Protecting Your Privacy: How New York’s Proposed Health Information Privacy Act Targets Digital Health Companies

Admin


The New York Health Information Privacy Act (NYHIPA) could significantly change how New Yorkers access digital health services. If it becomes law, its new consent and data-handling rules would impose financial and operational burdens on digital health companies, which may find it harder to keep patients engaged and to improve their services.

As of January 23, 2025, NYHIPA has passed both the New York Senate and Assembly and is heading to the Governor for a potential signature. If signed into law, it will change how digital health companies manage consumer health information in New York.

Who Will Be Affected?

NYHIPA would apply to any entity that handles health information with a New York nexus, not only traditional health care organizations. This includes:

  • Organizations processing health information for New York residents.
  • Entities handling health information for individuals present in New York.
  • Those located in New York managing health data.

The exemption for HIPAA is data-level rather than entity-level: information already protected as PHI under HIPAA falls outside the act, but a HIPAA-covered entity is not exempt as a whole. Health information it collects outside that protected scope, for example during routine operations or through a consumer-facing app, may still fall under NYHIPA.

What Information is Covered?

NYHIPA aims to regulate any information tied to a person's physical or mental health or wellness, including data collected from devices. It reaches data that is not obviously medical, such as location or payment details, whenever that data is linked to health and can be associated with an individual or a device. Data already protected under HIPAA and de-identified information would not be regulated under the act.

Restrictions on Data Processing

Entities must limit data processing to what the product or service requested by the individual actually requires, unless they have clear authorization to go further. "Processing" includes collecting, using, disclosing, or selling health information. Businesses cannot process health data without one of the following:

  • The individual’s authorization.
  • Processing that is strictly necessary to provide or maintain the requested service or to support internal operations.

Importantly, processing for marketing or for third-party services is prohibited without the individual's specific consent, a point sure to raise concerns in the digital health field.

Authorization Requirements

NYHIPA mandates a 24-hour period after account creation or first use of a service during which no authorization may be sought. Individuals must give explicit consent for each activity that is not essential to the requested service. Authorizations must:

  • Be requested separately from any other transaction.
  • Be requested no earlier than 24 hours after the initial account creation or service use.
  • Allow individuals to control consent for different processing activities.

For individuals with an account, companies must clearly display the processing activities that have been authorized and allow easy revocation of that authorization. They cannot make a service contingent on consent or unfairly penalize individuals for withholding it.

Is a Privacy Notice Necessary?

If an entity processes health data under one of the exceptions that do not require authorization, it must provide a privacy notice. The notice should describe the processing activities, their purposes, and any third parties involved. Any material change in processing requires a new, clear notice along with an option for individuals to request deletion of their data.

Key Requirements for Digital Health Companies

NYHIPA requires companies to keep health information segregated by regulated entity and to put written agreements in place with their service providers. These agreements must prevent a service provider from combining health data received from one regulated entity with data received from others. Service providers must also notify the regulated entity before sharing health data with third parties.

All required communications must be accessible to people with disabilities and offered in the languages in which the company already does business.

When Will This Law Take Effect and What are the Penalties?

NYHIPA would take effect one year after becoming law. The New York Attorney General would enforce it, with civil penalties of up to $50,000 per violation or 20% of the revenue obtained from New York consumers in the past year.

What Does This Mean for Digital Health Companies?

NYHIPA could create significant challenges for digital health companies. They would need to overhaul their websites, consent flows, and internal workflows to meet the new processing and accessibility requirements. The mandatory 24-hour waiting period before seeking authorization could hinder patient engagement and delay improvements to care. The law also adds another layer of complexity, since companies must reconcile it with the other state privacy laws they already follow.

Next Steps for Digital Health Companies

With NYHIPA awaiting the Governor's signature, digital health companies should begin preparing for compliance now. The effective date would be one year after signature, leaving a limited window to implement the necessary changes. As health data privacy law continues to evolve, staying informed about developments is essential.
