Bill > A02141

This bill provides comprehensive protections for health information privacy in New York by establishing strict rules for how regulated entities can collect, process, and use an individual's health data. The legislation defines "regulated health information" as any information reasonably linkable to an individual and related to their physical or mental health, and creates detailed requirements for how such information can be handled. Specifically, the bill mandates that entities can only process an individual's health information with either explicit written consent or for strictly necessary purposes like providing a requested service, protecting against fraud, or complying with legal obligations. The bill requires clear, accessible communications about data processing, provides individuals with rights to access and delete their health information, and mandates robust security measures. Entities are prohibited from selling health information and must obtain separate, clear authorizations for different types of data processing. The New York Attorney General is empowered to enforce these provisions, with potential penalties of up to $15,000 per violation or 20% of revenue from New York consumers. The law would apply to most entities processing health information of New York residents, with some specific exemptions for government entities, healthcare providers already covered by HIPAA, and certain clinical research contexts. The bill aims to give individuals more control over their sensitive health data and prevent unauthorized or exploitative use of personal health information.

Business and Industry, Housing and Urban Affairs

https://www.nysenate.gov/legislation/bills/2025/A2141