
Keep New York’s Proposed Health Information Privacy Act on your Radar


A new state privacy law, recently passed by New York's legislature, is awaiting Governor Kathy Hochul's signature. If signed, it is expected to significantly complicate and restrict the processing and sharing of health information by a wide range of organizations.

The New York Health Information Privacy Act (HIPA or the Act) was approved by the state legislature in January, but the governor has yet to sign it into law, meaning the bill could still undergo changes before that happens. As it currently stands, the law could create considerable operational and compliance challenges for affected organizations.

Regulated information that falls under HIPA is broadly defined as any “information that's reasonably linkable to an individual or a device that's collected or processed in connection with the physical or mental health of an individual.”

The proposed law contains no exemptions based on company size or data-volume thresholds, so many small and medium-sized businesses may not initially recognize that they are subject to its requirements.

Many requirements under the Act may require organizations to implement new or adjusted controls and procedures, but a few stood out that we wanted to highlight here. If the Act becomes law without any edits, the following obligations would need to be adhered to:

  • Data disposal – “A regulated entity must securely dispose of an individual's regulated health information pursuant to a publicly available retention schedule within a reasonable time, and in no event later than sixty days, after it is no longer necessary to maintain for the permissible purpose…”

  • Requests for deleting data – “Within thirty days of receiving a deletion request, the regulated entity shall: (i) Delete all regulated health information associated with the individual in the regulated entity's possession or control, except to the extent necessary to comply with the regulated entity's legal obligations…”

  • Working with service providers – “In general, any processing of regulated health information by a service provider on behalf of a regulated entity shall be governed by a written, binding agreement… An agreement shall require that the service provider allows, and cooperates with, reasonable assessments by the regulated entity or the regulated entity’s designated assessor for purposes of evaluating compliance with the obligations of this article…”

  • Violations – “Whenever it appears to the attorney general…that any person or persons has engaged in or is about to engage in any of the acts or practices stated to be unlawful under this article, the attorney general may bring an action or special proceeding…to charge any violation of this article…”

  • Penalties – The attorney general may obtain “…civil penalties of not more than fifteen thousand dollars per violation or twenty percent of revenue obtained from New York consumers within the past fiscal year, whichever is greater…”

While we don’t know if or when the governor will sign this legislation into law, entities should review it now and consider preparing for the wide-ranging changes, which would require more complex procedures and stricter requirements.

To speak further on data security and compliance related to the health sector, contact an Avalon expert today.

SOURCE: https://www.healthcareinfosecurity.com/interviews/whats-inside-new-yorks-strict-health-info-privacy-bill-i-5448?rf=2025-02-25_ENEWS_SUB_HIS__Slot1_POD5448&mkt_tok=MDUxLVpYSS0yMzcAAAGY3Or0MAgcqwF_pBEg5dcwY3quMBetdi8ma1et84R2Ll97HzUrkGtkP803L_JF1gsx8gTRTpvjvfoRy5iYDtnFbapOI07K9S-lYpdYNkeu7KE9IiD34A
