New York Senate Passes Landmark Health Privacy Bill S-929
Authors
John F. Howard, Paul F. Schmeltzer
On Jan. 21, the New York Senate approved a groundbreaking health privacy bill, S-929. The legislation, modeled on Washington state’s My Health My Data Act, aims to extend protections over personal health information beyond the scope of federal HIPAA regulations. The bill is now under review in the New York Assembly’s Science and Technology Committee.
Why S-929 Is Needed
During Senate deliberations, Sen. Krueger emphasized the limitations of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA applies only to data within traditional healthcare settings, such as hospitals or doctor’s offices. In contrast, private companies often collect, process, and sell health-related data through apps, wearable devices, and other platforms without clear consumer consent or protections for personal health data. S-929 seeks to close this gap, offering New Yorkers greater control over their sensitive health information and addressing the growing commercialization of personal health data.
Key Provisions of S-929
The legislation would make it illegal to sell an individual’s regulated health information without their explicit consent. It also restricts the processing of health data unless the processing is necessary for:
- Providing or maintaining a requested service or product
- Conducting internal business operations
- Ensuring security and preventing fraud or illegal activity.
Additionally, the law introduces strict penalties for noncompliance. The New York Attorney General would oversee enforcement and rulemaking, ensuring adherence to these enhanced privacy measures.
Comparison with Washington State’s Law
While S-929 is inspired by Washington’s My Health My Data Act, it diverges in significant ways. The New York legislation does not include carve-outs for public data, research data, or information regulated under the Gramm-Leach-Bliley Act. But it does mirror the Washington law in how it applies broadly and does not exempt small businesses, meaning all companies handling health data of individuals present in New York must comply. This raises concerns about potential disruptions, as individuals traveling into the state could inadvertently subject companies to new legal obligations. Additionally, both laws employ a very broad definition of “regulated health information.” The laws will essentially apply to any information that can be linked to an individual and their physical or mental health, or that allows inferences of such a connection to be drawn. This includes location, payment details, or potentially internet browsing data when an individual is looking to engage health services, potentially implicating advertising and marketing activities of companies providing health-related products or services.
The Broader Context
The American Civil Liberties Union (ACLU) of New York has endorsed S-929 and its Assembly counterpart. The stakes have grown since the Supreme Court overturned Roe v. Wade, prompting fears that digital footprints could be used to prosecute individuals seeking abortions. The ACLU pointed to the pervasive collection of data through period-tracking apps, search histories, and even changes in purchasing behavior as areas of concern.
What’s Next?
The bill is set to move through the Assembly’s Codes and Science & Technology Committees, with discussions beginning as early as this week. If enacted, S-929 would place New York along with Washington at the forefront of health data privacy, offering comprehensive protections to its residents and setting a new benchmark for state-level privacy legislation.
With mounting public and legal scrutiny over data misuse, New York’s proactive approach could signal a broader shift toward stricter privacy regulations across the United States.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.