
In a significant move to safeguard digital health data in New York, the state's lawmakers have given the green light to a bill aimed at preventing unauthorized collection and use of personal health information online. The newly passed legislation, known as the New York Health Information Privacy Act (NYHIPA), lays down stringent rules that apps and websites will need to follow before they can retain or peddle patient data. According to Crain's New York Business, the law primarily targets trackers and data merchants by banning the collection, use, or selling of patient data without obtaining written consent first.
The bill, a brainchild of Manhattan Democrats Sen. Liz Krueger and Assemblywoman Linda Rosenthal, is on its way to Gov. Kathy Hochul's desk where it awaits either a signature or veto. The sponsors have highlighted the urgency of the act, particularly stressing the need to protect women seeking abortions and others whose geolocation data, among other details, could be exploited.
"Residents are generally unaware that their technology is constantly tracking their movements, and geolocation data is being sold to companies for the purposes of targeted advertisements or tracking," the memo accompanying the bill stated. Meanwhile, digital health companies are bracing for the impact of NYHIPA, which, if enacted, would place heavy burdens on their operation and potentially disrupt patient engagement. According to a report by Foley, the legislation lays down a set of demands ranging from consent timing to data processing restrictions that could spell trouble for the digital health sector.
Key information regulated by NYHIPA includes any data reasonably linked to an individual's physical or mental health, including payment and location data. Permitted processing of such information would be narrow, and explicit consent would be required for most activities that are not core to a product or service. This could mean a major revamp of digital health companies' user experience and services just to align with NYHIPA's standards.
With hefty fines looming for breaches—up to $50,000 per violation or 20% of the annual revenue from New York consumers—the state attorney general's office has been given the teeth to enforce the law seriously. NYHIPA would come into effect a year after being signed into law. Digital health companies are now advised to begin planning for compliance if they haven’t already. There is little doubt that healthcare data privacy is evolving rapidly, and New York is positioning itself as a stringent governor of the digital health space.