NYHIPA Faces Uncertainty as New York Considers Comprehensive Health Data Privacy Law
The New York Health Information Privacy Act (NYHIPA) passed the New York State legislature in January 2025 and is pending Governor Kathy Hochul's decision to sign or veto the bill by January 7, 2026. If enacted, NYHIPA would establish New York as the fourth state with a comprehensive consumer health data privacy law addressing health-related information beyond the federal HIPAA regulations.
The legislation targets a broad range of businesses processing regulated health information (RHI), defined to include data linked to individuals' physical or mental health, such as location and payment details. Unlike other state laws, NYHIPA offers only narrow exemptions: it excludes HIPAA-covered entities, government bodies, de-identified data, and certain clinical trial information, but applies broadly to nonprofits, entities subject to financial and educational privacy laws, and health-related payment processing.
NYHIPA would impose significant compliance responsibilities, including consent requirements and data security mandates, with enforcement vested solely in the New York Attorney General, who can impose penalties of up to $15,000 per violation or 20% of the entity's New York revenue, whichever is greater. Regulated entities include those controlling RHI of New York residents or individuals physically present in New York, regardless of the entity's location, thus extending the law's reach beyond state borders. The Act is slated to take effect one year after the Governor's signature.
In December 2025, a coalition of businesses from healthcare, financial services, and other sectors formally requested a veto, arguing that NYHIPA's broad definitions and stringent consent requirements would cause compliance challenges, increase operational costs, and restrict beneficial business activities like advertising and analytics. This opposition highlights concerns about regulatory uncertainty and consent fatigue among consumers and businesses alike.
The degree of industry pushback contrasts with earlier expectations that NYHIPA would be signed without significant issues. As the decision deadline nears, New York businesses and insurers should closely monitor developments regarding NYHIPA's status due to its potential implications for data privacy compliance frameworks, operational costs, and enforcement risk. The law represents a significant expansion of state-level consumer health data protection and a possible precedent for other states with growing interests in regulating health-related information beyond HIPAA's scope.