Reject N.Y. Health Information Privacy Act
The New York Health Information Privacy Act (NY HIPA) was passed by the State Legislature in January. The goal of this legislation is to protect consumers’ sensitive health data, but this bill goes far beyond consumer data protection laws of other states and will limit consumer access, jeopardize growth, and increase costs for all. That is why The Business Council joined more than 50 organizations in calling for a veto of NY HIPA.
Recently, the legislative sponsors, Senator Krueger and Assemblymember Rosenthal, issued a joint statement reiterating their shared intention of the bill, “to protect New Yorkers’ most sensitive health data from being used and sold without their knowledge and authorization.” Businesses support this goal of protecting consumers’ health data. In their statement, the sponsors also endorsed a law that was recently enacted in Colorado. The Colorado Privacy Act has been used as a template for other states and enacts reasonable business obligations, consumer obligations, and enforcement standards. Colorado is an example of an operable consumer data privacy law.
But NY HIPA goes far beyond the scope of the Colorado Privacy Act and departs from its sensible business obligations, consumer protections and enforcement. While they share the same goal of giving consumers control of their data, the actual application of NY HIPA would enact the most restrictive and costly data privacy law in the nation.
The Colorado Privacy Act is a comprehensive privacy bill that is concerned with the processing of all consumer data but has stronger protections for “sensitive data” like race or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, and citizenship, as well as genetic, biometric, or biological data or personal data from a child. This greatly differs from NY HIPA, which ambiguously defines “regulated health information” as any information reasonably linkable to an individual or device collected or processed in connection with physical or mental health, including location and payment data and inferences about health. There are substantial differences in how NY HIPA dictates the handling of data: data minimization, consent, the definition of “individual,” the sale of personal information, and consumer rights.
NY HIPA, a law dramatically different from other states, puts New York businesses of every size and consumers at significant disadvantages that will harm the state’s economic competitiveness. It would introduce onerous compliance and operational roadblocks that will make it even more difficult to do business in New York, thus raising the cost of doing business, while making it difficult for consumers to access services they need when they want them. When the cost of doing business is high, the cost of goods and services increases, further impacting affordability for everyone.
A recent report paints a grim picture of New York’s competitiveness and business climate. New York was 50th in business friendliness, taxation, and outmigration, 49th in projected working age population growth, and job growth over the past 10 years is 1/3 of growth in Florida and Texas. New York is also the 2nd most highly regulated state, with more than 300,000 regulations amounting to over 17 million words.
Governor Hochul rightly directed state agencies to review and identify outdated, redundant or inconsistent regulations ahead of her state budget. This is a welcome step, but to truly address the state’s competitiveness, we must be cautious of implementing additional laws, like NY HIPA, that are inoperable and inconsistent with other states. NY HIPA is fundamentally flawed; it will make New York an outlier and an even harder place to do business.
We support the passage of reasonable consumer data privacy laws that protect consumers in meaningful ways. Colorado is an example of that; NY HIPA is not.
Governor Hochul should veto NY HIPA. Creating an unnecessary patchwork of laws across the nation will only increase operational and compliance costs for businesses, make things more expensive for consumers, and ultimately, threaten the state’s economic competitiveness.
Heather Mulligan is President & CEO of The Business Council of New York State, Inc.
The Honorable Kathy Hochul
Governor of New York State
New York State Capitol
Albany, NY 12224
Re: Request for Veto of S.929/A.2141 (NY Health Information Privacy Act)
Dear Governor Hochul:
We write on behalf of a broad cross-sector coalition of organizations across New York’s technology, healthcare, retail, automobile, telecom, insurance, financial services, media, nonprofit, philanthropic, and consumer-facing sectors. Our members share the Legislature’s goal of safeguarding sensitive health information, especially in light of increasing threats to reproductive and LGBTQ+ rights. However, we respectfully urge you to veto S.929/A.2141, the New York Health Information Privacy Act (“NY HIPA”). The bill has expanded far beyond its original purpose and would impose sweeping and economy-wide consequences that will increase costs for New Yorkers and disrupt essential services relied upon every day. Unfortunately, regardless of what language has been proposed as Chapter Amendments, the significant concerns that we have expressed throughout the process have not been addressed.
Although the legislation was originally conceived to prevent the misuse of reproductive and gender-affirming care data, it has evolved into a comprehensive and unprecedented data privacy regime unlike any in the nation. As drafted, NY HIPA would reclassify routine transactions, standard consumer interactions, and basic product development practices as regulated health information. As a result, the bill would subject a vast range of New York businesses and nonprofits to complex new obligations that go beyond the frameworks adopted in Connecticut, Washington, and every other state with consumer health privacy protections. The operational impact could raise compliance costs across industries, create new affordability challenges for New Yorkers, and undermine service continuity at a time when many sectors are already operating under tight margins.
Many of our organizations have submitted detailed analyses and redlines throughout the legislative process, yet our core concerns remain unresolved. We highlight below several issues, all of which demonstrate why NY HIPA, in its current form, is not workable. While attempts to address some issues have been proposed, they do not address the fundamental flaws in the legislation. Without making substantial amendments, the enactment of NY HIPA will put New York businesses, nonprofits, and consumers at a significant disadvantage and further harm our state’s competitiveness and affordability crisis.
- Overbroad Definition of “Regulated Health Information”: The bill defines regulated health information to include any data that may bear only a theoretical connection with someone’s health or a health-related inference, even when the data is not actually used to identify, analyze, or evaluate a person’s health status. As drafted, the definition covers IP addresses, biometric data, location indicators, and could include everyday purchases such as deodorant, shampoo, toilet paper, or conditioner. NY HIPA, therefore, extends far beyond traditional health data concepts and reaches routine consumer behavior (such as one-time purchase histories or website interactions) with no meaningful connection to health care. The scope also exceeds the approach used in Connecticut and Nevada[1], where protections apply to data that is used to actually identify an individual’s health status. By defining “regulated health information” so broadly, the bill creates ongoing, substantial compliance uncertainty and would force organizations to evaluate vast amounts of ordinary data as sensitive health information (ironically increasing privacy exposure). For many businesses that process high volumes of transactions, this would require building sophisticated real-time systems just to separate such routine activity from spending or behavior that might relate to a physical or mental health condition.
- Overexpansive and Privacy-Degrading “Regulated Entity” Scope: The bill classifies all service providers and backend vendors as regulated entities, requiring them to obtain consent from consumers they never interact with and to take on obligations that no comprehensive privacy or consumer health data statute in the country places on processors. Imposing regulated entity-level duties on service providers contradicts how these relationships function in practice and cannot be implemented at scale. The expansion also places a heavier burden on New York-based organizations, which would have to apply NY HIPA requirements to every user interaction, including those involving individuals outside the state, creating a competitive disadvantage not faced by companies headquartered elsewhere.
This definition also places obligations on organizations in all states and has anti-privacy consequences, in addition to creating significant – if not impossible – compliance challenges. By defining “regulated entity” to include entities who process the regulated information of individuals physically present in New York while they are in New York, the bill could force organizations to collect location data they would not otherwise collect; some organizations will need this information to determine whether, and when, they are in scope of the definition.
- Definition of “Sell” Fails to Exempt Service-Provider Transfers: The bill does not exempt transfers to service providers from the definition of “sell”. That omission conflicts with every comprehensive privacy and health data statute in the country and places New York out of alignment with neighboring jurisdictions. Both Connecticut and New Jersey, for example, expressly exclude disclosures to processors from their definitions of “sell.”[2] Providers that operate in multiple states would need to treat the same service-provider relationship as routine and permitted in Connecticut and New Jersey but as a regulated “sale” in New York. That inconsistency would force organizations to manage conflicting obligations, renegotiate contracts, and shoulder a disproportionate compliance burden in New York, which increases the cost of doing business and will negatively impact consumer affordability. Further, a broad definition of “sell” that sweeps in routine business practices and goes beyond what consumers understand as a sale will only confuse consumers, flooding ordinary user-directed transactions with unnecessary and alarming authorizations and notices.
- Definition of “Individual” Creates Cross-Border Compliance Problems: The bill defines “individual” without any residency limitation, which means the law applies to anyone physically present in New York at any moment, including daily commuters from New Jersey and Connecticut. Providers serving users across state lines would need to determine when a person is in New York and when they are in a state with its own and different privacy law. That structure – coupled with the overbroad definition of “regulated entity,” discussed above – encourages increased location tracking simply to identify which legal obligations apply, creating an intrusive and burdensome compliance model that does not align with common-sense privacy protections.
- “Strictly Necessary” Data Minimization Standard: The vast majority of state privacy and consumer health data laws do not use a strict necessity standard because it could prevent organizations from performing routine functions that modern services depend on.[3] Requiring individual authorization for nearly every internal purpose would limit low risk and widely expected processing such as developing new services, improving existing products, conducting first-party advertising, performing security monitoring and fraud prevention, and carrying out the research/development and quality assurance work needed to maintain safe and reliable products. NY HIPA heightens these problems by prohibiting internal development and imposing a 24-hour delay before certain processing can occur. These restrictions would slow service delivery, disrupt core operations, and block practices allowed under every other state privacy and consumer health data framework.
- Overly Burdensome Consent Authorization Requirements: The bill’s authorization requirements go far beyond any existing privacy or consumer health data statute and would impose obligations that are not operationally realistic. The mandate that refusing authorization “will not affect the individual’s experience of using the regulated entity’s products or services” conflicts with how consent systems work and would be impossible to implement in practice. Because NY HIPA defines “regulated health information” so broadly, organizations would need to present detailed, multi-element authorization notices constantly, covering disclosures, purposes, categories of recipients, monetary consideration, expiration dates, revocation procedures, and access and deletion mechanisms. That frequency would desensitize consumers to genuinely sensitive data uses, undermine the value of meaningful consent, and create significant friction across routine interactions that do not involve health-related data in any conventional sense.
This problem is exacerbated by the bill’s requirement that each request for authorization must be made separate from any other “transaction”—a term that is not defined or understood—regardless of whether the two “transactions” may be related. This could have the effect of forcing organizations to show consumers multiple related, yet slightly different, authorization requests for related kinds of data processing, increasing consent fatigue and confusing consumers.
- Insufficient Exemptions for Federally Regulated Sectors: The bill does not provide clear exemptions for organizations already heavily governed by federal privacy and security laws such as GLBA, SEC regulations, and other sector-specific frameworks. Without those exemptions, which are found in nearly all other states’ comprehensive and consumer health data privacy laws, entities subject to federal oversight would face overlapping and potentially conflicting obligations, creating parallel compliance regimes that cannot be reconciled in practice. The lack of clarity will force institutions to choose between violating federal requirements or violating NY HIPA, an outcome that makes legal compliance nearly impossible and exposes regulated sectors to significant operational and enforcement risks.
- Lacks Carve-Out for Employer Benefits and Programs: The bill has broader, unintended consequences for all New York employers who provide benefits and programs. Employers are involved with matters related to short-term disability, long-term disability, ADA accommodations, leave practices and wellness programs (smoking cessation, fitness, etc.). Businesses are already heavily regulated by state and federal laws regarding the handling of employees’ sensitive health information; however, the language of this bill is so broad that we believe the bill’s definitions capture day-to-day human resources operations.
We fully support protecting New Yorkers, including those seeking reproductive and gender-affirming care, from misuse of sensitive health information. As stated above, our concerns are about workability, not the underlying goal. NY HIPA’s scope reaches far beyond the risks it intends to address and would impose broad, costly, and unworkable obligations that ultimately fall on consumers, nonprofits, and businesses across the state. Targeted protections are needed, but the framework established in S.929/A.2141 is unlike any practice adopted in other states and is not the right mechanism.
We welcome the opportunity to work with your office and the Legislature to craft a focused, effective, and enforceable approach that protects consumer health data in purposeful ways without disrupting essential services, significantly impacting affordability, or creating statewide operational burdens for businesses. More time would allow for that collaborative work and ensure New Yorkers receive meaningful and durable protections without the unintended consequences that the current text would create.
For these reasons, we respectfully urge a veto of S.929/A.2141.
Thank you for your consideration.
Respectfully Submitted,
Tech:NYC
The Business Council of New York State, Inc.
Partnership for NYC
New York Bankers Association (NYBA)
New York Insurance Association
Food Industry Alliance of NY
Retail Council of NY
NYS Industries for the Disabled (NYSID)
YMCA of Greater New York
United Way of New York State
211 – New York State
Queens Chamber of Commerce
Manhattan Chamber of Commerce
Bronx Chamber of Commerce
Brooklyn Chamber of Commerce
Greater Rochester Chamber
Buffalo Niagara Partnership
Long Island Association
North Country Chamber of Commerce
Business Council of Westchester
Rockland Business Association
Life Insurance Council of NY
NY Credit Union Association
NY Health Plan Association
Independent Bankers Association of New York State (IBANYS)
Centerstate CEO
Warby Parker
Doordash
Securities Industry and Financial Markets Association (SIFMA)
National Federation of Independent Business (NFIB)
American Property Casualty Insurance Association
TechNet
State Privacy and Security Coalition
Computer & Communications Industry Association (CCIA)
Chamber of Progress
Network Advertising Initiative (NAI)
NetChoice
Association of National Advertisers (ANA)
Interactive Advertising Bureau (IAB)
Internet Coalition
American Telemedicine Association Action (ATA Action)
Connected Commerce Council
Receivables Management Association International (RMAI)
Community Pharmacy Association of NYS
NewYorkBIO
Lifesciences NY
Alliance for Automotive Innovation
Software Information Industry Association (SIIA)
ACT | The App Association
Connected Health Initiative
[1] See, e.g., Conn. Gen. Stat. § 42-515(9) (defining “consumer health data” as “personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis or to obtain information about a consumer’s health status”); Nev. Rev. Stat. § 603A.430 (defining “consumer health data” as personally identifiable information linked or reasonably capable of being linked to a consumer that a regulated entity uses to identify the consumer’s past, present, or future health status).
[2] See, e.g., Conn. Gen. Stat. § 42-515(37) (excluding “the disclosure of personal data to a processor that processes the personal data on behalf of the controller” from the definition of “sale”); N.J.S.A. 56:8-166.4(1) (same).
[3] See, e.g., Conn. Gen. Stat. § 42-520(a)(1) (requiring collection to be reasonably necessary and proportionate); Colo. Rev. Stat. § 6-1-1308(3) (requiring collection to be adequate, relevant, and reasonably necessary); Va. Code Ann. § 59.1-578(A)(1) (same); N.J.S.A. 56:8-166.12(a)(1) (same); Tex. Bus. & Com. Code § 541.204(a)(1)–(2) (allowing processing only when reasonably necessary, proportionate, adequate, and relevant); Nev. Rev. Stat. § 603A.500(1)(a)–(b) (“A regulated entity shall not collect consumer health data except: with the affirmative, voluntary consent of the consumer; or to the extent necessary to provide a product or service that the consumer to whom the consumer health data relates has requested from the regulated entity.”).
*sponsored content*