Everything you need to know about the New York Health Information Privacy Act (NYHIPA)


Written by Małgorzata Poddębniak

Published February 19, 2025

On January 22, 2025, the New York Assembly passed Senate Bill S929, also known as the New York Health Information Privacy Act (NYHIPA). The bill now awaits Governor Kathy Hochul’s signature. 

The new legislation adopts novel provisions that would make this one of the most stringent privacy laws in the US. It introduces an expansive definition of regulated health information (RHI) and strict consent requirements for processing and sharing data with third parties.

If enacted, NYHIPA will become effective one year after signing. 

This would make New York the fourth state – following Washington, Nevada, and Connecticut – to impose targeted and comprehensive regulations on consumer health-related information that is not otherwise protected by HIPAA. The act would significantly affect how businesses process health and wellness-related information, including their marketing and analytics practices.

Who does NYHIPA apply to

Unlike HIPAA, which primarily applies to healthcare organizations, NYHIPA covers nearly all organizations that process RHI, specifically ones that:

  • Control the processing of RHI of a New York resident.
  • Control the processing of RHI of an individual physically present in New York at the time of processing.
  • Are located in New York and control the processing of RHI.

Note: Non-NY businesses that process data of NY residents must also adhere to this act.

What is regulated health information (RHI)

NYHIPA protects regulated health information (RHI), which is broadly defined as any data reasonably linkable to an individual or a device that is collected or processed in connection with that individual’s physical or mental health. This also applies to location or payment information and any inference about an individual’s mental or physical health.

NYHIPA regulates internet browsing data, search or purchase histories, data collected through online tracking technologies, wellness habits, and reproductive health information. The definition potentially extends to behavioral data indicating that an individual is seeking health services.

Data protected by NYHIPA vs. HIPAA

Protected health information (PHI) regulated by HIPAA refers to information about health status, provision, or payment for health care that can be linked to a specific individual. This includes records of doctors’ visits, prescription medication details, laboratory test results, insurance information, and others. While the definition of PHI is broad, the concept of RHI is more ambiguous and encompasses even more types of data.

Regulated health information (RHI) exemptions

NYHIPA exempts the following categories of information and entities: 

  • Data processed by government entities.
  • Protected health information (PHI) governed by HIPAA and HITECH.
  • HIPAA-covered entities to the extent that such entities maintain patient information in the same manner as PHI. 
  • Data collected for clinical trials subject to federal protections for human subjects.
  • De-identified information – health data stripped of all personal identifiers.

The law does not exempt nonprofits, information regulated by the Gramm-Leach-Bliley Act, or public data. Also, HIPAA-covered entities are not exempt with regard to their non-protected health information, such as employee health and wellness data.

What are the requirements of NYHIPA

NYHIPA requires consent for data processing, which can include different operations concerning RHI like collection, use, storage, sharing, analysis, modification, or deletion. In contrast, similar laws in Washington and Nevada require consent only before selling consumer health data. Thus, NYHIPA’s authorization requirements are much stricter and more difficult to fulfill.

Regulated entities cannot process health information unless:

  • The individual has provided an authorization, or
  • The processing is strictly necessary for specific purposes, including providing a requested product or service, protecting against malicious, fraudulent, or illegal activity, and conducting internal business operations. 

Crucially, activities related to marketing, advertising, research and development, or providing products or services to third parties are not strictly necessary, meaning they require a consumer’s authorization.

Valid authorization

Regulated entities must obtain valid authorization before collecting or processing regulated health information for something other than a permissible purpose. 

Importantly, NYHIPA prohibits regulated entities from obtaining authorization within 24 hours after a user creates an account. Organizations therefore cannot fold the necessary consent and authorizations into the sign-up flow itself and must take an additional step, after that 24-hour window, to obtain them.

A valid authorization must include the following:

  • The types of regulated health information to be processed
  • The nature of the processing activity
  • The specific purposes for such processing
  • The names or the categories of service providers and third parties to which the regulated entity may disclose the individual’s regulated health information and the purposes for such disclosure
  • Any monetary or other valuable consideration the regulated entity may receive in connection with processing the individual’s regulated health information, where applicable
  • Notice that declining authorization will not affect the individual’s experience of using the regulated entity’s products or services
  • The expiration date of the authorization, which may be up to one year from the date authorization was provided
  • The mechanism by which the individual may revoke authorization before expiration
  • The mechanism by which the individual may request access to and deletion of their regulated health information
  • Any other information material to an individual’s decision-making regarding authorization for processing
  • A signature (which may be electronic)

Since the authorization expires after only one year, regulated entities need to implement a process for requesting new authorizations annually. 

Organizations must also let individuals revoke authorization for specific processing activities at any time and immediately stop processing their data after revocation.
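The post describes the authorization rules as requirements (no authorization within 24 hours of account creation, a term of at most one year, immediate effect of revocation, a record of when authorizations are granted and revoked) without showing how a consent-management tool would enforce them. The following is an added example written for this article, not code from the post or from Piwik PRO, that encodes those rules as a gate check a processing pipeline can run before each step. The purpose labels, RHI type names, field names and the `demo()` scenario are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Rules from the post, encoded as constants (how a tool stores them is an assumption).
MIN_ACCOUNT_AGE = timedelta(hours=24)   # no authorization within 24 hours of sign-up
MAX_AUTH_TERM = timedelta(days=365)     # an authorization may run at most one year
# Purposes the post calls "strictly necessary"; the labels are constructed here.
STRICTLY_NECESSARY = frozenset(
    {"provide_requested_service", "fraud_protection", "internal_operations"})


class ConsentError(ValueError):
    """Raised when an authorization request fails the validity rules."""


@dataclass
class Authorization:
    granted_at: datetime
    expires_at: datetime
    rhi_types: frozenset        # e.g. {"browsing_history"}
    purposes: frozenset         # e.g. {"marketing"}
    revoked_at: Optional[datetime] = None


@dataclass
class Account:
    created_at: datetime
    authorizations: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)   # (when, event, purposes)


def authorization_violations(account, rhi_types, purposes, granted_at, term, signed):
    """Return the list of rule violations for a proposed authorization (empty = valid)."""
    problems = []
    if granted_at - account.created_at < MIN_ACCOUNT_AGE:
        problems.append("requested within 24 hours of account creation")
    if term > MAX_AUTH_TERM:
        problems.append("term exceeds one year")
    if not signed:
        problems.append("missing signature")
    if not rhi_types or not purposes:
        problems.append("RHI types and purposes must be named")
    return problems


def record_authorization(account, rhi_types, purposes, granted_at,
                         term=MAX_AUTH_TERM, signed=True):
    """Validate, store and log an authorization; raise ConsentError if invalid."""
    problems = authorization_violations(account, rhi_types, purposes, granted_at, term, signed)
    if problems:
        raise ConsentError("; ".join(problems))
    auth = Authorization(granted_at, granted_at + term, frozenset(rhi_types), frozenset(purposes))
    account.authorizations.append(auth)
    account.audit_log.append((granted_at, "granted", sorted(purposes)))
    return auth


def revoke_authorization(account, auth, revoked_at):
    """Revocation takes effect immediately and is recorded for audit."""
    auth.revoked_at = revoked_at
    account.audit_log.append((revoked_at, "revoked", sorted(auth.purposes)))


def may_process(account, rhi_type, purpose, now):
    """Gate check to run before each processing step on this account's RHI."""
    if purpose in STRICTLY_NECESSARY:
        return True                       # no authorization needed
    for auth in account.authorizations:
        covers = rhi_type in auth.rhi_types and purpose in auth.purposes
        live = auth.granted_at <= now < auth.expires_at
        unrevoked = auth.revoked_at is None or now < auth.revoked_at
        if covers and live and unrevoked:
            return True
    return False


def demo():
    """Constructed scenario: sign-up, an early (rejected) request, a valid one, expiry, revocation."""
    t0 = datetime(2025, 3, 1, tzinfo=timezone.utc)
    acct = Account(created_at=t0)
    early = authorization_violations(acct, {"browsing_history"}, {"marketing"},
                                     t0 + timedelta(hours=23), MAX_AUTH_TERM, True)
    auth = record_authorization(acct, {"browsing_history"}, {"marketing"},
                                t0 + timedelta(hours=25))
    before = may_process(acct, "browsing_history", "marketing", t0 + timedelta(days=10))
    necessary = may_process(acct, "browsing_history", "fraud_protection", t0 + timedelta(days=10))
    expired = may_process(acct, "browsing_history", "marketing", t0 + timedelta(days=400))
    revoke_authorization(acct, auth, t0 + timedelta(days=30))
    after = may_process(acct, "browsing_history", "marketing", t0 + timedelta(days=31))
    return {"early_violations": early, "before_revocation": before,
            "strictly_necessary": necessary, "expired": expired,
            "after_revocation": after,
            "log_events": [event for _, event, _ in acct.audit_log]}


if __name__ == "__main__":
    print(demo())
```

The design point is that `may_process` is the only place that decides whether a purpose may touch a given RHI type, so expiry and revocation cannot be bypassed by a code path that forgot to check, and the audit log gives the "when and how" record the post's next-steps list asks for.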

Consumer rights

NYHIPA grants consumers the right to access and delete their regulated health information via an effective, efficient, and easy-to-use mechanism through an interface the consumer regularly uses. Notably, consumers may engage an authorized agent to make requests for them. However, the bill doesn’t clarify whether the regulated entities can take steps to validate the requestor’s identity. 

Regulated entities must fulfill deletion and access requests within 30 days and pass deletion requests to their service providers or third parties.

Privacy notice

NYHIPA requires a privacy notice if a regulated entity processes health information for a permissible purpose without authorization. 

The notice must disclose: 

  • The purposes of data collection.
  • The names or categories of third parties and service providers that may receive the data. 
  • How individuals can exercise their privacy rights. 

If the entity materially alters these activities, it must provide a clear and conspicuous notice describing the changes.

Service providers

Regulated entities must enter into agreements with service providers that process RHI on their behalf, similar to business associate agreements (BAA) under HIPAA. 

However, NYHIPA also requires that service providers agree not to combine RHI with any other personal information received from a third party or their relationships with individuals.

Penalties for NYHIPA violations

Violating NYHIPA provisions can result in a civil penalty of up to $15,000 per violation or 20% of revenue obtained from New York consumers within the past fiscal year, whichever is greater. The penalty is payable to the state. 

There is no private right of action, which means consumers cannot sue regulated entities for NYHIPA violations.

Implications of NYHIPA for covered organizations

Consumers are becoming increasingly aware of how their data is used and demanding greater control over their personal information. NYHIPA responds to these concerns by strengthening privacy protections and restricting the use and sale of health-related data without explicit user consent. At the same time, it addresses gaps in federal regulations like HIPAA. 

Given NYHIPA’s expansive definitions, limited exceptions, and strict requirements, all organizations processing health-related information must reassess their data processing and consent practices. If they haven’t previously prioritized patient privacy and security, the introduction of another strict healthcare regulation should give an additional push for adopting appropriate safeguards. 

For one, regulated entities must explore the available methods and service providers, including analytics vendors, that will help them comply with existing and future regulatory requirements. Vendors like Piwik PRO prioritize privacy compliance and security, allowing healthcare companies to collect and process data to benefit patients and businesses.  

Healthcare data privacy continues to evolve rapidly. As consumers become more discerning about which platforms they trust, those who commit to privacy and data security can gain a competitive advantage. 

Next steps

Digital health companies and other industries targeting New York consumers may find it challenging to comply with NYHIPA. Organizations covered by NYHIPA should already start preparing to implement practices that align with the act. They should also review the requirements of health privacy laws implemented last year in Washington, Nevada and Connecticut. 

If you are subject to NYHIPA, these are steps you should take now:

  • Consult with your legal team to assess whether you maintain or collect, directly or indirectly, any personal data that may be reasonably linked to health.
  • Conduct an audit to identify all sources of regulated health information, how it is used, and where it is stored to understand the data flows.
  • Plan updates to your privacy policies, notices, and employee handbooks to reflect NYHIPA’s narrower lawful processing grounds and new authorization requirements.
  • Prepare to adjust your consent management tools to handle the 24-hour waiting period and maintain records of when and how authorizations are granted or revoked. 
  • Ensure your organization can respond quickly to revocation requests by suspending or terminating data processing and deleting revoked data immediately. 
  • Monitor future developments regarding the bill and other state and federal privacy laws. Final amendments or regulatory guidance could alter key provisions of NYHIPA. 

Benefits of using Piwik PRO by healthcare organizations

Piwik PRO offers privacy protection and regulatory compliance while providing actionable insights to improve healthcare services and patient experience. 

Here is how healthcare organizations benefit from choosing Piwik PRO as their analytics vendor:

  • We will sign a business associate agreement (BAA), allowing you to process any type of PHI safely. If you prefer, you can also de-identify your PHI. Both PHI and de-identified data are exempt from NYHIPA requirements. 
  • We offer hosting on select HIPAA-compliant Microsoft Azure data centers located in the US.
  • We implement the best data security practices, which are validated by our ISO 27001 certification and HIPAA compliance attested as part of our SOC 2 Type II report.
  • We don’t share PHI with third parties or reuse it for other purposes.
  • We offer granular data access controls to restrict data access, detailed audit logs, regular privacy and security audits, and more.

FAQ

What is the purpose of the New York Health Information Privacy Act (NYHIPA)?

The New York Health Information Privacy Act (NYHIPA) aims to regulate the collection, sale, and processing of healthcare information. It restricts the uses and disclosures of personally identifiable consumer data related to health and wellness, excluding the protected health information (PHI) collected by HIPAA-regulated entities.

Who is affected by NYHIPA?

NYHIPA applies to “regulated entities” that collect or process “regulated health information” in New York or about New York residents. It covers entities of all sizes, regardless of revenue, processing thresholds, for-profit status, or physical presence in the state.

What is considered “regulated health information” (RHI) under NYHIPA?

Regulated health information refers to any information that is reasonably linkable to an individual or a device and is collected or processed in connection with an individual’s physical or mental health. This includes location or payment information related to an individual’s physical or mental health or any inference drawn or derived about an individual’s physical or mental health that is reasonably linkable to an individual or a device. RHI is not limited to medical records but covers biometric data, genetic information, and even information that could identify a person indirectly.

Does NYHIPA apply to HIPAA-regulated entities?

NYHIPA exempts PHI, not HIPAA-regulated entities. A HIPAA-regulated entity would be required to comply with NYHIPA if they process health data outside the HIPAA definition of PHI.

What are the key requirements of NYHIPA?

Key requirements include:

  • Obtaining consent through a transparent opt-in process before selling or sharing consumers’ health data.
  • Providing consumers with clear explanations of the types of information collected, the nature of processing activity, the purpose of processing, the categories of third parties with whom the information will be shared, how consent can be revoked, and that use of the product or service will be unaffected by the failure to provide authorization.
  • Ensuring consent is obtained separately from any other transaction and only after 24 hours of the first request or use of a product or service.
  • Deleting personal data within 30 days of a consumer revoking consent and requesting deletion.
  • Processing health data only if it is strictly necessary for providing or maintaining a service or product, with limited exceptions.
  • Providing a “clear and conspicuous notice” publicly available on their websites that describes their RHI processing and sharing practices.

What rights do individuals have under NYHIPA?

The Act provides individuals with the right to access and delete RHI. Regulated entities must fulfill these requests within 30 days.

What are the penalties for violating NYHIPA?

Violations of NYHIPA can result in a civil penalty of up to $15,000 per violation or 20% of revenue obtained from New York consumers within the past fiscal year, whichever is greater. The penalty is payable to the state.

Is there a private right of action under NYHIPA?

No, there is no private cause of action under NYHIPA, meaning individuals cannot take legal action against regulated entities for NYHIPA violations. However, the New York attorney general can enforce the law through strict penalties.

When does NYHIPA take effect?

NYHIPA will take effect 12 months after the governor signs the bill into law.