health information is processed.


How will S-929 impact mobile health and wellness apps?

These apps may be newly classified as regulated entities and must adopt healthcare-grade privacy and security safeguards.
