Bill > S09269

This bill establishes the New York Health Information Privacy Act, which aims to protect an individual's health information by requiring that any processing of "regulated health information" (defined as information linkable to an individual and related to their physical or mental health status) must either have explicit written authorization from the individual or be strictly necessary for specific permissible purposes, such as providing requested services, internal business operations (excluding marketing), protecting against harm, or complying with legal obligations. The bill mandates that communications about health information be in plain language, accessible, and available in multiple languages, and it grants individuals rights to access and request deletion of their health information. It also requires regulated entities to implement reasonable security measures and outlines specific contractual obligations for "service providers" (entities processing health information on behalf of regulated entities). The bill includes exemptions for certain types of information, such as that covered by federal laws like HIPAA, and grants the Attorney General enforcement powers, including civil penalties of up to $15,000 per violation.

Business and Industry

https://www.nysenate.gov/legislation/bills/2025/S9269