Last month, New York state lawmakers passed the New York Health Information Privacy Act (HIPA). If Governor Kathy Hochul approves it, New York will become the toughest state in the U.S. for health data privacy.
HIPA aims to protect what it calls “regulated health information.” This is similar to the My Health, My Data Act in Washington, which was the first to establish specific protections for health data in 2023.
Unlike some state laws that only cover residents, HIPA would protect all individuals physically present in New York, regardless of their home state. This means any business operating in New York or processing data from New York residents must comply with the law.
Ron De Jesus, a privacy officer at Transcend, highlights that this law’s broad reach makes it quite unique. The protected health information includes anything that can be linked to a person and relates to their physical or mental health. This definition is broader than similar laws in Connecticut or Nevada, which are more limited and do not split physical and mental health data.
The bill is still waiting for the governor’s sign-off but is expected to take effect one year afterward. HIPA gives individuals the right to access and delete their health data. It also mandates that companies must follow specific timelines for retaining or deleting this information.
However, there are some exceptions. HIPA does not cover information already protected by existing laws, like HIPAA, which governs healthcare providers. HIPA also prohibits businesses from selling regulated health data to third parties without individual consent, except in situations where data processing serves a legitimate purpose, like delivering a requested service or enhancing security.
De Jesus points out that HIPA’s unique aspect is its application to any company with information on anyone linked to New York. For instance, if a New York student studies in Texas, their university will have to comply with New York law when handling that student’s health data.
This broad law may face challenges from businesses. If violations occur, the state attorney general can impose fines of up to $15,000 for each violation or reclaim 20% of any revenue made from New York consumers in the past year, whichever is greater. The attorney general also has the authority to create additional rules, making compliance even more complex for businesses.
Privacy experts worry about this expansive coverage since it means more work for companies trying to figure out if they fall under the law, especially when it comes to identifying New York residents. It presents challenges for compliance from both a legal and practical standpoint.