On January 22, the New York state legislature passed the New York Health Information Privacy Act (S929 / A2141) (“NYHIP”). If signed into law, NYHIP would join Washington and Nevada in a growing trend of states regulating consumer health information. Though NYHIP contains many similarities with laws in Washington and Nevada, there are a few unique provisions, as discussed below. Among them, NYHIP applies to “Regulated Health Information” or “RHI” that is defined as “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual.” Unlike the health privacy laws in Washington and Nevada, NYHIP does not provide an inclusive list of health data.
NYHIP would require regulated entities to obtain a “valid authorization” prior to processing RHI unless such processing is “strictly necessary” for certain enumerated purposes, including providing a product or service requested by the individual or certain limited internal business operations. NYHIP does not clarify what it means for a processing activity to be considered “strictly necessary.”
Where such an authorization is required, a valid authorization must, among other requirements:
- Be made at least twenty-four (24) hours after an individual creates an account or first uses the requested product or service; and
- If multiple categories of processing are involved, provide an ability to “provide/withhold” authorization for each category separately.
Continue Reading New York Legislature Passes Health Privacy Act