Governor Hochul Vetoes New York Health Information Privacy Act
The New York Health Information Privacy Act (NYHIPA) was passed by the New York Assembly and Senate earlier this year and was delivered to New York Governor Kathy Hochul’s desk on December 8, 2025, to await her signature; however, on December 19, 2025, Governor Hochul vetoed the bill.
The federal Health Insurance Portability and Accountability Act (HIPAA) covers protected health information that is created, collected, stored, or transmitted by healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities; however, a vast amount of personally identifiable health data is created, collected, stored, and transmitted by entities not bound by the HIPAA Rules.
Many state residents mistakenly believe that all health information is covered by HIPAA and must be protected, when that is not the case. NYHIPA “creates a legal framework for residents to reclaim and retain control of their healthcare information,” introducing HIPAA-like protections for personally identifiable health data not covered by the HIPAA Rules (a full breakdown of the requirements of NYHIPA follows below).
NYHIPA has similarities to other comprehensive state healthcare privacy laws, such as the My Health My Data Act in Washington state, and introduces far-reaching healthcare data privacy changes. While there is an exemption for HIPAA-covered entities and their business associates that are compliant with the HIPAA Rules, NYHIPA has a broad reach and covers many individuals and organizations, which will face a significant compliance burden if NYHIPA becomes law.
NYHIPA has strong support, having passed a Rules Committee vote 16-3 and a floor vote 49-10 on January 21, 2025; however, Governor Hochul declined to sign it into law. That does not mean the bill is dead in the water, as the Governor’s veto can be overridden. That requires the Assembly and the Senate to vote again to make the bill law, with at least a two-thirds majority in each chamber.
January 28, 2025: The New York Health Information Privacy Act
The New York Health Information Privacy Act aims to better protect the health information of New York residents and visitors to the State by regulating health data not already regulated by HIPAA. Although the Act exempts HIPAA-covered entities, it may still have implications for how covered entities collect, store, use, and disclose certain types of data.
According to the preamble of the New York Health Information Privacy Act, most residents of New York State are under the impression that HIPAA protects their health data from being accessed by third parties and sold to other organizations in all circumstances. The preamble adds that many residents do not understand how much health data is collected, used, and sold by tracking technologies on websites and mobile apps not covered by HIPAA.
Consequently, the stated purpose of the New York Health Information Privacy Act is to “create a legal framework for residents to reclaim and retain control of their healthcare information.” The Act aims to achieve its stated purpose by requiring all regulated entities, service providers, and other third parties to safeguard the security, confidentiality, and integrity of regulated health information, and by giving residents rights similar to individuals’ rights provided by HIPAA.
Who the New York Health Information Privacy Act Applies To
The New York Health Information Privacy Act applies to individuals and organizations that process – or that are involved in the processing of – the regulated health information of a New York resident or of any individual who is in New York at the time the health information is processed – regardless of where the processing takes place. It also applies to individuals and organizations located in New York that process the regulated health information of non-New York residents.
There are three types of individuals or organizations covered by the New York Health Information Privacy Act. “Regulated entities” are individuals or organizations that “control” regulated health information – much like HIPAA covered entities. “Service providers” are individuals or organizations that process regulated health information on a regulated entity’s behalf – much like business associates. “Third parties” are the equivalent of subcontractors in HIPAA.
Exemptions exist for regulated entities that are local, state, or federal government agencies, for municipal corporations, and for HIPAA-covered entities. There is also an exemption for health information collected for clinical trials, provided the information is collected in compliance with the FDA’s Rule for the Protection of Human Subjects (21 CFR Part 50). There are no exemptions for employment records, student health information, financial institutions, or nonprofit entities.
Regulated Health Information vs Protected Health Information
With regard to the exemption for HIPAA-covered entities, it is important to be aware that the exemption only applies to health information protected by HIPAA. The definition of regulated health information in the New York Health Information Privacy Act is broader than the definition of Protected Health Information in HIPAA, and includes information that would not have HIPAA-protected status if it were maintained separately and outside of a designated record set.
Therefore, if a HIPAA covered entity collects, stores, uses, or discloses information that could identify the location of an individual, a device used by the individual, or the individual’s payment information – and the information relates to the individual’s physical or mental health – the information would have to be maintained in a designated record set alongside HIPAA-protected individually identifiable health information in order for the exemption to apply.
It is also important to be aware that the definition of regulated health information in the New York Health Information Privacy Act does not distinguish between electronic health information and health information in other formats. Despite the preamble to the Act focusing on tracking technologies, websites, and mobile apps, the New York Health Information Privacy Act applies to health information in all formats – i.e., spoken, paper records, and electronic data.
Permitted Uses and Disclosures of Regulated Health Information
Other than when an individual authorizes the use or disclosure of regulated health information, the New York Health Information Privacy Act lists seven occasions when it is permitted to process regulated health information:
- When providing or maintaining a specific product or service requested by the subject of the health information.
- When conducting internal business operations other than activities related to marketing, advertising, R&D, etc.
- When protecting against malicious, fraudulent, or illegal activity.
- When detecting, responding to, or preventing security incidents and threats.
- When protecting the vital interests of an individual.
- When investigating, establishing, preparing for, or defending legal claims.
- When complying with the regulated entity’s legal obligations.
The definition of “process” includes (but is not limited to) the collection, creation, use, access, sale, analysis, storage, or transmission of regulated health information. There is no equivalent standard to HIPAA’s minimum necessary standard, and regulated entities must securely dispose of/delete individuals’ regulated health information within sixty days after it is no longer necessary to keep the information for a permissible purpose, or if an authorization has expired.
Individuals’ Rights under the New York Health Information Privacy Act
The New York Health Information Privacy Act gives individuals – or their “authorized agents” – the right to request access to their regulated health information and request its disposal/deletion. There are no opportunities to request that regulated health information is corrected if errors are identified following an access request, nor to request an accounting of disclosures to see who regulated health information has been shared with or disclosed to.
Regulated entities must provide access to or dispose of/delete the information within thirty days of a request being received. They are also responsible for contacting all service providers and third parties with whom regulated health information has been shared to inform the service provider/third party of the disposal/deletion request. Service providers and third parties must confirm to the regulated entity that the information has been disposed of/deleted within thirty days.
Potential NYHIPA Compliance Challenges for HIPAA Covered Entities
In its current state, the New York Health Information Privacy Act (HIPA) presents numerous potential compliance challenges for HIPAA-covered entities. Some of these can be avoided by maintaining all the information collected and stored about an individual in a HIPAA-protected designated record set, as this would avoid having to maintain audit trails for two sets of information, two types of authorization forms, etc.
However, because HIPA contains no exemption for financial institutions, and because the definition of regulated health information is broader than the definition of Protected Health Information, it may be necessary for HIPAA covered entities to enter into HIPA agreements with payment processors (similar to Business Associate Agreements) in order to take payments from patients and plan members, as payment processors would qualify as service providers.
January 22, 2025: New York Assembly and Senate Pass New York Health Information Privacy Act
Although Passed, There Still May Be Changes to New York’s HIPA
The New York Assembly and Senate passed the New York Health Information Privacy Act on January 22, 2025, but it will not become effective until one year after it is signed into law by New York Governor Kathy Hochul. During this time, some areas of the Act may be rewritten to provide clarification. In addition, New York’s Attorney General is authorized by HIPA to “promulgate rules and regulations as necessary to effectuate and enforce the provisions of [the Act]”.
Nonetheless, regulated entities and service providers should prepare for NY HIPA now. Individuals and organizations that process regulated health data should conduct an internal audit to map the sources of data, how it is used, and where it is stored. It may also be necessary to review existing privacy policies to ensure they comply with the consent management requirements of the Act. Individuals and organizations unsure about how to prepare for NY HIPA are advised to seek professional compliance advice.
FAQs about the New York Health Information Privacy Act (HIPA)
Are HIPAA business associates exempt from the New York HIPA?
HIPAA business associates are exempted from the New York HIPA in respect of services provided for or on behalf of a HIPAA covered entity that involve the use and disclosure of Protected Health Information. However, if a HIPAA business associate provides a service to or on behalf of a HIPA-regulated entity as a service provider, the business associate is not exempt from the New York HIPA for that service and must keep HIPA-regulated data separate from HIPAA-regulated data.
There may be circumstances in which some business associates/service providers provide a service for HIPAA-covered entities, HIPA-regulated entities, and entities covered by neither Act (e.g., managed service providers). In such cases, it may be necessary to segregate operations for the different types of entity, or to implement safeguards that meet the most stringent compliance requirements – even if it means protecting some types of non-health data more than necessary.
Is there a difference between individuals’ rights under HIPA and individuals’ rights under HIPAA?
There is a subtle difference between individuals’ rights under the New York Health Information Privacy Act and individuals’ rights under HIPAA inasmuch as individuals covered by the New York Health Information Privacy Act can request access to – and deletion of – all the regulated health information held by a regulated entity or service provider. Individuals under HIPAA can only request access to Protected Health Information maintained in a designated record set.
Does New York’s HIPA apply to health records maintained by an employer?
New York’s HIPA applies to health records maintained by an employer in its role as an employer, but not to health records maintained by an employer to self-administer a qualifying self-insured health plan, as these are covered by HIPAA. However, if a self-insured health plan is exempt from HIPAA (e.g., because the employer has fewer than fifty employees), New York’s HIPA applies to all health records maintained by the employer.
Does NY HIPA have breach notification requirements?
NY HIPA does not have breach notification requirements because, since 2005, breach notifications have been a requirement of New York’s General Business Law §899-aa. The breach notification requirements in New York require HIPAA covered entities to notify the State Attorney General, the Department of State, the Department of Financial Services, and the Division of State Police of any electronic data breaches, in addition to notifying HHS’ Office for Civil Rights and affected individuals.
What are the penalties for violating HIPA?
The penalties for violating HIPA are a fine of up to $15,000 per violation or up to 20% of the revenue obtained from New York residents – whichever is the greater amount. In addition, if a HIPA regulated entity or service provider has profited from the violation, New York’s State Attorney General can pursue restitution of any money or property obtained from affected individuals and repayment (to the State) of any profits attributable to the violation.
How will regulated entities find out if changes are made to NY HIPA?
Regulated entities can find out if changes are made to NY HIPA by signing up to receive status alerts for the Act on the NY Senate website. It is also advisable for HIPAA-covered entities to subscribe to status alerts even though they may be exempted, as any future changes to the Act or rulemaking may have implications for the collection, storage, use, or disclosure of certain types of data that do not qualify as Protected Health Information under HIPAA.