Navigating Compliance with the New York Health Information Privacy Act (NYHIPA)

By Morgan Sullivan

Senior Content Marketing Manager II

March 12, 2025


At a glance: New York Health Information Privacy Act (NYHIPA)

  • Passed on January 22, 2025, the New York Health Information Privacy Act (NYHIPA) will bring major changes to how New York businesses collect, process, and store regulated health information (RHI).
  • Still awaiting the Governor's signature, this bill will go into full effect one year after it's signed.
  • This law will impose strict compliance requirements on businesses handling New York residents’ RHI, including prohibitions on selling RHI to third parties, providing health privacy notices and notice updates separately, and obtaining valid consent for RHI processing.
  • Keep reading to learn more about key requirements under NYHIPA, plus steps businesses should take to prepare for compliance.

Key compliance requirements under NYHIPA

1. Broad scope of regulated health information

One of the most notable aspects of New York’s new health data privacy law is its broad definition of regulated health information (RHI). The law covers not only traditional health data such as medical records, but also extends to non-HIPAA regulated information, including:

  • Wellness habits
  • Purchase histories
  • Location data
  • Payment information related to physical or mental health
  • Inferences made about an individual’s health

This wide-reaching definition ensures that businesses processing any health-related data must comply with NYHIPA, regardless of whether it’s tied to a clinical context.

2. Valid authorization for data processing

The New York Health Information Privacy Act (NYHIPA) requires that businesses obtain valid authorization before handling regulated health information (RHI). There are limited exceptions where this authorization isn't required, such as when it's "strictly necessary" for providing a service or product, or for essential activities like fraud prevention and ensuring security.

It’s important to note that processing RHI for marketing, advertising, or research does not fall under NYHIPA's definition of “strictly necessary,” meaning businesses must obtain valid consent before collecting and processing RHI for these purposes.

NYHIPA also takes a strict stance on the sale of RHI, banning it outright. This includes sales of RHI through third-party tracking and ad-targeting technologies, like pixels.

To meet NYHIPA’s standards, businesses must:

  1. Separate the user’s authorization from other transactions
  2. Wait at least 24 hours after account creation or service use before requesting consent
  3. Provide clear disclosures on how the data will be used, shared, and stored
  4. Give individuals the ability to revoke consent at any time

New York’s health data privacy law is stricter than many other state laws. While other laws may allow data processing for marketing or research with consent, NYHIPA’s total ban on the sale of health data sets it apart.

3. Transparency and privacy notices

NYHIPA requires a high level of transparency, with provisions that compel businesses to:

  • Provide clear, detailed privacy notices outlining data collection practices, third-party sharing, and the rights of individuals regarding their personal health data
  • Give individuals a simple way to access, delete, and revoke consent for RHI processing at any time
  • Explain when RHI may be disclosed to law enforcement

These notices must be clear and accessible, especially for individuals with disabilities—ensuring consumers fully understand their rights before providing consent.

4. Service provider contracts

Under NYHIPA, businesses that engage third-party service providers to process regulated health information (RHI) must ensure these providers fully comply with the law’s requirements.

This mirrors the Business Associate Agreement under HIPAA and requires regulated entities to enter into binding contracts with service providers that include key provisions around confidentiality, consumer rights, and data handling.

The agreements must stipulate that service providers:

  • Limit data processing to what’s strictly necessary for the services being provided
  • Follow the same security and privacy protocols as the regulated entity
  • Respect consumer rights, including access to, deletion of, and the ability to revoke consent for their RHI
  • Ensure deletion or return of RHI upon the termination of the agreement

One unique provision of NYHIPA is the requirement that service providers not combine RHI with any other personal information, whether received from third parties or from their own separate relationships with individuals. This may require service providers to update their technical infrastructure to ensure data segregation, preventing the mingling of health data with other types of personal data.

These provisions ensure that businesses maintain strong control over how RHI is handled by third parties, safeguarding consumer privacy and ensuring compliance with NYHIPA’s strict standards.

5. Security measures

Businesses must implement robust security measures to safeguard RHI. These include administrative, technical, and physical safeguards to protect data from unauthorized access, disclosure, or loss. Additionally, data must be securely disposed of within 60 days after the end of its processing purpose.

NYHIPA compliance checklist

With the potential for significant penalties, it’s essential for businesses to take proactive steps to ensure compliance with NYHIPA. Here’s a checklist for preparation:

1. Complete a data inventory: Step one for any business under NYHIPA is conducting a thorough audit and data inventory to determine when and how it collects or processes RHI. This includes mapping out what data is being gathered and how it’s being used, and confirming that each data point is necessary and authorized under NYHIPA guidelines.

2. Update privacy policies and notices: Privacy notices need to be updated to clearly communicate data collection practices, usage, sharing, and individuals’ rights. Make sure these notices are easy to access and written in clear, understandable language.

3. Implement consent mechanisms: Businesses under the NYHIPA need to implement comprehensive and granular consent mechanisms that allow individuals to provide or revoke authorization for each use of their RHI. Be sure this mechanism meets NYHIPA’s timing and disclosure requirements.

4. Strengthen security protocols: Invest in security measures to safeguard RHI. This includes enhancing data encryption, access controls, and secure storage practices. Implement retention schedules that ensure RHI is only kept as long as necessary and securely disposed of after processing.

5. Review service provider agreements: If your business works with service providers, ensure their contracts are updated to include provisions that ensure third parties comply with NYHIPA, particularly regarding limitations on how RHI can be processed and shared.

6. Train employees and monitor compliance: Regular training should be conducted to ensure that all employees are aware of NYHIPA requirements and understand how to handle RHI. Businesses should also implement regular audits and compliance checks.

The future of NYHIPA: Potential challenges and criticisms

NYHIPA has already been the subject of significant debate.

Critics argue its broad scope and stringent requirements could impose high compliance costs on businesses, particularly digital health companies. The law’s rigid rules on customer authentication have also raised concerns, since they leave businesses little latitude when handling consumer requests.

Another criticism is that certain types of health-related data, such as data used in clinical trials, are exempt from the law. Some argue this leaves gaps in the protection of sensitive health information.

About Transcend

Transcend is an all-in-one platform for modern privacy and data governance. Encoding privacy at the code layer, we provide solutions for any privacy challenge your teams may be facing—including getting you ready for state privacy laws coming online in 2025.

From Consent Management, to DSR Automation, to a full suite of data mapping solutions (Data Inventory, Silo Discovery, Structured Discovery, and more), Transcend has you covered as your company grows and evolves in a swiftly changing regulatory environment.
