On January 21, 2025, the New York state legislature passed Senate Bill S-929, a health privacy law that expands protections beyond those offered by federal HIPAA regulations. As this legislation awaits Governor Kathy Hochul's signature, organizations that handle health-related data should begin preparing for compliance with what may be one of the nation's most stringent health privacy frameworks.
As the TechTarget article "New York legislature passes health data privacy law" notes, "Much like Washington State's My Health, My Data Act, New York's legislation aims to give consumers additional rights related to the sale of their health information."
A new paradigm for health data protection
What makes New York's approach particularly noteworthy is its broad scope and applicability. Unlike many existing privacy laws that focus narrowly on specific types of entities or data categories, S-929 casts a wide net designed to capture the many ways health information is collected, processed, and monetized.
However, this broad approach has drawn criticism from the business community. The Business Council in New York argues that "the definitions for 'regulated health information' and 'regulated entities' deviate from this intent. Additionally, the bill covers non-health information if health 'might be inferred' and greatly exceeds personal health information protected by HIPAA."
Who must comply?
The legislation introduces the concept of "regulated entities," which includes any organization that:
- Is located in New York and controls the processing of regulated health information, OR
- Controls the processing of regulated health information belonging to New York residents or individuals physically present in New York
The TechTarget article explains that "The provisions of the bill apply to any entities that process regulated health information pertaining to New York residents as well as New York-based entities that control the processing of regulated health information."
Importantly, the law does not establish minimum thresholds based on revenue or data processing volume. This means that companies of all sizes—from startups to multinational corporations—will need to comply if they handle health data related to New Yorkers.
As noted by the National Law Review, the bill "applies to 'individuals,' not solely 'consumers': The bill does not limit its application only to consumers acting in their individual or household context (and not in a professional or employment context). Instead, it applies to all 'individuals' (which term is not defined)."
Critics point out definitional challenges, with the Business Council noting that "key definitions within the proposed law are vague at best and fail to clearly delineate roles, specifically 'regulated entity,' 'third-party,' and 'service provider.'"
What data is protected?
The bill defines "regulated health information" broadly as "any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual." This includes:
- Traditional health data
- Location information related to health
- Payment information for health services
- Inferences drawn about an individual's physical or mental health
This definition captures many data types that fall outside HIPAA's protected health information (PHI) framework, addressing a gap in current federal regulations. Notably, as clarified in the National Law Review, "de-identified data (that meets the bill's requirements) is exempt from the law's application."
Requirements and restrictions
Limited processing grounds
Under S-929, regulated entities can only process health information under two circumstances:
- With valid authorization from the individual, OR
- When processing is "strictly necessary" for specific enumerated purposes
The TechTarget article clarifies that "It would be unlawful for a regulated entity to sell an individual's health information to a third party or otherwise process the information unless there is valid authorization or the processing is strictly necessary to provide the company's products or services as requested."
This "strictly necessary" standard represents a higher bar than the "reasonable" or "legitimate interest" standards found in many privacy frameworks. Permissible purposes include:
- Providing a requested product or service
- Conducting internal business operations
- Protecting against illegal activity
- Detecting and responding to security incidents
- Protecting vital interests of individuals
- Addressing legal claims
- Complying with legal obligations
The "valid authorization" standard
For consent to be considered valid under the law, regulated entities must satisfy 11 distinct conditions, including:
- Waiting at least 24 hours after an individual creates an account or first uses services before requesting authorization
- Enabling granular consent options that allow individuals to authorize certain processing activities while declining others
- Providing an easily accessible list of all authorized processing activities within account settings
- Allowing one-click revocation of authorization
- Disclosing third parties who may receive the data
However, the Business Council argues that "the authorization requirements are operationally impossible for healthcare providers and will create a delay in services for all platforms, detrimentally impacting a consumer's ability to receive, and an entity's ability to provide, services." They specifically highlight concerns about the 24-hour waiting period: "A consumer/patient should not be told they have to wait 24-hours before being able to access telehealth mental health counseling services, but that will be the result under this legislation."
According to the National Law Review, "a regulated entity must disclose the names 'where readily available' or categories of both service providers and third parties to whom information may be disclosed and the purposes for such disclosure, including the circumstances under which the entity may disclose such data to law enforcement (particularly relevant with respect to reproductive health data post-Dobbs)."
Additional requirements include:
- Revealing whether the entity receives monetary or other valuable consideration for processing the individual's health information
- Prohibiting quality of service penalties for individuals who decline to provide authorization
- Requiring renewal of authorization annually
As noted by the National Law Review, "a regulated entity must publish on its website a sample authorization form."
These requirements go far beyond the typical "check the box" consent mechanisms prevalent in today's digital authorization practices, forcing organizations to implement meaningful consent processes.
Prohibition on sales
S-929 directly addresses the growing market for health data by prohibiting the sale of regulated health information without explicit authorization. The TechTarget article reports that "The law would make it illegal for these entities to sell an individual's regulated health information without explicit consent." The definition of "sale" is intentionally broad, covering exchanges for "monetary or other valuable consideration," thereby closing loopholes that exist in other privacy frameworks.
Individual rights and communications
The legislation grants individuals the right to access and delete their regulated health information. It also imposes strict requirements on how entities communicate with individuals about their data:
- Communications must use plain, straightforward language
- Technical and legal jargon should be avoided
- Interfaces must be ones that individuals regularly use
- Information must be accessible to individuals with disabilities
- Communications must be available in languages provided on the entity's websites and services
The TechTarget article notes that "All communications from entities covered by this law must provide straightforward communications and an efficient mechanism through which individuals can revoke authorization at any time."
These requirements aim to ensure that individuals can understand how their health data is being used and make informed decisions.
Security and data retention requirements
S-929 requires regulated entities to implement "reasonable administrative, technical and physical safeguards" to protect regulated health information—a standard similar to HIPAA but applicable to a much broader range of entities.
The law's data retention provisions are particularly strict, mandating that regulated entities securely dispose of regulated health information within 60 days after it is no longer necessary for a permissible purpose or authorized use. Additionally, entities must publish a data retention schedule detailing these requirements.
This approach directly addresses the problem of indefinite data retention that plagues many digital services today, where health-related information might be stored for years after its original purpose has been served.
Enforcement and penalties
The New York Attorney General will have authority to enforce S-929, with the power to seek:
- Injunctive relief
- Restitution
- Disgorgement
- Civil fines up to the greater of $15,000 per violation or 20% of the revenue obtained from New York consumers in the past fiscal year
- Other appropriate remedies
TechTarget explains the enforcement structure: "There would be no private right of action under the New York Health Information Privacy Act, meaning individuals would not be able to take legal action against covered entities for violating this law. However, the New York attorney general will be able to enforce the law through strict penalties, such as a $15,000 civil monetary penalty per violation, or 20% of the revenue obtained from New York consumers in the last fiscal year, whichever is greater."
The Business Council has expressed concern about these enforcement provisions, stating that "the vague, inconsistent definitions and standards of this bill, coupled with these aggressive enforcement provisions, will make providing health-related services to New York consumers more expensive than any other state."
Exemptions and implementation timeline
The law provides targeted exemptions for HIPAA-covered entities (with respect to protected health information) and clinical trial data subject to the Common Rule. This prevents duplicative regulation while ensuring that gaps in existing frameworks are addressed.
However, the Business Council argues that "this legislation imposes obligations and requirements that surpass and are inconsistent with HIPAA. In exceeding standards set out by HIPAA, the bill intentionally prohibits marketing activities that are allowed under HIPAA."
If signed by Governor Hochul, the law will take effect one year after enactment, giving organizations time to implement necessary changes. The TechTarget article confirms that "The New York Health Information Privacy Act will take effect one year after the governor signs it into law." However, the bill authorizes the creation of implementing regulations immediately following its passage, which means clarifying guidance may be available sooner.
Why this law matters
New York's health privacy law represents a change in how we think about health data protection in several ways:
Beyond traditional healthcare
In the post-pandemic digital health landscape, health data is no longer confined to medical records or clinical settings. Health apps, wearables, search queries, location tracking, and countless other digital services collect and process health-related information that falls outside HIPAA's purview. S-929 recognizes this reality by protecting health information regardless of who collects it.
Addressing the data broker problem
A thriving market exists for health-adjacent data, with data brokers aggregating and selling information that can reveal sensitive details about individuals' health conditions, behaviors, and concerns. By prohibiting sales without explicit authorization, S-929 directly challenges this business model.
Inferences and derived data
The law's inclusion of "inference drawn or derived about an individual's physical or mental health" as regulated health information acknowledges that advanced analytics can create sensitive health profiles even from seemingly innocuous data points. This forward-looking approach addresses privacy risks posed by artificial intelligence and machine learning.
Meaningful control
By establishing stringent requirements for valid authorization and prohibiting quality of service penalties, S-929 aims to provide individuals with genuine control over their health information—not merely theoretical rights that are impractical to exercise. This is particularly relevant with respect to reproductive health data post-Dobbs, where the disclosure of health information to law enforcement has taken on new significance.
Preparing for compliance
Organizations that may be subject to S-929 should begin preparing now, even as the bill awaits the governor's signature. Steps include:
- Data mapping: Identify all health-related information collected, processed, or stored about New York residents
- Review processing activities: Determine which processing activities rely on consent versus "strictly necessary" purposes
- Update consent mechanisms: Begin designing consent flows that meet the 11 criteria for valid authorization
- Develop retention policies: Create and document retention periods for different categories of health information
- Implement security measures: Review and enhance security safeguards for regulated health information
- Train staff: Educate employees about the new requirements and their implications
FAQs
How will S-929 impact telehealth platforms operating outside of New York?
Telehealth platforms outside New York must comply if they handle data from New York residents or individuals physically present in the state.
Does the law apply to nonprofit organizations or small businesses?
Yes, the law applies to all entities regardless of size or nonprofit status if they process regulated health information tied to New York.
Are employers covered under this law when processing employee health data?
Yes, the law applies broadly to all individuals, not just consumers, and could include employee-related health data.
Will mobile apps that track fitness or menstruation be affected?
Yes, health and wellness apps are subject to the law if they collect data tied to an individual's health and serve New Yorkers.
Does the law affect how schools or universities handle student health data?
Educational institutions processing student health data may fall under the law's scope if the data relates to physical or mental health.