A MoFo Privacy Minute Q&A: New York’s NYHIPA Goes to the Governor's Desk Amidst Veto Calls - What Businesses Should Know as 2026 Approaches
This is A MoFo Privacy Minute, where we answer the questions that our clients are asking us in sixty seconds or less.
Question: The New York Health Information Privacy Act (NYHIPA) was passed by the New York State Assembly and Senate in January 2025 but appears to have stalled. What is its status? And what should we expect as we move into 2026?
Answer: NYHIPA currently awaits Governor Kathy Hochul’s signature. If enacted, New York will join Washington, Nevada, and Connecticut in a small but growing group of states with comprehensive consumer health data laws that regulate a broad range of businesses handling health-related information outside of the Health Insurance Portability and Accountability Act (HIPAA). With the sign/veto deadline approaching, the bill’s future remains uncertain amid recent industry pushback.
Key Provisions of NYHIPA
NYHIPA would be the first law of its kind in the Empire State protecting personal health information falling outside the scope of HIPAA.
NYHIPA defines regulated health information (RHI) as “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual,” including location information, payment information, or inferences that are tied to an individual’s physical or mental health.
NYHIPA regulates entities that: (1) control the processing of RHI of New York residents or individuals physically present in New York, regardless of the entity’s location, or (2) are located in New York and control the processing of RHI. Service providers may also be governed under NYHIPA depending on their context for processing RHI.
NYHIPA takes a relatively narrow approach to carve-outs compared to other state consumer health data laws. It generally exempts only government entities, HIPAA protected health information (PHI) (and patient information maintained by HIPAA covered entities in the same way as PHI), properly de-identified data, and certain clinical trial data subject to the Federal Policy for the Protection of Human Subjects (the “Common Rule”), International Council for Harmonisation (ICH) good clinical practice, or Food and Drug Administration human subject protections. It does not exclude nonprofits or data and entities subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act, or Family Educational Rights and Privacy Act, and it sweeps in health-related payment information that other consumer health data laws often leave out, making NYHIPA applicable to a wider range of organizations and activities.
NYHIPA imposes the following obligations on regulated entities:
- Notice: Regulated entities must make publicly available on their website a notice describing the types of RHI processed, the nature of the processing activity, the specific purposes of processing, and the names or categories of service providers and third parties to which RHI is disclosed. The notice must be clear and accessible to all individuals in connection with a product or service.
- Valid Authorization: NYHIPA prohibits the sale of RHI to third parties and only allows other processing of RHI where the individual has given valid authorization or the processing is strictly necessary for limited purposes (such as providing a requested product or service, certain internal operations, security, or legal compliance). If a valid authorization is obtained, the regulated entity must provide the individual with a copy of the authorization.
  - There is some tension between the definition of “processing” (which includes “sales”) and the separate prohibition on selling RHI to third parties. At a minimum, entities should expect heightened scrutiny of any monetization of RHI, and regulators may take the position that sales are effectively prohibited outside of narrow transactional exceptions.
- Consumer Rights: Users must have an effective and easy-to-use mechanism to exercise their rights in connection with a product or service. If an individual exercises the right to delete their online account, the regulated entity must act within 30 days of receiving the request to delete all associated RHI. The regulated entity must also communicate the request to service providers and third parties that have processed the individual’s RHI in a transaction.
- Service Provider Terms: Service providers must generally enter a written, binding agreement to process RHI on behalf of a regulated entity. The agreement must include terms, such as: (1) ensuring all personnel protect and maintain the confidentiality of RHI; (2) only processing RHI to the extent necessary to comply with obligations to the regulated entity; and (3) notifying the regulated entity within a reasonable time prior to disclosing or transferring RHI to additional service providers.
- Security: Regulated entities must develop reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of RHI. RHI must be disposed of securely under a publicly available retention schedule. Disposal must occur within a “reasonable time,” and no later than 60 days after the information is no longer necessary for the purpose(s) identified in the notice or for which valid authorization was obtained.
If enacted, NYHIPA will take effect one year after it is signed by Governor Hochul.
Enforcement
The New York Attorney General has sole authority to enforce NYHIPA, which provides for up to $15,000 per violation, or up to 20% of a regulated entity’s revenue obtained from New York consumers within the past fiscal year, whichever is greater. Actions brought under NYHIPA must commence within six years of the date on which the Attorney General becomes aware of a violation.
Recent Criticism and Looking Ahead
In early December 2025, a cross-sector group of New York businesses, ranging from healthcare to financial services companies, sent a letter to Governor Hochul urging her to veto NYHIPA. The coalition argues that NYHIPA’s definitions of “regulated health information” and “regulated entities” are overly broad, going beyond the scope of other states with consumer health privacy protections. It warns that the bill’s strict authorization requirements would generate significant consent fatigue and hinder beneficial services, including advertising, analytics, and product improvement. The letter also cautions that the Act’s extensive compliance obligations could drive up operational costs and create regulatory uncertainty for a wide range of businesses.
This level of pushback contrasts with the initial expectation earlier in 2025 that NYHIPA would be signed into law without major controversy, and we are closely monitoring for updates from the Governor’s desk.
Melissa M. Crespo, Partner
Carson Martinez, Associate
Katherine Wang, Associate