After an unexpected, late-session veto, the effort to strengthen protections for consumer health information is back on the table in New York.
Background and Legislative Context
The New York Health Information Privacy Act (NYHIPA) (S929) was passed by the New York State Assembly and Senate in January 2025 but vetoed by Governor Hochul in December 2025 (see our prior client alert). In the months leading up to the veto, a coalition of New York businesses across healthcare, technology, financial services, and other sectors urged the Governor to reject the bill, arguing that its definitions of “regulated health information” and “regulated entities” were overly broad and that its core restriction on processing absent strict necessity or consumer authorization would impose significant operational and compliance burdens.
Lawmakers have now introduced a revised version in the 2026 legislative session (S9269). The bill would again establish a stand-alone statute governing “regulated health information” (RHI) not covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and apply broadly to consumer-facing businesses that collect or infer RHI outside traditional healthcare settings. If enacted, NYHIPA would place New York among the growing number of states (i.e., Washington, Nevada, and Virginia) that have adopted consumer health information laws regulating health-related information outside HIPAA.
Although the revised bill expands certain exemptions and eliminates the prior revenue-based penalty, it retains the overall framework that drew criticism in 2025, including the authorization-first processing model and narrow “strictly necessary” standard. Given the limited scope of changes, the updated bill may face renewed opposition from affected businesses and heightened scrutiny from the Governor.
Key Changes
While many provisions remain substantively consistent with the 2025 bill, the 2026 bill includes several notable revisions:
- Expands and itemizes the definition of RHI. The 2026 bill clarifies the definition of RHI using a two-part test: (1) the information must be reasonably linkable, directly or indirectly, to an identified or identifiable individual, including data associated with persistent unique identifiers (such as cookie IDs or IP addresses); and (2) the information must be collected or processed in connection with an individual’s past, present, or future physical or mental health status. The 2026 bill also enumerates specific categories of health-related data satisfying the second prong, including reproductive and sexual health information, gender-affirming care information, biometric and genetic data, and health-related inferences derived through algorithms or machine learning.
- Broadens the “strictly necessary” exception to processing. As under the 2025 proposal, processing of RHI remains unlawful unless it is supported by valid authorization or “strictly necessary” for limited purposes, such as security and fraud prevention, legal compliance, and internal business operations, among other specifically listed functions. The 2026 version expands what is considered “strictly necessary” processing by including developing, improving, or repairing a requested product, feature, or service.
This addition may provide some operational flexibility, although the standard remains narrower than the “business purposes” frameworks used in many other state privacy laws.
- Expands the statute’s exemptions. In addition to exempting HIPAA-covered entities and protected health information, as in the 2025 proposal, the revised bill exempts Part 2 programs and related substance use disorder records, clinical trial and human subjects research data, activities regulated by the Food and Drug Administration, specified public health functions, employment-related information, and information subject to other privacy laws that provide comparable or greater protections. Under the 2026 bill, the New York Attorney General is further authorized to promulgate rules specifying additional exceptions for RHI that is subject to, and processed in compliance with, federal laws that are as protective of or more protective of individual privacy than the statute. These expanded exemptions appear responsive to concerns raised during the 2025 legislative cycle, particularly from healthcare and life sciences stakeholders.
- Modifies requirements related to authorizations. As under the 2025 bill, where processing is not strictly necessary, regulated entities must obtain valid authorization from consumers. However, while the 2025 bill required entities to wait at least 24 hours after account creation or first use before requesting authorization to process RHI, the 2026 version eliminates that waiting period and instead imposes more detailed content and formatting requirements. In addition to being separate from other transactions and written in plain language, authorization requests under the 2026 bill must also be in at least 12-point font and must state that the processing is not strictly necessary and that declining authorization will not prevent continued use of the requested service. The revised bill also prohibits re-soliciting authorization within nine months of a prior denial or revocation and requires new authorization if processing materially changes.
- Eliminates the prior revenue-based penalty. The 2026 bill eliminates the 2025 bill’s revenue-based penalty, which would have permitted civil penalties of up to 20 percent of revenue obtained from New York consumers in the past fiscal year. By removing that revenue metric, the revised bill materially narrows potential financial exposure for regulated entities. Enforcement authority remains vested exclusively in the New York Attorney General, who may seek injunctive relief, restitution, disgorgement, and civil penalties of up to $15,000 per violation, subject to a six-year statute of limitations. In determining penalties, courts must consider the severity of the violation and the regulated entity’s good faith efforts to comply.
If enacted, the bill would take effect six months after becoming law, rather than one year as previously contemplated.
Looking Ahead
While NYHIPA’s prospects remain uncertain, companies should consider using this legislative cycle to assess whether they collect or generate data that could qualify as RHI and to evaluate whether existing processing activities could be justified as “strictly necessary” under the bill’s enumerated purposes. Taking these steps now can help organizations respond quickly and efficiently if the bill advances during the 2026 legislative session.