New Year, New Rules? New York’s Health Privacy Bill S-929 advances

Just in time for setting a new year’s resolution, the New York Senate passed health privacy bill S-929. The bill was first introduced during the 2024 legislative session but failed to pass. Now, in the early weeks of 2025, S-929 has passed the Senate unchanged from its 2024 text. The bill will now move to the Assembly Codes and Science & Technology Committees for further consideration.

Modeled after Washington state’s My Health My Data Act, S-929 would introduce key requirements that would transform how personal health information is collected, used, stored, and shared.

The bill would target companies that collect and sell health care information, offering consumers additional rights and protections regarding the sale of their personal health information (PHI). According to bill sponsor state Sen. Liz Krueger (D-Dist. 28), the bill would require New York residents to affirmatively opt into any sharing of their PHI with covered entities. Sen. Krueger noted that a major limitation of the federal Health Insurance Portability and Accountability Act (HIPAA) is the fact that it applies only to health data accessible through doctors and hospitals, leaving all other information “fair game.”

Key provisions

The bill would provide a broad definition of “regulated health information,” which includes any information that is reasonably linkable to an individual or a device, and is collected or processed in connection with the physical or mental health of an individual. “Regulated health information” would also include location or payment information that relates to an individual's physical or mental health, or to any inference drawn or derived about an individual's physical or mental health that is reasonably linkable to an individual or a device. However, it would not include de-identified information.

Notably, the bill’s coverage is not limited to New York organizations. It would apply to any entity, wherever located, that collects or processes the regulated health information of a New York resident.

S-929 would make it unlawful for an entity to process regulated health information unless either the individual has provided valid authorization or the processing is strictly necessary for one of the purposes the bill enumerates. For an authorization to be valid, the following terms would apply:

  • The request would have to be separate from any other transaction.
  • The request would have to be made at least 24 hours after an individual creates an account or first uses the requested product or service.
  • The request would have to be made in the absence of any mechanism that has the purpose or substantial effect of obscuring, subverting, or impairing an individual's decision-making regarding authorization for processing.
  • If requesting authorization for multiple categories of processing activities, the entity would be required to allow the individual to provide or withhold authorization separately for each category of processing activity.
  • The entity would not be permitted to make any request for authorization for a processing activity for which the individual has withheld or revoked authorization within the past calendar year.

S-929 would also allow individuals to revoke an authorization they have given. When authorization is revoked, the covered entity would be required to “immediately cease all processing activities for which authorization was revoked, except to the extent necessary to comply with the [covered entity’s] legal obligations.”

If it becomes law, S-929 will be enforced by the Office of the New York Attorney General. The AG would be authorized to bring an action or special proceeding to obtain restitution, disgorgement of profits, and civil penalties of up to $15,000 or 20 percent of revenue obtained, whichever is greater.

Next steps

As noted above, the bill will now move to the Assembly Codes and Science & Technology Committees for further consideration. Should it pass the Assembly, it will be presented to Gov. Kathy Hochul (D) for her signature. It is not known whether Gov. Hochul supports the bill, but if she signs it into law, S-929 would take effect 180 days afterward.

The Constangy Cybersecurity & Data Privacy team assists businesses of all sizes and industries with implementing necessary updates to their privacy and compliance programs to address these complex and evolving regulatory requirements. If you would like additional information on how to prepare your organization, contact us directly at cyber@constangy.com.


The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 
