New York’s new Health Information Privacy Act (HIPA) is poised to become one of the strictest state laws governing how health information is processed and shared.
- Broad Scope and Applicability: The law covers any organization that processes data even tangentially related to an individual’s physical or mental health. This means companies of all sizes—and not just traditional healthcare providers—could be subject to the law if they have any connection to New York or process data via a New York-based contractor.
- Wide Definition of Regulated Information: Regulated data isn’t limited to typical medical records. It extends to any information reasonably linkable to a person or device, which can include seemingly ordinary data such as purchase histories or notifications like a restaurant noting an allergy. This expansive definition aims to protect even less obvious pieces of health-related data.
- Few Exemptions: Unlike other privacy laws, this act leaves little room for exceptions. Notably, it does not carve out employment-related information. Thus, data from job applications or disability accommodations is also covered under the law.
- Beyond Monetary Transactions: The law isn’t just about the sale of health information for cash. It also restricts sharing data in exchange for other valuable considerations, broadening its regulatory reach compared to more narrowly defined rules in other jurisdictions.
- Comparisons with Other Laws: The act is designed to be more rigorous than existing frameworks like HIPAA or even Washington state’s “My Health My Data” law, setting a new bar for state-level health data privacy and imposing potential operational and compliance challenges.
- Pending Finalization: Although the legislature has passed the bill, it’s awaiting Governor Kathy Hochul’s signature. There remains a possibility for changes before it becomes law, but even in its current form, organizations must prepare for a significantly more complex regulatory environment.
This comprehensive approach means that many organizations, some of which might not have previously considered themselves subject to health information privacy regulations, will need to re-examine their data handling practices to ensure compliance under this new law.