New York Health Information Privacy Act (NYHIPA): A Bold Leap in Health Data Protection


On January 22, 2025, the New York State Assembly and Senate passed Senate Bill S929, known as the New York Health Information Privacy Act (NYHIPA), marking a significant step toward regulating consumer health data. Awaiting Governor Kathy Hochul’s signature, NYHIPA would impose some of the strictest health privacy rules in the U.S. on entities handling “regulated health information” (RHI): data reasonably linkable to an individual that relates to their physical or mental health, including related location and payment information. Unlike HIPAA, which covers traditional healthcare entities, NYHIPA’s broad scope reaches digital health companies, wellness apps, advertisers, and more, promising robust consumer protections while raising real compliance challenges.

A “Strictly Necessary” Standard

NYHIPA prohibits processing RHI unless it is “strictly necessary” to provide a product or service the consumer requested, to conduct internal business operations (which expressly excludes marketing, advertising, and research and development), or to meet legal obligations. This standard is stricter than the “reasonably necessary” threshold in laws like California’s CCPA, and it effectively bars using health data for advertising, marketing, or services to third parties unless the consumer has given a valid authorization. For example, a fitness tracker can process location data to map a run but cannot sell that data for ads. This data-minimization approach resembles Maryland’s MODPA, but NYHIPA goes further than most state laws in treating ordinary opt-in consent as insufficient: any use beyond the strictly necessary requires a separate, formal authorization, so companies must justify every data use as essential or obtain that authorization.

Who’s Affected?

NYHIPA applies to any entity that controls the processing of RHI belonging to New York residents or to individuals physically present in New York when their data is collected, and to any entity located in the state. This expansive reach pulls in non-healthcare players: wearables, nutrition apps, or employers running wellness programs. HIPAA-covered entities are exempt only for data they treat as protected health information, leaving their non-HIPAA data (e.g., employee health records) in scope. With no revenue or size thresholds, even small startups face NYHIPA’s mandates, a departure from laws like Washington’s My Health My Data Act (MHMDA), which amplifies its impact across industries.

Authorization Over Consent

Where processing isn’t “strictly necessary,” NYHIPA demands “valid authorization”: a standalone, detailed disclosure signed by the consumer, distinct from typical opt-in consent. Authorization cannot be requested until at least 24 hours after account creation, and consumers can revoke it at any time, which requires processing under that authorization to stop immediately. This contrasts with MHMDA’s simpler consent model and adds layers of operational complexity. Companies must also honor access and deletion requests within 30 days, and third-party agents may act on a consumer’s behalf. Because the bill leaves verification processes undefined, businesses need their own procedure for confirming a requester’s identity and an agent’s authority; otherwise an access request becomes a route for disclosing RHI to an impostor, and a deletion request becomes a route for destroying a legitimate user’s records.

Enforcement and Penalties

The New York Attorney General holds enforcement power, with civil penalties up to $15,000 per violation or 20% of annual revenue from New York consumers, whichever is greater. If signed, NYHIPA takes effect one year after it becomes law (early 2026 if signed promptly), with potential rulemaking to clarify ambiguities. Unlike MHMDA, there is no private right of action, but the financial stakes are high, especially for data-heavy firms. Businesses must also maintain “reasonable” safeguards and dispose of RHI within 60 days after it is no longer necessary for its purpose, following a publicly posted retention schedule.

Almeida Law Group and the Litigation Risk Around NYHIPA

Almeida Law Group, a firm based in Chicago, Illinois, has made a name for itself by suing healthcare businesses, particularly those based in New York. Its earlier cases relied on the Electronic Communications Privacy Act (ECPA), a federal wiretap and privacy statute, as the basis for class actions against business owners in the medical space who did not see the suits coming. Although NYHIPA itself gives consumers no private right of action, its detailed statutory standards for how health data may be collected and used could sharpen the theories that firms like Almeida bring under other laws, and Attorney General enforcement adds a second source of exposure. The risk is not confined to New York: the law reaches any business handling the RHI of New Yorkers, wherever that business is located.

Broader Implications and Industry Impact

NYHIPA’s passage reflects a post-Dobbs urgency to protect health data, particularly reproductive information, amid rising digital tracking concerns. Its broad RHI definition—covering inferences and behavioral data—could disrupt digital advertising, where health-related targeting is lucrative. For instance, a retailer inferring pregnancy from purchase history might need authorization to use that insight, a hurdle not seen in most state laws. Critics, including digital health advocates, warn of a “chilling effect” on innovation. Companies reliant on data for R&D or patient engagement—like telehealth platforms or wearable makers—may struggle to adapt, facing higher compliance costs and operational limits.

Take the hypothetical case of a mental health app: it could log user moods for therapy but not analyze them for product improvements without authorization. Such restrictions might deter feature development, especially for startups with tight budgets. Larger firms, meanwhile, could shift resources out of New York, though the law’s extraterritorial reach—covering data of New Yorkers anywhere—complicates avoidance. The exclusion of marketing from “strictly necessary” purposes also threatens ad-driven models, potentially reshaping how health services reach consumers.

Compliance Challenges Ahead

The law’s vagueness around “strictly necessary” and verification processes poses immediate challenges. Is location data “strictly necessary” for a diet app’s meal logging if it enhances the user experience but is not core to the service? Without guidance, businesses risk over- or under-compliance, either stifling functionality or inviting fines. The 24-hour authorization delay and instant-revocation rules demand agile systems, likely requiring new consent tools and workflows that record when an account was created, when each authorization was requested and granted, and that stop downstream processing the moment an authorization is withdrawn. Firms should audit their data practices now; we suggest conducting a Data Protection Impact Assessment (DPIA) that maps every RHI flow, identifies which uses are strictly necessary, and prunes the rest, a daunting task for those already juggling multiple state laws.

A National Trend?

NYHIPA joins Maryland, Washington, and Nevada in targeting consumer health data beyond HIPAA’s scope, suggesting a national shift toward stricter privacy. If Hochul signs it, New York could set a precedent, pressuring other states to follow. Yet, its rigidity might spark pushback from industry, mirroring debates over Maryland’s MODPA. For consumers, it’s a win for control over sensitive data; for businesses, it’s a call to rethink data strategies. As rulemaking unfolds, clarity may emerge—but until then, NYHIPA’s bold stance leaves companies bracing for a privacy-first future.

If you need help complying with NYHIPA and are looking for software to automate compliance with New York State’s privacy laws, book a demo with the superhero team here at Captain Compliance.
