Overview
For more information related to state privacy laws, please visit McDermott’s Global Privacy & Cybersecurity Resource Center, a one-stop shop for timely webinars, thought leadership, and insights covering critical developments that impact data privacy and compliance worldwide.
On January 22, 2025, the New York Assembly passed Senate Bill S929, titled the New York Health Information Privacy Act (New York HIPA). The act is now on its way to Governor Kathy Hochul for her signature.
If signed into law, New York HIPA will impose strict requirements on entities that handle health or wellness-related consumer data and will share a number of similarities with Washington state’s My Health My Data Act (MHMDA), another far-reaching consumer health data privacy law. Both New York HIPA and the Washington MHMDA have significant implications for entities operating in various sectors, including advertisers, mobile app providers, wearable device providers, wellness and nutrition companies, and processors handling health information. While New York HIPA exempts Health Insurance Portability and Accountability Act (HIPAA)-covered entities, this exemption only applies to the extent that covered entities are processing HIPAA-protected health information (PHI). Therefore, while patient medical records, for example, may be excluded from the law’s application, other personal information that medical providers and their business associates collect, and that has historically not been treated as PHI, is likely to be subject to its provisions.
New York HIPA prohibits companies and nonprofits from selling an individual’s regulated health information without their consent. More significantly, the act prohibits entities from processing regulated health information unless such processing is “strictly necessary” for providing or maintaining a requested service or product, or if that collection and processing otherwise fits within a very narrow set of exemptions. For all other collection and processing, entities must obtain prior authorization via a lengthy form that must be delivered to consumers separately from any other transaction. This authorization is revocable and must expire after one year.
We discuss the key features and requirements of New York HIPA below, alongside notable comparisons to the MHMDA.
In Depth
KEY FEATURES AND REQUIREMENTS
New York HIPA contains several key features that, if signed into law, will make it one of, if not the, broadest state consumer health privacy laws:
I. A Uniquely Broad Definition of Regulated Health Information
New York HIPA’s definition of regulated health information encompasses an extremely broad range of non-HIPAA-regulated data, from an individual’s personal wellness habits to their purchase histories. It also includes location and payment information that “relates to an individual’s physical or mental health” as well as “any inference drawn or derived about an individual’s physical or mental health that is reasonably linkable to an individual.” While the Washington MHMDA uses a similarly broad definition for “consumer health information,” the MHMDA specifically carves out public data, research data, and information regulated under the Gramm-Leach-Bliley Act. Significantly, New York does not exempt these types of data, nor does it exempt HIPAA-covered entities or business associates in their entirety, or financial entities, such as banks, credit card companies, credit unions, and other institutions involved in handling payment information.
II. An Equally Broad Definition of Regulated Entities
New York HIPA’s scope is quite broad, in that it will regulate any for-profit or not-for-profit entity, regardless of size, that (a) controls the processing of regulated health information of an individual who is a New York resident, (b) controls the processing of regulated health information of an individual who is physically present in New York while that individual is in New York, or (c) is located in New York and controls the processing of regulated health information. Under this definition, any company that collects non-HIPAA-regulated health, wellness, or nutritional information pertaining to a New York resident, or even such information pertaining to a visitor while they are in the state, is considered a regulated entity. New York HIPA can be interpreted so broadly as to cover non-New York entities processing non-New York-related data of non-New York residents, simply because those individuals happen to be located in New York at the time of processing.
III. Narrow Restrictions on What Constitutes “Strict Necessity” for Purposes of Collection and/or Processing
New York HIPA requires regulated entities to obtain “valid authorization” to collect or process regulated health information, with a limited set of exemptions for processing activities that are “strictly necessary.” Under New York HIPA, processing is only strictly necessary when used to:
- Provide products or services requested by a customer
- Conduct certain limited internal business operations
- Protect against or detect security incidents or threats
- Protect the vital interests of the individual
- Investigate or defend against legal claims
- Comply with legal obligations
Notably, strict necessity expressly excludes “any activities related to marketing, advertising, research and development, or providing products or services to third parties.” New York HIPA intends to limit marketing and advertising without consumer authorization. However, the law is so broad that it is also likely to hamper the efforts of regulated entities to conduct general outreach that is helpful and, in many cases, necessary for consumers to become aware of new medications, research, and clinical trials.
IV. Onerous Authorization Requirements for Purposes of Collection and/or Processing
Because several routine collection and processing activities fall outside of what is “strictly necessary” under New York HIPA, many entities will need to obtain “valid authorization” from consumers. This authorization differs significantly from typical opt-in requirements in other state consumer privacy laws. A regulated entity’s request that a consumer fill out this form must be made independently of any other transaction and cannot be made within the first 24 hours of a customer’s initial use of a requested product or service. This requirement effectively precludes regulated entities from offering products or services to customers during the initial account registration process, to the extent those products or services process any regulated health information.
Furthermore, if the authorization form pertains to multiple categories of processing activities, it must allow individuals to provide or withhold authorization for each activity and the form must not include any request for authorization for a processing activity for which an individual has previously withheld or revoked authorization within the past calendar year. This level of complexity significantly exceeds the scope of a typical opt-in function. In particular, the requirement to provide tailored forms that track when authorization was given and revoke such authorization after one year is likely to create numerous costly compliance issues for regulated entities and present significant challenges for their information technology teams.
According to New York HIPA, authorization may not be obtained by deceptive pattern or design (authorization may not be obtained via any mechanism “with the purpose or substantial effect of obscuring, subverting, or impairing an individual’s decision-making”), and the form itself must include a host of information, such as:
- The types of regulated health information to be processed
- The nature of the processing activity
- The purpose of processing
- The names or categories of service providers or third parties with which customer information may be shared
- A general disclaimer stating that failure to provide authorization will not interfere with a consumer’s experience of using the regulated entity’s products or services
- Any monetary or other valuable consideration a regulated entity may receive in connection with such processing
- An expiration date of the authorization
- The mechanism by which a consumer may revoke authorization
- The mechanism by which the individual may request access to and deletion of their regulated health information
- Any other information material to an individual’s decision-making regarding authorization for processing
- The signature (including an electronic signature) of the individual, or their parent or guardian if authorized by law
While this authorization form is meant to “clearly” disclose processing to individuals, it will likely be both onerous for regulated entities to create and manage and burdensome for customers to read and use.
V. Onerous Revocation and Notice Requirements
If a regulated entity is still able to collect or process regulated health information after navigating these various restrictions, it must also provide consumers with an effective, efficient, and easy-to-use mechanism to revoke authorization. Entities that provide consumers with online accounts must give them the ability to easily access, within their account settings, a list of all processing activities for which the consumer has provided authorization and allow the consumer to revoke authorization in the same place with one motion or action. While granting authorization is a weighty and complex process, revoking authorization must be as simple as a swipe of the finger. Upon receipt of such revocation, the regulated entity must “immediately” cease processing activities, subject to limited exemptions.
Significantly, regulated entities intending to offer new or materially altered processing activities must obtain new authorization for each activity. In essence, this requires regulated entities to assess whether updated products or services include “material changes” and, if so, to roll out new and updated authorization forms for each consumer of those updates. Moreover, because valid authorization cannot be granted within 24 hours of a consumer requesting a product or service, regulated entities will not, for example, be able to launch material app updates alongside a new authorization form. Instead, apps may be forced to request that consumers install the update, and then (at least a day later), provide notice of material processing changes alongside a request for authorization.
VI. Broad and Largely Unworkable Security Requirements
While New York HIPA would require regulated entities to develop, implement, and maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of regulated health information, it lacks specific guidance on how regulated entities should verify consumer requests to access or delete their data. Without a defined verification process, regulated entities may be compelled to comply with all such requests (within 30 days) without sufficient grounds to decline a faulty or fraudulent request.
Furthermore, New York HIPA would permit third-party agents to act on a consumer’s behalf in making such requests, but it fails to provide a mechanism for a regulated entity to verify that third-party agent’s identity or that they are authorized to act on behalf of a specific consumer. This vulnerability could enable malicious actors to easily access an individual consumer’s health, wellness, and nutritional information for unauthorized and potentially harmful purposes.
VII. Wide-Ranging Investigatory Powers and Harsh Penalties
New York HIPA would grant the New York attorney general the authority to investigate suspected violations and bring enforcement actions. Such actions can result in civil penalties of up to $15,000 per violation or 20% of revenue obtained from New York consumers within the past fiscal year, whichever is greater, as well as other forms of relief. Although the New York HIPA does not offer a private right of action like the Washington MHMDA, this penalty structure is notably strong in comparison because the MHMDA authorizes the Washington attorney general to levy penalties of up to $7,500 per violation. This severe penalty structure, in conjunction with the confusing and occasionally conflicting requirements outlined above, could deter entities from offering services in New York and increase their compliance costs.
WHAT’S NEXT?
New York HIPA will take effect one year after it is signed by the governor. Assuming it is signed into law, prior to its effective date, the New York attorney general may promulgate rules and regulations necessary to effectuate and enforce its provisions. McDermott will continue to keep you apprised of future developments, so stay tuned.
If you have questions or need assistance preparing for the new state consumer laws, please contact your regular McDermott lawyer or one of the authors.