Everything you need to know about the New York Health Information Privacy Act (NYHIPA)

Written by Małgorzata Poddębniak

Published February 19, 2025

Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but doesn’t provide legal consultancy. If you’d like to make sure that you comply with HIPAA guidelines, we encourage you to consult an attorney.

SUMMARY

  • The New York Health Information Privacy Act (NYHIPA), passed by the New York Assembly on January 22, 2025, awaits Governor Kathy Hochul’s signature and will take effect one year after signing, introducing stringent privacy regulations for businesses processing regulated health information (RHI).
  • NYHIPA applies broadly to entities processing RHI of New York residents or individuals in New York, covering a wide range of data, including health-related internet browsing, wellness habits, and reproductive health information, unlike the more limited scope of HIPAA’s protected health information (PHI).
  • The act mandates strict authorization requirements for processing RHI, requiring valid authorization with detailed disclosures and prohibiting authorization within 24 hours of account creation, while also granting consumers rights to access and delete their data within 30 days. NYHIPA also explicitly prohibits the sale of RHI.
  • Tools like Piwik PRO Analytics Suite can help organizations balance NYHIPA compliance with actionable insights by offering features like customizable BAAs, data encryption, and granular consent mechanisms, though businesses must also address challenges like the 60-day data disposal requirement and service provider agreements.

On January 22, 2025, the New York Assembly passed Senate Bill S929, also known as the New York Health Information Privacy Act (NYHIPA). The bill now awaits Governor Kathy Hochul’s signature. 

The new legislation adopts novel provisions that would make this one of the most stringent privacy laws in the US. It introduces an expansive definition of regulated health information (RHI) and authorization requirements for processing and sharing data with third parties.

If enacted, NYHIPA will become effective one year after signing. 

This would make New York the fourth state – following Washington, Nevada, and Connecticut – to impose targeted and comprehensive regulations on consumer health-related information that is not otherwise protected by HIPAA. The act would significantly affect how businesses process health and wellness-related information, including their marketing and analytics practices.

Who does NYHIPA apply to

Unlike HIPAA, which primarily applies to healthcare organizations, NYHIPA covers nearly all organizations that process RHI, specifically ones that:

  • Control the processing of RHI of a New York resident.
  • Control the processing of RHI of an individual who is in New York at the time their RHI is processed.
  • Are located in New York and control the processing of RHI.

Note: Non-NY businesses that process data of NY residents must also adhere to this act. There are no revenue, volume, or nonprofit exemptions.

What is regulated health information (RHI)

NYHIPA protects regulated health information (RHI), which is broadly defined as any data reasonably linkable to an individual or a device that is collected or processed in connection with that individual’s physical or mental health. This also applies to location or payment information and any inference about an individual’s mental or physical health.

NYHIPA regulates internet browsing data, search or purchase histories, data collected through online tracking technologies, wellness habits, and reproductive health information. The definition potentially extends to behavioral data indicating that an individual is seeking health services.

Data protected by NYHIPA vs. HIPAA

Protected health information (PHI) regulated by HIPAA refers to information about health status, provision, or payment for health care that can be linked to a specific individual. This includes records of doctors’ visits, prescription medication details, laboratory test results, insurance information, and others. While the definition of PHI is broad, the concept of RHI is more ambiguous and encompasses even more types of data.

NYHIPA applies to any health-related data that falls outside HIPAA protections, including wellness, marketing, behavioral or employee health data, even if collected by a HIPAA-covered entity.

Regulated health information (RHI) exemptions

NYHIPA exempts the following categories of information and entities:

  • Data processed by government entities
  • Protected health information (PHI) governed by HIPAA and HITECH
  • HIPAA-covered entities, but only when maintaining information in accordance with HIPAA rules 
  • Data collected for clinical trials subject to federal protections for human subjects
  • De-identified information – but only if the de-identification satisfies NYHIPA’s specific criteria (technical safeguards, no reidentification, and contractual obligations with data recipients)

The law does not exempt nonprofits, information regulated by the Gramm-Leach-Bliley Act, or public data. Also, HIPAA-covered entities are not exempt with regard to their non-protected health information, such as employee health and wellness data.

What are the requirements of NYHIPA

NYHIPA requires valid authorization for data processing, which can include different operations concerning RHI like collection, use, storage, sharing, analysis, modification, or deletion. In contrast, similar laws in Washington and Nevada require consent only before selling consumer health data. Thus, NYHIPA’s authorization requirements are much stricter and more difficult to fulfill.

Processing is allowed without authorization only when it is strictly necessary for purposes such as:

  • Providing a requested product or service
  • Detecting or preventing fraud or illegal activity
  • Protecting vital interests
  • Complying with legal obligations
  • Internal operations (excluding marketing or advertising)

Marketing and advertising are explicitly not considered strictly necessary and require valid authorization.

Valid authorization

Regulated entities must obtain valid authorization before collecting or processing regulated health information for something other than a permissible purpose. 

Importantly, authorization must not be requested within 24 hours after account creation or first use of a product or service. Organizations therefore cannot bundle authorization into the sign-up flow and must take an additional step to obtain the necessary consent and authorizations once that period has passed.

A valid authorization must include the following:

  • The types of regulated health information to be processed
  • The nature of the processing activity
  • The specific purposes for such processing
  • The names or the categories of service providers and third parties to whom the regulated entity may disclose the individual’s regulated health information, and the purposes for such disclosure
  • Any monetary or other valuable consideration the regulated entity may receive in connection with processing the individual’s regulated health information, where applicable
  • Notice that declining authorization will not affect the individual’s experience of using the regulated entity’s products or services
  • The expiration date of the authorization, which may be up to one year from the date the authorization was provided
  • The mechanism by which the individual may revoke authorization before expiration
  • The mechanism by which the individual may request access to and deletion of their regulated health information
  • Any other information material to an individual’s decision-making regarding authorization for processing
  • Notice of prior authorization refusals (cannot request again if authorization was declined or revoked in the past year)
  • A signature (which may be electronic)

Regulated entities must allow users to view and manage authorizations in their account settings and enable one-click revocation.

Entities must also publicly post either the authorization form or a representative sample.

Since the authorization expires after only one year, regulated entities need to implement a process for requesting new authorizations annually. Organizations must also allow individuals to revoke authorization for specific processing activities at any time and immediately cease processing their data after revocation.

Authorization requests must be presented in a clear, user-friendly format, free of manipulative interface design (“dark patterns”) that could impair or mislead decision-making.

The requirement to provide tailored forms that track when authorization was given and expire it after one year is likely to create numerous costly compliance issues for regulated entities. Unfortunately, there is no guidance on how regulated entities should verify individuals’ rights requests within the 30-day response period while also implementing measures to prevent fraudulent requests.

Consumer rights

NYHIPA grants consumers the right to access and delete their regulated health information via an effective, efficient, and easy-to-use mechanism through an interface the consumer regularly uses. Notably, consumers may engage an authorized agent to make requests for them. However, the bill doesn’t clarify whether the regulated entities can take steps to validate the requestor’s identity. 

Regulated entities must fulfill deletion and access requests within 30 days and pass deletion requests to their service providers or third parties. Deletion by downstream parties must also occur within 30 days unless impossible or disproportionate, which must be documented.

Authorized agents may submit requests on behalf of consumers.

Privacy notice

NYHIPA requires a privacy notice if a regulated entity processes health information for a permissible purpose without authorization. 

The notice must disclose: 

  • The purposes of data collection.
  • The names or categories of third parties and service providers that may receive the data. 
  • How individuals can exercise their privacy rights. 

Any material change in processing requires a separate, clear, and conspicuous notice and an opportunity to delete RHI.

Service providers

Regulated entities must enter into agreements with service providers that process RHI on their behalf, similar to business associate agreements (BAA) under HIPAA. 

NYHIPA service provider agreements must also:

  • Prohibit combining RHI with other personal information
  • Require downstream deletion within 30 days
  • Require reasonable assessments or third-party audits
  • Ensure all subcontractors are contractually bound to equivalent obligations
  • Notify the regulated entity before involving further service providers

Penalties for NYHIPA violations

Violating NYHIPA provisions can result in a civil penalty of up to $15,000 per violation or 20% of revenue obtained from New York consumers within the past fiscal year, whichever is greater. The penalty is payable to the state. 

There is no private right of action under NYHIPA; enforcement is vested exclusively in the New York State Attorney General.

The Attorney General may bring a civil action to obtain injunctive relief, civil penalties, disgorgement of profits, restitution, and any other appropriate relief.

Although private lawsuits are not permitted, regulated entities should expect active enforcement, especially given recent trends in privacy regulation and litigation strategies targeting health-related data.

NYHIPA vs. other state laws

NYHIPA joins Washington and Nevada in targeting consumer health data beyond HIPAA’s scope, suggesting a national shift toward stricter privacy. It shares significant structural and conceptual similarities with Washington State’s My Health My Data Act (MHMDA), which took effect for most entities on March 31, 2024, and applies broadly to any entity collecting health data of Washington consumers.

Unlike Nevada’s SB 370, which focuses primarily on the sale and disclosure of health data, NYHIPA regulates nearly all types of processing and imposes stricter requirements for authorization, timing, and service provider oversight. Maryland’s new law (MODPA), by contrast, is a general data privacy statute and does not specifically target health data in the same way.

NYHIPA is notable for requiring regulated entities to dispose of regulated health information no later than 60 days after it is no longer needed, which makes it stand out from other state privacy laws. The 60-day disposal requirement poses a challenge, as it conflicts with certain sectoral and legal retention obligations – for example, the New York Workers’ Compensation Board requires some claim-related health records to be retained for up to 18 years. Regulated entities will need to reconcile NYHIPA disposal timelines with those statutory obligations and document any such legal basis for extended retention.

What does NYHIPA mean for covered organizations

Consumers are becoming increasingly aware of how their data is used and demanding greater control over their personal information. NYHIPA responds to these concerns by strengthening privacy protections and restricting the use and disclosure, or sale of health-related data without explicit user authorization. At the same time, it addresses gaps in federal regulations like HIPAA. The impact of NYHIPA will vary between different types of businesses in the healthcare industry. 

When it comes to traditional healthcare organizations, HIPAA-covered entities may need to enter into NYHIPA agreements with payment processors (similar to BAAs) to take payments from patients, as payment processors would qualify as service providers. Although traditional medical records maintained by HIPAA-covered entities will likely be exempt, other types of health-related data they collect – such as marketing data, wellness program inputs, or unauthenticated web traffic – may fall under NYHIPA as regulated health information (RHI).

On the other hand, digital health companies face particularly high compliance burdens, as they often rely on behavioral tracking, personalization, and cross-platform data analytics to deliver services and optimize engagement. NYHIPA’s one-year authorization limit, 24-hour delay rule, and downstream deletion requirements may hinder user onboarding, personalization, and product development workflows.

Companies must analyze online tracking technologies and cookie management tools to determine whether additional disclosure and authorization mechanisms are required.

Given NYHIPA’s expansive definitions, limited exceptions, and strict requirements, all organizations processing health-related information must reassess their data processing and authorization practices. Organizations that have not previously implemented robust privacy-by-design principles – particularly in consumer-facing digital health contexts – will need to accelerate their adoption of data minimization, purpose limitation, and granular consent infrastructure.

The effective date is one year after signature by the Governor, which is an exceptionally short time for digital health companies to implement the required changes. Regulated entities must explore the available methods and service providers, including analytics vendors, that will help them comply with existing and future regulatory requirements. 

Selecting vendors that offer robust consent management, transparent data flows, and NYHIPA-aligned service provider terms – such as Piwik PRO – can help organizations balance compliance with actionable insights. 

How to prepare for NYHIPA

Digital health companies and other industries targeting New York consumers may find it challenging to comply with NYHIPA. Organizations covered by NYHIPA should begin preparing now to implement internal processes, governance mechanisms, and technical safeguards aligned with the Act’s requirements.

If you are subject to NYHIPA, these are steps you should take now:

  • Map your data:
    • Conduct an internal audit to identify all sources of regulated health information, how it is used, and where it is stored
    • Identify all touchpoints where RHI is processed, including employee wellness data, payment processing, and marketing analytics
    • Assess whether data is collected directly from individuals, inferred, or obtained from third parties – and whether it may be linkable to an individual or device in the context of health
  • Review all current data uses and eliminate those that are not considered “strictly necessary”.
  • Document legal bases for any processing that does not rely on authorization.
  • Develop a proper infrastructure for collecting valid authorization:
    • Build systems to track when authorization was given and automatically expire authorization after one year
    • Implement comprehensive and granular authorization mechanisms that allow individuals to provide or revoke authorization for each use of their RHI
    • Ensure no authorization is requested until at least 24 hours after account creation or first use of a service
    • Ensure that authorization requests are not bundled with other transactions and are free of dark patterns
    • Enable one-click revocation in user-facing systems, including customer account settings
  • Establish appropriate agreements with service providers:
    • Update contracts to require service providers not to combine RHI with any other personal information received from third parties or from their own relationships with individuals
    • Include provisions requiring service providers to notify the regulated entity “a reasonable time in advance” before sharing health information with any further service providers
    • Require service providers to allow compliance assessments by the regulated entity or designated assessor
    • Ensure all downstream processors are bound by equivalent contractual obligations (“flow-down” terms)
    • Include data return or deletion clauses upon termination of services
  • Update your technical infrastructure:
    • Implement data segregation mechanisms to prevent mingling of RHI with other data sets across services, systems, or clients
    • Implement retention schedules that ensure RHI is only kept as long as necessary and securely disposed of after processing
    • Create a publicly available retention schedule and securely dispose of RHI within 60 days after it is no longer necessary
    • Where longer retention is required by law (e.g., Workers’ Compensation), document the legal basis and applicable time period
  • Implement ongoing monitoring and training for employees:
    • Provide role-specific training on NYHIPA requirements, particularly for staff involved in product design, marketing, legal compliance, and vendor management
    • Establish internal monitoring mechanisms and escalation workflows for handling rights requests, data breaches, or improper processing
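
The authorization-lifecycle rules in the list above (the 24-hour delay after account creation, one-year expiry, one-click revocation with immediate effect, no new request for a year after a decline or revocation, and the 60-day disposal window) can be encoded directly in the consent infrastructure. The following is an added illustrative Python model, not Piwik PRO code or the statute’s text; the constant names, activity labels and the way a legal retention period extends the disposal deadline are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

# Timing rules as the article summarises them; the constant names are illustrative.
REQUEST_DELAY = timedelta(hours=24)           # no prompt within 24h of account creation
MAX_AUTHORIZATION_TERM = timedelta(days=365)  # authorization expires after at most one year
REREQUEST_COOLDOWN = timedelta(days=365)      # no new prompt for a year after decline/revocation
DISPOSAL_WINDOW = timedelta(days=60)          # dispose of RHI within 60 days of no longer needing it

class Status(Enum):
    GRANTED = "granted"
    DECLINED = "declined"
    REVOKED = "revoked"

@dataclass
class AuthorizationRecord:
    activity: str                   # one processing activity, e.g. "marketing_analytics" (assumed label)
    status: Status
    expires_at: Optional[datetime]  # set only while GRANTED
    ended_at: Optional[datetime]    # time of the decline or revocation

class ConsumerAuthorizations:
    """Per-consumer, per-activity ledger of RHI authorizations (illustrative model)."""

    def __init__(self, account_created_at: datetime) -> None:
        self.account_created_at = account_created_at
        self.records: dict[str, AuthorizationRecord] = {}

    def can_request(self, activity: str, now: datetime) -> tuple[bool, str]:
        """Decide whether an authorization prompt may be shown, and if not, why."""
        if now < self.account_created_at + REQUEST_DELAY:
            return False, "within 24 hours of account creation"
        rec = self.records.get(activity)
        if rec is None:
            return True, "ok"
        if rec.status is Status.GRANTED and now < rec.expires_at:
            return False, "authorization already active"
        if rec.status in (Status.DECLINED, Status.REVOKED) and now < rec.ended_at + REREQUEST_COOLDOWN:
            return False, "declined or revoked within the past year"
        return True, "ok"  # expired grants and year-old refusals may be asked again

    def _require_requestable(self, activity: str, now: datetime) -> None:
        ok, reason = self.can_request(activity, now)
        if not ok:
            raise PermissionError(f"cannot request authorization for {activity}: {reason}")

    def grant(self, activity: str, now: datetime, term: timedelta = MAX_AUTHORIZATION_TERM) -> None:
        self._require_requestable(activity, now)
        term = min(term, MAX_AUTHORIZATION_TERM)  # the expiry may be shorter, never longer
        self.records[activity] = AuthorizationRecord(activity, Status.GRANTED, now + term, None)

    def decline(self, activity: str, now: datetime) -> None:
        self._require_requestable(activity, now)
        self.records[activity] = AuthorizationRecord(activity, Status.DECLINED, None, now)

    def revoke(self, activity: str, now: datetime) -> bool:
        """One-click revocation: processing for the activity must stop immediately."""
        rec = self.records.get(activity)
        if rec is None or rec.status is not Status.GRANTED:
            return False
        self.records[activity] = AuthorizationRecord(activity, Status.REVOKED, None, now)
        return True

    def is_authorized(self, activity: str, now: datetime) -> bool:
        rec = self.records.get(activity)
        return rec is not None and rec.status is Status.GRANTED and now < rec.expires_at

def disposal_deadline(no_longer_needed_at: datetime, legal_retention: Optional[timedelta] = None) -> datetime:
    """60-day disposal deadline, extended only by a documented legal retention period."""
    deadline = no_longer_needed_at + DISPOSAL_WINDOW
    if legal_retention is not None:
        deadline = max(deadline, no_longer_needed_at + legal_retention)
    return deadline
```

Every processing path that touches RHI for a non-permissible purpose should gate on `is_authorized` at the time of processing, so that a revocation takes effect immediately rather than at the next scheduled check.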

Organizations should be prepared for active enforcement once the law takes effect, as regulators in other states with similarly sweeping privacy laws have signaled aggressive enforcement. Even before formal enactment, NYHIPA reflects a broader shift toward regulating non-HIPAA health data, and regulators are expected to scrutinize data practices involving behavioral and inferred health information.

The steps outlined above should become baseline compliance measures for all healthcare companies to prepare for NYHIPA and other existing and upcoming legal requirements.

Supporting your healthcare organization’s compliance journey with Piwik PRO

Piwik PRO offers privacy protection and regulatory compliance while providing actionable insights to improve healthcare services and patient experience. 

Here is how healthcare organizations benefit from choosing Piwik PRO as their analytics vendor:

  • We will sign a business associate agreement (BAA), allowing you to process any type of PHI safely. If you prefer, you can also de-identify your PHI. Both PHI and de-identified data are exempt from NYHIPA requirements. 
  • We offer hosting on select HIPAA-compliant Microsoft Azure data centers located in the US.
  • We implement the best data security practices, which are validated by our ISO 27001 certification and HIPAA compliance attested as part of our SOC 2 Type II report.
  • We don’t share PHI with third parties or reuse it for other purposes.
  • We offer granular data access controls to restrict data access, detailed audit logs, regular privacy and security audits, and more.

FAQ

What is the purpose of the New York Health Information Privacy Act (NYHIPA)?

The New York Health Information Privacy Act (NYHIPA) aims to regulate the collection, sale, and processing of healthcare information. It restricts the uses and disclosures of personally identifiable consumer data related to health and wellness, excluding the protected health information (PHI) collected by HIPAA-regulated entities.

Who is affected by NYHIPA?

NYHIPA applies to “regulated entities” that collect or process “regulated health information” in New York or about New York residents. It covers entities of all sizes, regardless of revenue, processing thresholds, for-profit status, or physical presence in the state.

What is considered “regulated health information” (RHI) under NYHIPA?

Regulated health information refers to any information that is reasonably linkable to an individual or a device and is collected or processed in connection with an individual’s physical or mental health. This includes location or payment information related to an individual’s physical or mental health or any inference drawn or derived about an individual’s physical or mental health that is reasonably linkable to an individual or a device. RHI is not limited to medical records but covers biometric data, genetic information, and even information that could indirectly identify a person.

Does NYHIPA apply to HIPAA-regulated entities?

NYHIPA exempts PHI, not HIPAA-regulated entities. A HIPAA-regulated entity would be required to comply with NYHIPA if they process health data outside the HIPAA definition of PHI.

What are the key requirements of NYHIPA?

Key requirements include:

  • Obtaining consent through a transparent opt-in process before selling or sharing consumers’ health data.
  • Providing consumers with clear explanations of the types of information collected, the nature of processing activity, the purpose of processing, the categories of third parties with whom the information will be shared, how consent can be revoked, and that use of the product or service will be unaffected by the failure to provide authorization.
  • Ensuring consent is obtained separately from any other transaction and only after 24 hours of the first request or use of a product or service.
  • Deleting personal data within 30 days of a consumer revoking consent and requesting deletion.
  • Processing health data only if it is strictly necessary for providing or maintaining a service or product, with limited exceptions.
  • Providing a “clear and conspicuous notice” publicly available on their websites that describes their RHI processing and sharing practices.

What rights do individuals have under NYHIPA?

The Act provides individuals with the right to access and delete RHI. Regulated entities must fulfill these requests within 30 days.

What are the penalties for violating NYHIPA?

Violations of NYHIPA can result in a civil penalty of up to $15,000 per violation or 20% of revenue obtained from New York consumers within the past fiscal year, whichever is greater. The penalty is payable to the state.

Can individuals take legal action against regulated entities for NYHIPA violations?

No, there is no private cause of action under NYHIPA, meaning individuals cannot take legal action against regulated entities for NYHIPA violations. However, the New York attorney general can enforce the law through strict penalties.

When does NYHIPA take effect?

NYHIPA will take effect 12 months after the governor signs the bill into law.