Privacy Daily is a service of Warren Communications News.
Unintended Consequences?

N.Y. Assembly Passes Health Data Privacy Bill Despite GOP Concerns

New York state health data privacy legislation could soon hit the governor’s desk after the Assembly and Senate quickly passed bills this week. Despite Republican opposition on the Assembly floor Wednesday, members voted 95-41 to pass S-929, the Senate version that was substituted for A-2141. The two effectively identical bills have been compared to Washington state’s My Health My Data law. The Senate passed S-929 on Tuesday after bypassing its committee process (see 2501210068). Republicans and the Computer & Communications Industry Association (CCIA) raised concerns with the legislation, which is supported by the American Civil Liberties Union (ACLU).

"New Yorkers will finally be in control of their most private and sensitive health data," said A-2141 sponsor Linda Rosenthal (D). The proposed law would make it unlawful to sell a person’s regulated health information to a third party or otherwise process it unless the “individual has provided valid authorization for such processing” or processing “is strictly necessary” for various reasons, including “providing or maintaining a specific product or service requested by such individual,” conducting internal business operations, security and protecting against fraud or illegal activity. The state AG would enforce the proposed law and implement rules.

The Assembly moved quickly to pass A-2141 on Wednesday. In the morning, the Science and Technology Committee sent the health bill to the Codes Committee. Then, that afternoon, the Codes Committee cleared A-2141 with Democrats voting yes and Republicans voting no. The bill appeared on the floor less than an hour later.

Republicans grilled Rosenthal about the bill. The measure looks "overly expansive," possibly touching many industries, said Assemblymember Jarrett Gandolfo (R) during floor debate. He criticized what he sees as "vague definitions of regulated health information and regulated entities." The likely increased compliance costs will ultimately be paid by consumers, he warned.

The bill is “undoubtedly well intended,” said Assemblymember Jake Blumencranz (R). But it could mean companies like Fitbit or Peloton cancel service for millions of New Yorkers if they can’t comply with the law, he warned. “The vague language of this bill could lead to situations in which ... contracts and services will be voided without the acceptance of the terms and services.” While the measure covers companies like Fitbit that have health data not covered by the federal Health Insurance Portability and Accountability Act, Rosenthal said she doubts companies will want to lose New York customers’ business. She added that companies follow similar rules elsewhere.

New York could get into a situation like Illinois has with its Biometric Information Privacy Act (BIPA), argued Blumencranz. He said similarly vague language in BIPA resulted in far too many consumer complaints. However, Rosenthal stressed that her bill doesn’t include a private right of action like BIPA does.

Additionally, Blumencranz asked if consumers will experience delays getting services because the bill says that requests “for authorization to process an individual's regulated health information shall … be made at least twenty-four hours after an individual creates an account or first uses the requested product or service.” However, Rosenthal said services could be immediately accessed because the 24-hour wait doesn’t pertain to processing information “strictly necessary” to use the service requested by the individual.

CCIA would like to see the health privacy measure better align with other states, said State Policy Director Megan Stokes. “We have concerns with the valid authorization standard that would apply to most data unless strictly necessary as well as the quick 24-hour timeline involved.”

Hinshaw privacy attorney Cathy Mulrow-Peattie supports the legislation’s goal but is “concerned about the broad definitions in the bill of regulated health information, in particular around inferences and regulated entity,” she emailed Wednesday. That could be overly burdensome for New York businesses, especially “advertising and small health-related businesses,” she said.