New York Legislature Passes Extraordinarily Restrictive Health Data Privacy Bill

January 22, 2025 in Health Privacy, State Legislation

Last year, we wrote about a proposed New York State law that would have significant impacts for entities that process health and wellness related data. That bill failed to pass before the 2024 legislative session ended. But today, in the early days of the 2025 session, the New York State legislature has passed Senate Bill S929 (SB S929), which is essentially unchanged from last year’s bill.

Prior to enactment into law, SB S929 will be subject to amendment or veto by New York Governor Kathy Hochul. Governor Hochul has confirmed that she will review SB S929.

As we detailed in our previous blog post, this bill:

has a very broad scope,
includes a novel and dramatically challenging authorization requirement for certain collection or other processing of regulated health information,
imposes specific and unique notice and data security-related obligations, and
creates onerous data access and data deletion requirements.

As we noted last year, “while protecting the privacy of sensitive health data is important, and legitimate concerns about the potential for harmful uses of such data should be addressed, this bill’s overbroad scope and problematic substantive obligations are likely to create unintended costs, confusion, and disruption for many entities providing any products or services that are at all related to health or wellness.”

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.

Felicity Slater is an Associate at Hintze Law PLLC with experience in global data protection issues, data breach notification laws, privacy impact assessments, GDPR, and privacy statements.

Mike Hintze is a Member Partner at Hintze Law PLLC and a recognized leader with over 25 years of experience in privacy and data protection law, policy, and strategy.

In ‘Holy Redeemer’ Settlement Agreement, OCR Continues to Prioritize Privacy Protections for Reproductive Health Information

December 05, 2024 in Health + Biotech, Health Privacy, HIPAA, State Legislation

by Felicity Slater and Kate Black

On November 26, 2024, the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced a resolution agreement and corrective plan with Pennsylvania’s Holy Redeemer Hospital (Holy Redeemer). The agreement settles OCR’s claim that Holy Redeemer disclosed a patient’s protected health information (PHI)—including intimate reproductive health details—without a permissible purpose or valid authorization from the patient in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

A Last-Minute Push for a Reproductive Health Privacy Law in Michigan

November 19, 2024 in Health + Biotech, Health and Biotech, Hintze Law, Privacy, Health Privacy

By Mike Hintze and Felicity Slater

On November 7, 2024, the Michigan legislature introduced Senate Bill 1082 / House Bill 6077, the Reproductive Data Privacy Act (the “RDPA” or the “act”). The act was introduced in the aftermath of the 2024 election cycle as Michigan Democrats brace to lose control of the House in 2025. At a hearing in the Senate Committee on Housing and Human Services, lawmakers backing the RDPA expressed a hope to pass the act before the year’s end.