N.Y. Senate Quickly Passes Health Data Privacy Bill

The healthcare data bill moved quickly through the Senate. Sen. Liz Krueger introduced the measure Jan. 8 with nine other Democrats (see 2501080038). The Senate initially referred it to the Internet and Technology Committee, but on Tuesday the Senate decided to bypass the committee process through a discharge. The bill will go next to the Assembly, which has similar legislation (A-2141) pending in the Science and Technology Committee. The health privacy bill "will be moving through the Assembly Codes and Science & Technology committees" on Wednesday, a Krueger spokesperson emailed after the vote.

S-929 “expands a right we think we have” under the federal Health Insurance Portability and Accountability Act, said Krueger on the Senate floor. “We think we know about this thing called HIPAA, where our information about our confidential health information can’t be sold or distributed, but that’s not true because HIPAA only covers information used in a hospital … or a doctor’s office setting. And there are endless examples of where private companies get our health data, sell our health data, and we find that we have no confidentiality.”

The state AG would enforce the proposed law and implement rules. Among other things, the legislation would make it unlawful to sell a person’s regulated health information to a third party or otherwise process it unless the “individual has provided valid authorization for such processing” or processing “is strictly necessary” for various reasons, including “providing or maintaining a specific product or service requested by such individual,” conducting internal business operations, security and protecting against fraud or illegal activity.

Unlike the Washington state law, S-929 doesn’t have carve-outs for public data, research data or Gramm-Leach-Bliley Act data, noted Future of Privacy Forum Senior Director Keir Lamont on LinkedIn. But similar to the Washington legislation, New York also doesn’t carve out small businesses, he said. “Critically, companies would come into the scope of [S-929] if they have a customer who is physically present in New York, raising the possibility that individuals would lose access to health services if they enter the state.”

The American Civil Liberties Union of New York in a Friday memo supported S-929 and A-2141. The stakes are even higher since the U.S. Supreme Court overturned Roe v. Wade, the group wrote. “It is impossible to have an abortion without leaving a digital trail. There will be search histories; possibly phone records, travel itineraries, or Fitbit or period-tracker app data; changes in purchasing history that suggest a pregnancy; and the list goes on.”