The passage of New York's Senate Bill S-929 marks a milestone in health data protection, particularly in its approach to security safeguards and data retention requirements. As organizations prepare for the potential implementation of this law following Governor Hochul's review, understanding how these provisions compare to the established HIPAA framework is essential for developing compliant data governance strategies.
While many acknowledge the importance of protecting health data, the Business Council has expressed concerns, noting: "We support the underlying intent of this legislation and support the passage of reasonable consumer health data privacy laws that protect consumers in meaningful ways, but we firmly believe it must be done in a way that does not disrupt a business's or provider's ability to improve consumer access to services and products."
The HIPAA Security Rule has served as the cornerstone of health data protection in the United States. It requires covered entities and business associates to:
These requirements apply specifically to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates, with a focus on protected health information (PHI).
New York's approach employs language similar to HIPAA's but expands its scope. S-929 requires regulated entities to "implement reasonable administrative, technical and physical safeguards to protect regulated health information."
As noted in the TechTarget article "New York legislature passes health data privacy law," "Regulated entities also must maintain technical, administrative and physical safeguards to protect consumer information."
The key differences include:
While HIPAA's Security Rule applies only to covered entities and business associates, S-929 applies to any entity that:
The TechTarget article confirms this broader scope: "The provisions of the bill apply to any entities that process regulated health information pertaining to New York residents as well as New York-based entities that control the processing of regulated health information."
Technology companies, app developers, data brokers, and other non-traditional health information handlers must implement security safeguards comparable to those required in traditional healthcare settings.
The Business Council has raised concerns about this broad jurisdictional reach, stating: "By regulating the data of another state's consumers, the bill is subjecting entities to conflicting state laws and regulations."
HIPAA protects individually identifiable health information created or received by covered entities. S-929, however, protects "regulated health information," defined as: "Any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual."
This includes not only traditional health data but also:
This broader definition means security safeguards must protect categories of health-adjacent data that HIPAA doesn't address.
Critics have pointed out that "The bill covers non-health information if health 'might be inferred' and greatly exceeds personal health information protected by HIPAA." This expanded scope creates compliance challenges for businesses.
One of the differences between HIPAA and S-929 lies in their approaches to data retention:
HIPAA does not specify maximum retention periods for PHI. While the HIPAA Privacy Rule requires covered entities to retain certain documentation (such as policies, procedures, and communications) for six years, it doesn't mandate the deletion of PHI after specific timeframes.
In fact, HIPAA regulations must be balanced against other record-keeping requirements:
This has led to healthcare organizations typically retaining medical records for extended periods, sometimes indefinitely, creating potential privacy and security risks as data accumulates.
In contrast, S-929 establishes explicit and relatively short retention periods:
This 60-day limit represents a shift in health data governance, challenging the common practice of indefinite retention. It imposes a "privacy by default" approach that presumes data should be deleted unless there's a specific reason to keep it.
The Business Council argues that "This legislation misaligns New York with practices adopted by other states, conflicts with HIPAA, the FTC and other laws, and will confuse consumers from understanding how to protect their sensitive health information."
The contrasting approaches to security and data retention between HIPAA and S-929 have implications for data governance and privacy protection.
The 60-day disposal requirement in S-929 presents operational challenges:
For organizations accustomed to HIPAA's more flexible retention approach, this represents a shift in data lifecycle management.
Organizations already compliant with HIPAA will need to:
Non-HIPAA entities entering the regulatory landscape for the first time face even greater challenges in building security programs from the ground up.
S-929's requirement to publish data retention schedules introduces transparency obligations not present in HIPAA. This means:
This transparency requirement aligns with modern privacy principles emphasizing individual awareness and control over personal data.
The Business Council has raised concerns about such requirements: "This contradicts the bill's intent to provide consumers with sufficient notice of a regulated entities' data practices at the time they sign up for, or first use, a product or service."
Organizations subject to both HIPAA and S-929 will need to navigate potentially conflicting obligations:
Organizations preparing for S-929 compliance should consider the following best practices that go beyond basic HIPAA compliance:
The security and data retention requirements in S-929 will impact different sectors in varied ways:
Traditional healthcare entities already compliant with HIPAA will need to:
Tech companies collecting health-adjacent data will face new obligations:
The Business Council has raised specific concerns about the impact on healthcare services: "A consumer/patient should not be told they have to wait 24 hours before being able to access telehealth mental health counseling services, but that will be the result under this legislation."
Perhaps most impacted, data brokers dealing in health-adjacent information will need to:
The Business Council notes, "Under this bill, there will be no way for a regulated entity to make consumers (or patients) aware of their services, like mental health counseling, even when consistent with HIPAA." This could impact how companies communicate with potential patients about available services.
Yes, the bill allows for enforcement by the New York Attorney General, including civil penalties and injunctive relief.
Entities must navigate overlapping obligations, as S-929’s requirements may impose stricter standards than federal consumer protection laws.
Yes, S-929 gives individuals the right to request deletion of their regulated health information.
No, the law applies broadly regardless of business size if regulated health information is processed.
These apps may be newly classified as regulated entities and must adopt healthcare-grade privacy and security safeguards.