Understanding the New York bill improving patient privacy
Kirsten Peremore February 04, 2025
New York State Senators Liz Krueger, Amanda Brouk, Leroy Comrie, Jessica Fernandez, Pat Ryan Hinchey, Emily Hoylman-Sigal, Cordell Cleare Jackson, John Liu, Michelle Hinchey, and Webb introduced Senate Bill S. 929 during the 2025-2026 Regular Sessions. The bill aims to amend the General Business Law by establishing the New York Health Information Privacy Act.
The bill's timeline
- January 8, 2025: Senate Bill S. 929, known as the New York Health Information Privacy Act, is introduced by Senators Liz Krueger, Amanda Brouk, Leroy Comrie, Jessica Fernandez, Pat Ryan Hinchey, Emily Hoylman-Sigal, Cordell Cleare Jackson, John Liu, Michelle Hinchey, and Webb during the 2025-2026 Regular Sessions. The bill is read twice and ordered printed.
- January 8, 2025: Following its introduction, the bill is committed to the Committee on Internet and Technology for further review and discussion.
The main takeaways
- The bill requires explicit consent from individuals before their health information can be processed or shared.
- Individuals have the right to access their health information and request its deletion at any time.
- All communications regarding health data must be in plain language and accessible to individuals with disabilities.
- Regulated entities are prohibited from selling individuals' health information without consent.
- The bill establishes clear definitions for key terms such as "regulated health information," "service provider," and "deidentified information."
- Organizations must implement security measures to protect regulated health information from unauthorized access.
- The bill includes provisions for enforcement, ensuring compliance with its requirements.
- Any contracts or waivers that contradict the provisions of this act are deemed void and unenforceable.
The impact on New York-regulated entities
Regulated entities, which include healthcare providers, insurers, and other organizations that process health data, must now obtain explicit consent from individuals before processing their regulated health information. This requirement includes clear communication about what data is collected, how it will be used, and with whom it may be shared.
Entities are required to provide individuals with easy access to their health information and the ability to request its deletion. Failure to comply with these regulations can result in legal repercussions, making it necessary for organizations to review and possibly overhaul their data management practices.
How it interacts with HIPAA
HIPAA establishes baseline standards for the protection of health information; S. 929, on the other hand, introduces stricter requirements specific to New York State. For example, the New York bill requires explicit consent from individuals before their health data can be processed or shared, whereas HIPAA allows for certain disclosures without consent under specific circumstances.
S. 929 discusses individual rights, like the ability to access and delete personal health information, which goes beyond HIPAA's provisions. This creates a dual-layered regulatory environment where healthcare organizations operating in New York must navigate both federal and state laws.
FAQs
Are there exceptions to the consent requirement?
Yes, there are specific circumstances under which regulated entities may process health information without consent.
What happens if an organization fails to obtain proper consent?
If an organization processes health information without valid consent, it may face legal consequences under the New York Health Information Privacy Act, including potential fines and enforcement actions.
How can individuals request access to or deletion of their health information?
Individuals should be able to make requests through an easy-to-use interface provided by the regulated entity. Organizations are required to respond to these requests within a specified timeframe.