On December 19, 2025, New York Governor Kathy Hochul vetoed the New York Health Information Privacy Act (“NYHIPA”).  While NYHIPA bore similarities to Washington’s My Health My Data Act (“MHMD”) and Nevada’s Health Privacy Law (“SB 370”), it had several provisions that would have raised novel compliance and legal questions.

  • Regulated Entities. NYHIPA’s scope would have applied more broadly than other similar laws, including to entities processing regulated health information of an individual who is physically present in New York during the period the individual is located in the state.  It is not clear how such a provision would have applied where companies do not collect precise geolocation in the regular course or do not link such geolocation data with account-level data.
  • Regulated Health Information. NYHIPA would have governed “regulated health information” (“RHI”), defined as “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual.”  In comparison, MHMD and SB 370 are focused on personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s health status.  Especially since NYHIPA’s definition lacked any examples of RHI, it was unclear whether and how the scope of the definition was intended to differ from that of other state laws.
  • “Valid Authorization” Requirements. NYHIPA required regulated entities to obtain “valid authorization” prior to processing RHI, unless the processing is “strictly necessary” for one of seven enumerated purposes.  Where required, NYHIPA included a novel standard for valid authorization, including that authorization must be executed “at least twenty-four hours after an individual creates an account or first uses the requested product or service.”
  • Retention Schedule. NYHIPA would have required regulated entities to maintain a publicly available retention schedule and dispose of an individual’s RHI pursuant to such schedule within a reasonable time, and “in no event later than sixty days, after it is no longer necessary to maintain for the permissible purpose or purposes identified.”
  • Exemptions. NYHIPA raised questions about the interplay with federal sectoral privacy laws.  While it included exemptions for protected health information (“PHI”) collected by covered entities or business associates subject to the Health Insurance Portability and Accountability Act, as amended, and its implementing regulations (“HIPAA”), it did not include other standard exemptions.  For example, it lacked exemptions found in MHMD and SB 370 for financial data regulated by the Gramm-Leach-Bliley Act (“GLBA”) and the Fair Credit Reporting Act (“FCRA”), employee data, data used for public health purposes as described in HIPAA (e.g., adverse event reporting), and data that has been de-identified in accordance with HIPAA.
Libbie Canter

Libbie Canter represents a wide variety of multinational companies on managing privacy, cyber security, and artificial intelligence risks, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with U.S. and global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state laws, including the California Consumer Privacy Act, the Colorado AI Act, and other state laws. As part of her practice, she also regularly represents clients in strategic transactions involving personal data, cybersecurity, and artificial intelligence risk and represents clients in enforcement and litigation postures.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Chambers USA 2025 ranks Libbie in Band 3 Nationwide for both Privacy & Data Security: Privacy and Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office, where she is a member of the Data Privacy and Cybersecurity and Health Care Practice Groups and advises clients on a broad range of regulatory and compliance issues related to privacy and health care.

Elizabeth’s practice includes counseling clients on compliance with the complex web of health information privacy laws and regulations, such as HIPAA, the FTC’s Health Breach Notification Rule, and state medical and consumer health privacy laws as well as state consumer privacy and genetic privacy laws. She also advises clients on health care compliance issues, such as fraud and abuse, market access, and pricing and reimbursement activities.

Elizabeth routinely advises on regulatory compliance as part of transactions, clinical trial programs, collaborations and other activities that involve genetic data, and the development and operation of digital health products. As part of her practice, Elizabeth routinely counsels clients on drafting and negotiating privacy and health care terms with vendors and third parties and developing privacy notices and consent forms. In addition, Elizabeth maintains an active pro bono practice.

Elizabeth is an author of the American Health Law Association treatise, Pricing, Market Access, and Reimbursement Principles: Drugs, Biologicals and Medical Devices and the U.S. chapter of the Global Legal Insights treatise, Pricing & Reimbursement Laws and Regulations.

Ariel Dukes

Ariel Dukes is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group.

Ariel counsels clients on data privacy, cybersecurity, and artificial intelligence. Her practice includes partnering with clients on compliance with comprehensive privacy laws, FTC and consumer protection laws and guidance, and laws governing the handling of health-related data. Additionally, Ariel routinely counsels clients on drafting and negotiating privacy terms with vendors and third parties, developing privacy notices and consent forms, and responding to regulatory inquiries regarding privacy and cybersecurity topics. Ariel also advises clients on trends in artificial intelligence regulations and helps design governance programs for the development and deployment of artificial intelligence technologies across a number of industries.

Olivia Vega

Olivia Vega advises global companies on a broad spectrum of privacy, healthcare, and technology matters, helping them navigate both established and emerging laws and regulations. Her practice includes helping clients comply with state privacy laws, such as the California Consumer Privacy Act and the Washington My Health My Data Act, as well as federal frameworks like HIPAA and the privacy standards established by the Federal Trade Commission.

As part of her practice, Olivia helps clients develop privacy notices and policies, negotiate privacy terms with third-party vendors, and design governance programs for new products and services. Olivia also represents clients in enforcement actions brought by the Federal Trade Commission, particularly in areas like data privacy, artificial intelligence, and marketing practices. In addition, she plays a key role in advancing clients’ advocacy efforts during regulatory rulemaking processes on issues related to data privacy, cybersecurity, and artificial intelligence.

Olivia maintains an active pro bono practice, including assisting small and nonprofit entities with data privacy topics.

Natalie Maas

Natalie is an associate in the firm’s San Francisco office, where she is a member of the Food, Drug, and Device, and Data Privacy and Cybersecurity Practice Groups. She advises pharmaceutical, biotechnology, medical device, and food companies on a broad range of regulatory and compliance issues.

Natalie also maintains an active pro bono practice, with a particular focus on health care and reproductive rights.

Kyle Falkner

Kyle Falkner is an associate in the firm’s Washington, DC office. He is a member of the Data Privacy and Cybersecurity Practice Group and the Health Care Practice Group.

Kyle advises clients on a wide range of data privacy, technology, and health care issues. He assists clients in complying with U.S. state and federal privacy laws as well as federal health care laws and regulations.

Kyle also maintains an active pro bono practice focused on supporting international human rights initiatives and assisting small businesses and non-profits with data privacy compliance.