New York Law

New York Legislature Passes Extraordinarily Restrictive Health Data Privacy Bill

in ,

Last year, we wrote about a proposed New York State law that would have significant impacts for entities that process health and wellness related data. That bill failed to pass before the 2024 legislative session ended. But today, in the early days of the 2025 session, the New York State legislature has passed Senate Bill S929 (SB S929), which is essentially unchanged from last year’s bill.  

Prior to enactment into law, SB S929 will be subject to amendment or veto by New York Governor Kathy Hochul. Governor Hochul has confirmed that she will review SB S929. 

As we detailed in our previous blog post, this bill:  

  1. has a very broad scope,  

  2. includes a novel and dramatically challenging authorization requirement for certain collection or other processing of regulated health information,  

  3. imposes specific and unique notice and data security-related obligations, and 

  4. creates onerous data access and data deletion requirements. 

As we noted last year, “while protecting the privacy of sensitive health data is important, and legitimate concerns about the potential for harmful uses of such data should be addressed, this bill’s overbroad scope and problematic substantive obligations are likely to create unintended costs, confusion, and disruption for many entities providing any products or services that are at all related to health or wellness.” 

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law. 

Felicity Slater is an Associate at Hintze Law PLLC with experience in global data protection issues, data breach notification laws, privacy impact assessments, GDPR, and privacy statements.

Mike Hintze is a Member Partner at Hintze Law PLLC and a recognized leader with over 25 years of experience in privacy and data protection law, policy, and strategy.