WeVote

Bill

Bill

S 9269

Provides for the protection of health information

2025 Regular Session Introduced by Pete Harckham and 3 co-sponsors

The bill creates a New York Health Information Privacy Act that limits processing and sharing of regulated health data, empowers individuals with rights, and imposes strict obligat

REFERRED TO CODES
0
WeVote Research Nonpartisan
Bill Summary · S 9269

Overview

S. 9269 (2025-2026) from New York would create the New York Health Information Privacy Act, adding a new Article 42-A to the General Business Law. The bill establishes a comprehensive framework to regulate the collection, processing, use, sharing, and deletion of regulated health information by entities in New York, with strong rights for individuals and clear duties for entities and service providers.

Purpose and intent

  • Provide robust protection for health-related data that can be linked to identifiable individuals.
  • Give individuals clear rights to access, delete, and control the processing of their regulated health information.
  • Impose strict duties on entities and service providers to safeguard information and limit processing to clearly defined, permissible purposes.
  • Create enforcement mechanisms through the New York Attorney General and detailed contract and accountability requirements for processors.

Key provisions and changes

  • Definitions:

    • Deidentified information: requires safeguards, public commitment not to reidentify (with limited reidentification for validation), contractually binds recipients, and reidentification exceptions.
    • Regulated health information: broad category including health status, biometric data, genetic data, location data, reproductive/sexual health data, etc., and excludes deidentified information.
    • Processing scope includes collection, use, sharing, sale, monetization, retention, and more.
    • Regulated entity, service provider, third party, and related concepts are defined with emphasis on NY connection or activity.
  • Individual rights and notices (Sections 1121-1123):

    • Communications must be in plain language, accessible, and available in languages used by the entity; notices must be publicly posted on the entity’s website when processing is permissible or authorized.
    • Verifiable requests mechanism; explicit rights to access and deletion; deletion requests trigger removal within 30 days (with service provider cooperation) and a requirement to notify impacted service providers/third parties.
  • Lawfulness of processing (Section 1122):

    • Prohibits selling regulated health information.
    • Allows processing only with valid authorization or for strictly necessary purposes (e.g., product maintenance, internal operations excluding marketing/research and development, security, compliance, etc.).
    • For authorizations: detailed criteria for format, language, revocation, expiration (up to 1 year), disclosures, and a non-discrimination clause.
    • If processing without authorization, a regulated entity must provide clear notices and notify individuals of material changes separately from privacy policies.
  • Rights administration (Section 1123):

    • Mechanisms for verifiable access and deletion, with time limits (30 days to respond; extensions possible with notice).
    • Deletion requires erasing information from the entity and, where feasible, coordinating deletion with service providers/third parties.
  • Security (Section 1124):

    • Requires reasonable administrative, technical, and physical safeguards.
    • Public retention schedules; disposal within 60 days after no longer necessary.
  • Service providers (Section 1125):

    • Binding written agreements outlining processing instructions, confidentiality, limited processing, and duties on behalf of the regulated entity.
    • Obligations to assist with rights requests, return/delete data, permit audits, and manage disclosures to further providers.
  • Exemptions (Section 1126):

    • Broad set of carve-outs for federal privacy regimes, HIPAA, clinical trials, health care quality programs, TEFCA, public health, and other protected data scenarios, with several nuanced conditions.
  • Enforcement (Section 1127) and penalties:

    • AG enforcement with civil penalties up to $15,000 per violation, restitution, disgorgement, and other relief; six-year look-back for awareness of violations.
  • Contracts and waivers void (Section 1128) and construction (Section 1129):

    • Contractual provisions that conflict with the act are void; explicit statements about health reporting and public health activities.

Who is affected

  • Regulated entities collecting or processing regulated health information of New York residents (or individuals in NY context) and their service providers/third parties.
  • Individuals who are the subjects of regulated health information, including those seeking or receiving health services in NY.
  • Potentially, companies handling data for health-related products, apps, websites, health services, and any entity with a NY presence or users.

Procedural and timeline notes

  • Effective date: six months after the act becomes law.
  • Immediate rulemaking authority for implementing regulations, with some provisions allowed to be implemented by their effective date.
  • Enforcement timelines align with standard civil enforcement by the attorney general, with a six-year awareness window for actions.

This act would significantly expand privacy protections for health-related data in New York, introducing broad rights for individuals and detailed obligations for entities and processors.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.