Fast-Moving N.Y. Health Privacy Bill Raises Compliance Concerns
Donald Trump becoming president again probably fueled momentum for a New York state health privacy bill, a business privacy lawyer and an American Civil Liberties Union official said in recent interviews. New York Gov. Kathy Hochul (D) so far has kept her cards close to the vest concerning whether she will sign a health data privacy bill that sailed through the state's legislature last week (see 2501220073 and 2501210068). Meanwhile, privacy attorneys are sounding the alarm about possible business compliance problems.
The Assembly quickly approved S-929/A-2141 on Wednesday, with Speaker Carl Heastie (D) tying the effort to reproductive freedom on the anniversary of Roe v. Wade. ACLU-New York senior policy counsel Allie Bohm said the bill's passage “feels both long overdue and like a really important reaction in the moment that we are in right now [with] the change in federal administration.” Bohm added, “It passed now in part … because of the Trump administration ... [since] ... the threats are not just coming from other states. The threats are also potentially coming from the federal surveillance apparatus.”
Similar bills passed the New York Senate but stalled in the Assembly in two previous sessions, noted Bohm. The proposal has its origins in the U.S. Supreme Court’s Dobbs decision that overturned Roe, when people started asking if period-tracking apps and other digital services could put them in legal danger, she said. However, S-929 is broader than reproductive health data, covering Fitbit data, HIV status provided to Grindr and other information that many people falsely think is already protected by the federal Health Insurance Portability and Accountability Act (HIPAA), said Bohm.
Hintze Law’s Michael Hintze agreed that “the inauguration of the new president … probably had something to do with … the timing and the momentum” of New York’s health privacy bill. As in Washington state, which last year enacted the similar My Health My Data Act, “a lot of the momentum is driven by … fear of restrictions on reproductive rights and other rights related to healthcare.”
Hochul “has fought to protect reproductive freedom -- championing a constitutional amendment that protects abortion rights and signing new legislation to support patients and providers -- and she will review every bill that passes both houses of the Legislature,” the governor’s spokesperson emailed last Thursday.
New York Sen. Liz Krueger (D), sponsor of S-929, hasn’t “had any conversations yet with the governor on this,” her spokesperson emailed last week. “The general practice is to wait until the governor requests a bill before delivering it [to her desk], which frequently doesn't happen until the fall at the earliest, unless the governor has a special reason for signing a bill earlier.”
Bohm predicted “it's absolutely going to be a fight” to get it to the finish line, and she expects a veto campaign from the opposition. Hochul’s position is unclear, Bohm added. Legislators worked on the measure with AG Letitia James (D), for whom the bill is a priority, but not the governor’s office, said the ACLU official. Bohm sees “very good reasons” that Hochul will support the bill, since the governor is a “reproductive health champion” and has supported kids privacy measures. On the other hand, said Bohm, Hochul vetoed an abortion access bill last year. “If that did not happen, [I] would be a lot more confident.”
Hintze thinks a veto is unlikely. However, he noted that Hochul has some power to amend bills before signing. “I know that there are companies and groups engaged with the governor’s office to try to raise some of these concerns to see if there’s something that can be done before [she] signs the bill.” Future of Privacy Forum Senior Director Keir Lamont blogged last Friday that Hochul could further revise the bill through the state’s chapter amendment process.
In New York state, the Senate decides when to send the bill to the governor. When the legislature is in session, Hochul will have 10 days to sign, or it becomes law without her signature. If lawmakers are out of session, Hochul has 30 days from when she receives the bill, and it’s a pocket veto if she doesn’t sign.
“If we see it transmitted soon … she’s probably signing,” said Bohm. If it’s not sent until December, “that’s when I’m going to start getting worried.”
Compliance Challenges
The New York bill's similarities -- and differences -- to Washington state’s My Health My Data law could pose compliance challenges for businesses, said Hintze, who closely followed the Washington legislation. Businesses should be most concerned about the New York bill’s broad scope and high authorization threshold, he said.
Like the Washington law, the New York bill “can be read incredibly broadly to cover a wide range of personal information that might not even be thought of as health information -- and certainly not … sensitive health information,” Hintze said. The definition could, for example, cover purchases of exercise equipment, wellness books or over-the-counter vitamins, he said. In addition, New York's measure is “extraterritorial,” possibly covering New Yorkers traveling to other states for healthcare services or non-residents who happen to be in New York when their data is processed. Under the latter situation, a company might not know the person’s location and therefore be unaware that the proposed state law covers them, said Hintze.
On consent and authorization requirements, the New York bill is more onerous than Washington’s, said Hintze. Whereas the Washington bill includes an explicit-consent requirement for any processing of personal data beyond what’s necessary to provide service, the New York legislation jumps to an authorization process requiring extensive documentation “for anything beyond what’s strictly necessary” to provide the service, said Hintze. “It's either strictly necessary to provide the thing that the consumer is requesting, or you're fully into this onerous authorization requirement.” That could inhibit medical research, which uses health data, among other positive things, he said.
A company already working to comply with the Washington health law could “make roughly the same conclusions about what data is covered,” since they’re “equally broad,” the privacy attorney said. “The difference in the consent and authorization requirements … is what would require a lot of additional work.”
Several other lawyers issued warnings about possible compliance challenges in the days since S-929 passed the Assembly, including attorneys from Husch Blackwell, McDermott Will and Fisher Phillips.
The American Telemedicine Association wants Hochul to amend the health privacy law, ATA Action said in a news release Thursday. ATA sent a Jan. 24 letter to the governor. “While we strongly support protections for sensitive health information, this legislation imposes unworkable obligations and compliance requirements that exceed HIPAA and other existing state and federal regulatory frameworks,” said ATA Action Executive Director Kyle Zebley. The bill could “inadvertently create confusion and undue burden for both patients and healthcare entities, especially telehealth services, if allowed to pass as written.”
ACLU’s Bohm dismissed the compliance concerns. Most “folks who are Chicken Little-ing are also … living in Washington [state], which has a very similar definition under their law,” she said. “And it turns out that healthcare still works there.” Besides, the AG would have authority to make rules clarifying the possible law’s text and Bohm expects an open process based on how the AG office has handled kids privacy.