What Does NYS’ Proposed Strict Health Information Privacy Law Entail?

A new privacy law in New York is set to significantly complicate the processing and sharing of health information across various organizations, pending the governor’s approval. Regulatory attorney Angie Matney has highlighted the implications of the New York Health Information Privacy Act (HIPA), which was passed by the state’s legislature in January but has yet to receive Governor Kathy Hochul’s signature. Changes to the bill could still occur before it becomes law, according to Matney.

This newly proposed law presents serious operational challenges for organizations required to comply. Matney emphasized that the law’s reach extends to any entity that processes information even tangentially associated with health conditions within or related to New York. This includes not only local organizations but also those with contractors or any operational nexus to the state. Notably, there are no size exemptions; thus, many companies may not realize their obligations under this statute.

Regulated information under HIPA is broadly defined, encompassing any data that can be linked to an individual or device concerning physical or mental health. This includes seemingly innocuous information, such as purchasing history or dining notifications, especially if they mention health-related conditions like allergies. Matney also pointed out that the law contains fewer exemptions compared to similar legislation, most notably lacking any explicit exemption for employment-related information, which means that job applications and accommodations for disabilities will also be subject to these stringent regulations.

During an in-depth interview with Information Security Media Group, Matney elaborated on the potential implications of the new law for individuals and organizations alike. The law does not merely cover monetary exchanges involving regulated health information; it also includes transactions where information is exchanged for other valuable considerations.

When comparing HIPA to other health information privacy laws, such as Washington State’s My Health My Data Act and federal regulations like HIPAA and the Federal Trade Commission’s Health Breach Notification Rule, significant differences and similarities arise that could impact compliance strategies across states.

Given the potential disruptions posed by HIPA, businesses must prepare for the complexities of adhering to these new standards. A lack of awareness among companies regarding their compliance responsibilities may expose them to penalties for violations. Hochul’s office has yet to comment on the timeline for signing the bill or any potential adjustments.

As a legal expert at Reed Smith, Matney’s insights are rooted in her extensive experience guiding clients across diverse industries, particularly healthcare and pharmaceuticals, in navigating both state and federal health privacy regulations. Her qualifications as a certified information privacy professional underscore the importance of staying informed and proactive as businesses adapt to these evolving legal landscapes.
