New York Senate Passes Landmark Health Privacy Bill S-929

Clark Hill PLC

On Jan. 21, the New York Senate approved a groundbreaking health privacy bill, S-929. The legislation, modeled on Washington state’s My Health My Data Act, aims to extend protections over personal health information beyond the scope of federal HIPAA regulations. The bill is now under review in the New York Assembly’s Science and Technology Committee.

Why S-929 Is Needed

During Senate deliberations, Sen. Krueger emphasized the limitations of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA applies only to data within traditional healthcare settings, such as hospitals or doctor’s offices. In contrast, private companies often collect, process, and sell health-related data through apps, wearable devices, and other platforms without clear consumer consent or protections for personal health data. S-929 seeks to close this gap, offering New Yorkers greater control over their sensitive health information and addressing the growing commercialization of personal health data.

Key Provisions of S-929

The legislation would make it illegal to sell an individual’s regulated health information without their explicit consent. It also restricts the processing of health data unless the processing is:

  • Necessary for providing or maintaining a requested service or product
  • For conducting internal business operations
  • For ensuring security and preventing fraud or illegal activity

Additionally, the law introduces strict penalties for noncompliance. The New York Attorney General would oversee enforcement and rulemaking, ensuring adherence to these enhanced privacy measures.

Comparison with Washington State’s Law

While S-929 is inspired by Washington’s My Health My Data Act, it diverges in significant ways. The New York legislation does not include carve-outs for public data, research data, or information regulated under the Gramm-Leach-Bliley Act. But it does mirror the Washington law in that it applies broadly and does not exempt small businesses, meaning all companies handling health data of individuals present in New York must comply. This raises concerns about potential disruptions, as individuals traveling into the state could inadvertently subject companies to new legal obligations. Additionally, both laws employ a very broad definition of “regulated health information.” The laws will essentially apply to any information that can be linked to an individual and their physical or mental health, or that allows inferences of such a connection to be drawn. This includes location, payment details, or potentially internet browsing data when an individual is looking to engage health services, potentially implicating the advertising and marketing activities of companies providing health-related products or services.

The Broader Context

The American Civil Liberties Union (ACLU) of New York has endorsed S-929 and its Assembly counterpart. The stakes have grown since the Supreme Court overturned Roe v. Wade, prompting fears that digital footprints could be used to prosecute individuals seeking abortions. The ACLU pointed to the pervasive collection of data through period-tracking apps, search histories, and even changes in purchasing behavior as areas of concern.

What’s Next?

The bill is set to move through the Assembly’s Codes and Science & Technology Committees, with discussions beginning as early as this week. If enacted, S-929 would place New York along with Washington at the forefront of health data privacy, offering comprehensive protections to its residents and setting a new benchmark for state-level privacy legislation.

With mounting public and legal scrutiny over data misuse, New York’s proactive approach could signal a broader shift toward stricter privacy regulations across the United States.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Clark Hill PLC
