By Mike Hintze and Felicity Slater
With just six days left in the state’s 2024 legislative session, the New York Legislature is considering a health data privacy bill that would dramatically impact companies that handle data related to health or wellness. Companies and other organizations should watch this bill carefully and understand its highly disruptive and costly implications should it pass the legislature and be signed by the governor.
Assembly Bill A4983-D, which was referred to the Assembly Rules Committee on May 28th, has several similarities to Washington’s My Health My Data Act (MHMDA), an extremely challenging law about which we have extensively written (see our blog series on MHMDA). Other states, including Nevada and Connecticut, have adopted MHMDA-like provisions, but with modifications that help to address some of the more problematic ambiguities and compliance challenges. By contrast, this New York bill, in certain respects, moves in the opposite direction, creating even bigger compliance difficulties and uncertainties.
Scope
The scope of the New York bill is extremely broad. First, it applies to the processing of “regulated health information” which means:
any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual.
While much simpler than the MHMDA definition of consumer health data, this definition is potentially equally broad. Considering the wider context of how the FTC and other U.S. regulators have been broadly interpreting the concept of health data, this definition could capture an extremely wide range of data. It could include information about the purchase of over-the-counter medications, exercise equipment, or low-fat foods. It could include visits to webpages related to virtually any health or wellness topic. It could include information about gym memberships. And the list goes on. This open-ended definition regarding information “processed in connection with” the health of a person could be interpreted to include nearly any data related to fitness, nutrition, or wellness.
The definition of “regulated health information” goes on to specify that:
Location or payment information that relates to an individual's physical or mental health or any inference drawn or derived about an individual's physical or mental health that is reasonably linkable to an individual, or a device, shall be considered, without limitation, regulated health information.
The call-out of payment information is noteworthy because the bill does not have a carve-out for entities or data regulated by the federal Gramm-Leach-Bliley Act. So, every bank, credit card company, payment processor, or other institution involved in handling payment information would inevitably be impacted by this bill. Likewise, unlike many other consumer privacy laws, the bill would not exempt data covered by the Fair Credit Reporting Act.
Further, the bill would apply to any “regulated entity,” which is defined as any entity that:
(a) controls the processing of regulated health information of an individual who is a New York resident,
(b) controls the processing of regulated health information of an individual who is physically present in New York while that individual is in New York, or
(c) is located in New York and controls the processing of regulated health information of an individual.
Under this broad definition, any company or nonprofit organization that collects health-related data of somebody who happens to be a New York resident, even if that person is not physically in New York, is covered. This may require companies outside of New York to collect residency information of every consumer to know whether or not they are subject to the requirements of the bill, thereby requiring the collection of more personal information than may otherwise be necessary. For companies outside of New York that wish to avoid being subject to those requirements, the only option may be to deny service to New York residents.
Likewise, part (b) of this definition would seem to bring even entities that do not offer their services to New York residents into scope if one of their consumers so much as visits New York and they process that individual’s regulated health information while that trip takes place. In response, covered entities may be forced to disrupt, cease, or pause the provision of health-related services of even non-New York residents while those individuals are within New York’s state bounds.
Such extreme measures would likely be considered only where the obligations are particularly onerous and unaligned with the requirements of any other jurisdiction. Unfortunately, it appears that may be the case here.
Authorization for Processing
Likely the most challenging requirement of the New York bill is the obligation to obtain an “authorization” for certain collection or other processing of regulated health information. Like under MHMDA, authorization under this bill is an extremely onerous requirement. So onerous in fact, that in many cases it simply cannot scale and will, in effect, serve as a ban on common and beneficial data practices.
This authorization requirement would apply to any data collection or other processing that is not “strictly necessary” to provide the product or service requested by the individual or for one of a handful of narrowly defined permitted uses (anti-fraud/security purposes, protecting public health or the vital interest of the individual, defending against legal claims or complying with law, or other narrowly-scoped internal business operations).
Notably, the exception for internal business operations explicitly excludes “any activities related to marketing, advertising, research and development, or providing products or services to third parties.” The implication is that all these uses would require “authorization.” Such an extreme requirement would likely dramatically constrain or eliminate a great deal of highly beneficial health research and product development activity, including efforts to improve health and wellness products based on individuals’ experiences with and reactions to those products.
Likewise, the alternative to authorization for processing that is “strictly necessary [for] providing a product or service requested by [the] individual” is likely to be highly disruptive and problematic. For instance, if a consumer signs up for a service in January, and updates and feature improvements roll out in February, is that no longer the service the consumer requested? Most modern services tend to evolve and improve over time. At what point is the service provided no longer the service “requested”? Does continuous usage by the individual provide evidence that it is still the requested service? Or at some point does the consumer need to re-request the service? And does that request need to look like a simple opt-in, or does it need to be a full “authorization”?
And if a service evolves, and the individual does not re-request the service or provide an authorization, must the regulated entity kick the individual off the service? Can the regulated entity kick the individual off the service, or must it maintain a version of the service locked in time at the point where the individual initially requested it? Obviously, some possible interpretations seem more ridiculous than others here, but they are all possible given the bill’s language.
So, if the authorization requirement potentially applies to a wide range of common, benign, or expected data processing, what does it require? Authorization is much more than just explicit opt-in consent. Rather, it is a lengthy written authorization, which would expire after one year, and is revocable at any time. It must be obtained separately from any other transaction, and it cannot be obtained within the first 24 hours after an individual creates an account or first uses the product or service. Authorization forms would have to contain:
The categories of health information to be processed;
The “nature” of this processing;
The “specific purpose” of this processing;
The names (if available) or categories of service providers and third parties—including any law enforcement entities—with which the regulated entity will share regulated health information;
Any financial or other benefit that the entity may receive from processing the health information;
A statement that the individual’s experience with the product or service will not change if the individual does not provide any authorization;
The authorization’s expiration date, which must be within one year;
A description of how individuals can access and delete their health information;
Any other information that might materially impact an individual’s decision to authorize processing of their health information; and
The individual’s signature (electronic is okay).
If an individual provides this authorization for a particular form of processing but then subsequently revokes it, the bill would require regulated entities to “immediately cease” all processing of the individual's data for the revoked purpose. Relatedly, entities would be required to obtain new authorization for any “new or altered” processing activity—and could not process an individual’s health information for this new or altered purpose without that authorization, requiring entities to essentially freeze their products and service offerings in time for consumers who do not consent to a new authorization.
Finally, the authorization form must allow individuals to authorize—or to withhold authorization for—each type of processing activity described in the authorization form separately. An authorization form cannot request an individual’s authorization for a type of processing that they have declined to authorize or revoked authorization for in the past year—seemingly preventing individuals from changing their mind about whether to authorize a particular type of processing within a one-year span of time, even if they realize that they do in fact wish to authorize it.
As noted above, these authorization requirements are so onerous that they cannot realistically be implemented at scale by companies. As a result, they will effectively operate as a ban on many kinds of data processing. There will undoubtedly be unintended consequences here that will add costs, inconvenience consumers, and in many cases prevent beneficial uses of data.
Other Requirements
The bill also includes specific and unique notice obligations that could result in yet another state-specific privacy notice that will add to the confusion of consumers facing multiple, largely redundant, privacy notices whenever they visit a website or online service. Interestingly, the bill borrows language regarding clarity and accessibility of notices from the California regulations under the CCPA.
It includes onerous data access and data deletion requirements that go beyond those found in most other privacy laws. Notably, these individual rights include allowing for third-party agents making requests on behalf of individuals, but without guidance on what verification can be required, potentially creating security problems with requests coming from individuals or entities other than the individual to whom the data relates.
The security section contains the standard “reasonable administrative, technical, and physical safeguards” language. But it also diverges from what other privacy laws require by including an obligation to securely delete data according to a “publicly available retention schedule.”
Finally, the bill includes contract requirements for service providers that may require organizations to, once again, review and update vendor contracts. However, these are reasonably aligned with what is in other laws, including the CCPA, such that existing contract terms may suffice.
Conclusion
As the New York Legislature sprints toward the conclusion of the session, the fate of this bill should be closely watched. While protecting the privacy of sensitive health data is important, and legitimate concerns about the potential for harmful uses of such data should be addressed, this bill’s overbroad scope and problematic substantive obligations are likely to create unintended costs, confusion, and disruption for many entities providing any products or services that are at all related to health or wellness.
Mike Hintze is a Member Partner at Hintze Law PLLC and a recognized leader in privacy and data protection law, policy, and strategy.
Felicity Slater is an Associate at Hintze Law PLLC. Felicity has experience with global data protection issues, including data breach notification laws, privacy impact assessments, GDPR, and privacy statements.
Hintze Law PLLC is a Chambers-ranked, boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.