The New York Assembly and Senate have passed the New York Health Information Privacy Act to improve privacy protections for consumer health data not protected by the federal Health Insurance Portability and Accountability Act (HIPAA) Rules. The act now heads to the desk of New York Governor Kathy Hochul to be signed into law. It is unclear whether Governor Hochul will sign the bill.

There is a common misconception that HIPAA applies to all health information. It does not: HIPAA applies only to HIPAA-covered entities and their business associates. A HIPAA-covered entity is a healthcare provider that conducts standard transactions electronically, a health plan, or a healthcare clearinghouse, and a business associate is a vendor that provides products or services to a HIPAA-covered entity that involve access to protected health information (PHI). Under HIPAA, [PHI is defined](https://www.hipaajournal.com/what-is-considered-protected-health-information-under-hipaa/) as individually identifiable health information that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

That means uses and disclosures of personally identifiable health information are not restricted by HIPAA when the information is collected by an entity not bound by the HIPAA Rules, such as health apps and wearable devices, including period tracking apps, fitness apps, and wearable fitness trackers. These apps and devices can collect a considerable amount of health-related information, information that would be subject to the HIPAA Rules if it were collected by a HIPAA-regulated entity.
There have been calls to address this privacy gap at the federal level by expanding HIPAA to cover all health data regardless of the entity that collects it, but all efforts to date have failed, leaving it to individual states to introduce their own laws to protect consumers' health data privacy.

## The New York Health Information Privacy Act

The Health Information Privacy Act (HIPA) places restrictions on uses and disclosures of personally identifiable consumer data related to health and wellness, excluding the PHI collected by HIPAA-regulated entities. It is important to note that HIPA exempts PHI, **not** HIPAA-regulated entities. That means a HIPAA-regulated entity would be required to comply with HIPA if it processes health data that falls outside the HIPAA definition of PHI.

Under HIPA, regulated entities are prohibited from selling or sharing consumers' health data without first obtaining consent through a transparent opt-in process. Before any processing can occur, prior authorization must be obtained from consumers, with the nature of that consent clearly explained. Consumers must be informed of the types of information collected, the nature of any processing activity, the purpose of the processing, the categories of third parties with whom the information will be shared, how consent can be revoked, and that use of the product or service will be unaffected by a decision not to provide authorization.

Consent must be obtained in a process separate from any other transaction, and it can only be requested at least 24 hours after the consumer first requests or uses the product or service. Should consent be revoked and a request made to have personal data deleted, that information must be deleted within 30 days.
Restrictions are also placed on the processing of health data: with limited exceptions, processing is permitted only if it is strictly necessary to provide or maintain the product or service.

There are severe penalties for HIPA violations: a civil monetary penalty of up to $15,000 per violation or 20% of the revenue obtained from New York consumers within the past fiscal year, whichever is greater. Penalties are payable to the state. There is no private cause of action, which means consumers cannot take legal action against regulated entities for HIPA violations. HIPA will take effect 12 months after Governor Hochul signs the act into law.

## Definitions

### Regulated Entities Under HIPA

Any entity that either:

* a) Controls the processing of regulated health information of an individual who is a New York resident;
* b) Controls the processing of regulated health information of an individual who is physically present in New York, while that individual is in New York; or
* c) Is located in New York and controls the processing of regulated health information of an individual.

A regulated entity may also be a service provider, depending upon the context in which regulated health information is processed.

### Data Covered by HIPA

* Any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual.
* Location or payment information that relates to an individual's physical or mental health, or any inference drawn or derived about an individual's physical or mental health that is reasonably linkable to an individual, or a device.

HIPA does not apply to deidentified information, that is, health data stripped of all personal identifiers.

The post [New York Legislature Passes Health Information Privacy Act](https://www.hipaajournal.com/new-york-health-information-privacy-act/) appeared first on [The HIPAA Journal](https://www.hipaajournal.com).
Related tags: NAICS 54 (Professional, Scientific, and Technical Services); NAICS 62 (Health Care and Social Assistance); NAICS 623 (Nursing and Residential Care Facilities); NAICS 541 (Professional, Scientific, and Technical Services); NAICS 518 (Computing Infrastructure Providers, Data Processing, Web Hosting, and Related Services); NAICS 92 (Public Administration); NAICS 51 (Information). Blog: HIPAA Journal.