New York Health Data Privacy Act Passes

In January 2025, the New York Legislature passed the New York Health Data Privacy Act (NYHDPA). Pending the Governor’s signature, the law will create restrictions for companies that sell and collect health data and provide consumers with additional rights regarding their health information.

The law applies to “regulated entities,” which are defined as entities that:

  • Control the processing of regulated health information of an individual who is a New York resident.
  • Control the processing of regulated health information of an individual who is physically present in New York.
  • Are located in New York and control the processing of regulated health information.

A regulated entity may also be a service provider depending upon the context in which regulated health information is processed.

The NYHDPA defines “regulated health information” as “any information that is reasonably linkable to an individual or a device and is collected or processed in connection with the physical or mental health of an individual.” The definition also covers location or payment information that relates to an individual’s physical or mental health, and any inference drawn or derived about an individual’s physical or mental health that is reasonably linkable to an individual or a device.

What the New York Health Data Privacy Act Means for Businesses

The law has the following restrictions and requirements for regulated entities:

  • All notices, disclosures, and other forms of communication must use straightforward language and be provided through a channel individuals regularly use. Notices must disclose the types of data being processed and the purpose of the processing.
  • Selling an individual’s regulated health information is not allowed without authorization.
  • Processing health information is not allowed unless authorized by the individual or unless it is necessary to provide the requested service or product.
  • A request for data processing authorization must be made separately from a transaction and made at least 24 hours after the individual creates an account or requests services.
  • Authorizations must include the types of information processed, the purpose for processing, and names of any third parties the entity may share the data with.
  • Regulated entities must provide an easy-to-use mechanism to revoke authorization.
  • Regulated entities must obtain new authorization if the processing activities are altered.
  • Regulated entities must develop and maintain safeguards to protect health information.
  • Regulated entities must securely dispose of health information no later than sixty days after it is no longer needed to serve its intended purpose.

Individual Rights

The law provides individuals with the following rights:

  • The ability to access their health information within 30 days of request.
  • The ability to have their data deleted within 30 days of request.

Enforcement

The New York Attorney General is responsible for enforcing the law. Penalties can be up to $15,000 per violation.

The New York Health Data Privacy Act includes exemptions for federal, state, and local governments, entities and data covered by HIPAA, and information collected for clinical trials.

The law will go into effect one year after it is signed by the Governor.

CompliancePoint has a team dedicated to helping healthcare organizations with cybersecurity and data privacy, so they can maintain compliance with laws like the New York Health Data Privacy Act and HIPAA. Contact us at connect@compliancepoint.com to learn more about our services.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.