NY Legislature Passes Onerous Health Privacy Law (NYHIPA) – Awaiting Governor’s Signature

Published: Jan. 28, 2025

On January 22, the NY State legislature passed what is arguably the most onerous and restrictive U.S. state privacy law to date – the NY Health Information Privacy Act (“NYHIPA”).  If signed by the Governor in its current form, NYHIPA will impose sweeping obligations on companies located both in New York and outside of New York.  Indeed, the law goes beyond federal HIPAA in both obligations and scope, potentially rendering compliance for companies that provide basic wellness services (like a meditation app) far more costly than that of HIPAA-regulated hospitals and healthcare providers.  These obligations include obtaining prescriptive authorizations for all processing activities that are not “strictly necessary” for a narrow set of purposes, and compliance with access and deletion rights with limited exceptions and no express verification procedures.  

While NYHIPA specifically governs the processing of “regulated health information,” given the broad definition of this term and expansive extraterritorial applicability of the law, many entities (both for- and non-profit) will need to determine potential compliance obligations.  

If signed into law in its current form, consumers will likely find fewer wellness and health-related services, with New York residents likely feeling the brunt of the impact. 

Below we discuss some of the most concerning aspects of the law as well as the potential impacts on regulated entities.

Expansive Scope of NYHIPA

Regulated Data

NYHIPA applies to “regulated health information” (“RHI”), defined as “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual.”  It also applies to any inferences drawn about an individual’s physical or mental health.

While at first blush this definition appears similar to those in other health-related laws such as in Washington, Nevada, and Connecticut, the NY definition is actually much broader.  First, NYHIPA makes clear that location and payment information related to an individual’s health is covered, and unlike other state health privacy laws, NYHIPA: (a) does not limit in-scope location information to a certain radius of coverage (meaning even location information indicating that an individual was miles from a clinic or hospital could potentially be in scope); and (b) with no exception for entities covered by financial privacy laws such as the GLBA, could apply even to entities simply processing payment transactions involving health services/products, as well as their fintech service providers.  Second, by broadly covering data processed “in connection with” physical or mental health, NYHIPA could extend to products/services that are not traditionally considered to reveal an individual’s mental or physical health condition/diagnosis, such as the use of a meditation app, participation in exercise classes, food purchases, and mere visits to informational websites about health and wellness.

Regulated Entities

NYHIPA applies to any entity (whether for or not-for profit) that:

  • Controls the processing of RHI of NY residents,
  • Controls the processing of RHI of an individual who is physically present in NY, or
  • Is located in NY and controls the processing of RHI

Unlike other state privacy laws that largely apply solely to residents of that state, NYHIPA imposes significant burdens on companies located in NY because it applies to any RHI they process regardless of whether the individual is located in or outside of NY.  NY entities will face elevated challenges to compliance, including determining how to comply with potentially conflicting health privacy laws in other states, while also implementing NYHIPA’s burdensome obligations on a nationwide basis.  This will likely drive many NY health-related businesses and service providers outside of NY to avoid operational impacts and costs.  Given the breadth of NYHIPA, businesses providing fitness or wellness services like meditation apps and health information sites may deactivate those services in New York entirely to reduce risk, resulting in fewer options for consumers. And with no provisions limiting the law’s applicability based on company size, NYHIPA’s impacts will hit businesses both large and small.  Moreover, health and wellness businesses located outside of New York may stop offering services to residents or individuals located in New York.

Stringent Authorization Requirement

Authorization Applicability  

Other U.S. state health privacy laws require businesses to collect consent or HIPAA-style authorizations to “sell” consumer health information to third parties.  NYHIPA doesn’t afford consumers such a choice and appears to outright prohibit the “sale” of RHI.  NYHIPA also requires businesses to collect a very prescriptive authorization for any RHI processing activities that are not “strictly necessary” for: (1) providing a “specific” product or service requested by an individual, (2) conducting “internal business operations,” (3) legal protection and compliance with laws, (4) protecting an individual’s vital interests, or (5) security and fraud prevention purposes.

At first blush, the ability to continue to process RHI for “internal business operations” seems promising, but unlike other laws, NYHIPA’s internal business operations exception expressly excludes common internal activities related to marketing, advertising, research and development, or providing products or services to third parties.  Companies processing RHI must obtain authorization before using RHI even for purposes of product improvement, research and development, notifying users about new products and services, or internal product analytics, activities which help to strengthen and improve the very products and services that users seek.  While state health privacy laws have been promulgated to fill the gap and cover the wide range of entities processing health data that are not covered by HIPAA, NYHIPA’s authorization requirements go well beyond the spirit and intent of HIPAA – HIPAA specifically allows companies, without authorization, to engage in many important internal business activities that respect consumer privacy while also providing consumers with better services, such as first-party marketing, research and development, analytics, and product improvement.

Authorization Timing and Form Requirements

NYHIPA imposes first-of-its-kind authorization requirements, including a prohibition on any attempt at collecting authorization until at least 24 hours after an individual creates an account or first uses the requested product or service.  This means that businesses cannot include the authorization form and process in their typical intake or checkout flows, and consumers who want access to product features or notifications that are not strictly related to providing the product or service sought will have to wait before being able to use such features.

The authorization form itself also contains prescriptive disclosure requirements, must be signed by the consumer (including in electronic form), and expires after only one year (meaning regulated entities must also implement a process to seek new authorizations each year).  Moreover, companies seeking authorization for multiple processing activities must provide granular choices, allowing consumers to provide authorization for some or all of the activities (which can also be granularly revoked at any time).  Where users maintain online accounts, companies must develop tools that allow users to view and revoke each authorized processing activity through their accounts.

Authorization Requirement Impacts

In addition to the operational difficulties of capturing authorization from consumers, the authorization requirements will also likely prove crippling to backend company operations.  While in theory a company can obtain consumer authorization for internal operations like research and development and product improvement, the internal resources necessary to track which consumers have provided authorization for which processing purposes, and which consumers subsequently revoked authorization to any/all of the purposes for which they previously gave consent, will likely result in stifling innovation and patient engagement in the health services industry.  This is because companies will not be able to operationalize these granular processing authorizations and, in many instances, will be left with little to no data that can be used for these purposes.

Data Subject Rights With No Verification

Another very troubling aspect of NYHIPA is that although Section 1124 of the law contains a broad requirement for companies to develop and maintain appropriate security protections, the law also extends nearly unfettered data access and deletion rights that do not expressly consider security risks to consumers. Consumers (or their authorized agents) may ask for access to all of their RHI or deletion of any RHI, and companies must comply with these requests (and flow them down to service providers and other third parties) within 30 days (with no extension possible).  There are no exceptions to access requests, and companies must also provide access to any RHI held by service providers on their behalf.  For deletion requests, the only exception is where RHI must be maintained for legal purposes.  

Moreover, NYHIPA lacks any identity verification requirements. This means that bad actors posing as authorized agents may find it easier to exploit the law to obtain access to a consumer’s most sensitive health information.  Companies will be forced to decide what verification they can reasonably request without risking violating these provisions and the stringent time requirements for a response. 

Enforcement and Next Steps

NYHIPA will go into effect one year after the date on which the Governor signs it into law.  NYHIPA does not contain a private right of action, but the NY AG will have the ability to enforce the law through injunctive relief (including disgorgement), as well as financial penalties of up to $15,000 per violation or 20% of revenue obtained from NY consumers over a fiscal year, whichever is higher.

If signed by the Governor in its current form without chapter amendments addressing some of the most troubling aspects of the law as discussed above, NYHIPA will impose onerous requirements on both NY businesses and businesses outside of NY processing RHI of individuals in NY.  Given the broad definitions in the law and its limited exceptions, all companies that process any health-related information that is potentially in scope should begin determining how they will comply with the law’s onerous requirements, both from a legal compliance perspective as well as an operational perspective.