Date: 2025-04-24

In January of this year, a sweeping new consumer health information privacy bill sped through the New York State legislature and took its place in the pile of new legislation awaiting Governor Kathy Hochul’s signature.

Much of the New York Health Information Privacy Act (NYHIPA) reads like a privacy advocate’s wish list, but it is sure to face a barrage of lobbying efforts by business interests looking to have changes made before it’s signed into law.

It also shouldn’t be mistaken for an all-purpose health information protection measure, since it does little to limit government use of individuals’ information, while putting new power in the hands of state authorities.

Privacy and rights advocates may have to wait until the end of the year—or even beyond—to see how much power will actually end up in individuals’ hands under the new law.

NYHIPA protects information that is “collected or processed in connection with the physical or mental health of an individual” and doesn’t fall under federal HIPAA privacy protections, such as data collected by consumer apps, services, websites, and devices. HIPAA applies only to personal health information that is used by health care providers, health care plans and clearinghouses, and their business associates.

The act requires authorization from individuals before their health information can be sold or shared in a form that is linked to their identity, gives them the right to revoke that authorization at any time, and lets them request that their information be deleted.

It also requires companies to give individuals access to all of the health information they have about them upon request, and to automatically delete that information in 60 days if it’s no longer needed for its intended purpose.

This is a broad set of protections that gives individuals granular control over how their information is used.

Its critics in the state legislature contend it’s too broad, and overly vague. Complying with the act’s detailed and stringent consent requirements, they say, will require