Privacy & Information Security Law Blog

On January 21, 2025, the New York legislature passed Senate Bill S929, an act to amend the general business law, in relation to providing for the protection of health information (the “Act”). The Act would provide for the protection of health information and require written consent or a designated necessary purpose for the processing of an individual’s health information. The bill is pending Governor Kathy Hochul’s signature.

The Act prohibits the sale of regulated health information and limits the circumstances in which an entity can lawfully “process” regulated health information, including but not limited to the collection, use, access and monetization of such information. It defines regulated health information to mean “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual,” including location or payment information. Notably, regulated health information does not include deidentified information, or information that “cannot reasonably be used to infer information about, or otherwise be linked to a particular individual, household, or device,” given reasonable technical safeguards.

Entities will still be able to “process” regulated health information in certain circumstances, including when they have received “valid authorization” from an individual to do so. In order for the authorization to be valid, it must satisfy 11 different conditions set forth by the Act. These include authorization made by written or electronic signature; the individual has the ability to provide or withhold authorization for different categories of processing activities; the individual has the ability to revoke authorization; and failure “to provide authorization will not affect the individual’s experience of using the regulated entity’s products or services.” Authorizations must expire within one year of being provided.

The Act provides for other circumstances that allow entities to “process” regulated health information absent “valid authorization” from the individual, including when such information is “strictly necessary” for “providing… a specific product or service requested by [the] individual,” “conducting… internal business operations,” “protecting against… illegal activity,” and “detecting, responding to, or preventing security incidents or threats.”

The Act would take effect one year after it is signed into law. Rules or regulations necessary to implement the Act are authorized to be made immediately following its passage and may be completed before the effective date.

The Act is now awaiting the signature of Governor Kathy Hochul. Governor Hochul’s Office has not yet commented on the bill, but she has been a longtime supporter of abortion access, a position on which she campaigned.