FPF Submits Letter to New York Governor Hochul on S929, the “New York Health Information Privacy Act”

The New York legislature passed S929, the New York Health Information Privacy Act (NYHIPA), on January 22. This bill has similar scope and scale as Washington State’s landmark My Health My Data Act (MHMD), with some key differences. The Future of Privacy Forum (FPF) submitted a letter to Governor Hochul’s office, highlighting certain ambiguities in the bill that could render elements of the measure more privacy-invasive than privacy-protective.

In particular, FPF highlighted: (1) Individual rights established under the Act do not have privacy-protective safeguards comparable to other state privacy laws to prevent misuse by bad actors to exfiltrate sensitive data or block access to services; (2) By extending to individuals who physically enter New York, the Act may encourage the additional collection of sensitive geolocation data; and (3) The lawful purposes for which data is able to be processed under the Act are narrower than comparable state privacy laws and may impede socially beneficial activities. Additionally, FPF included a comparison chart that highlighted similarities and differences between NYHIPA, MHMD, and Connecticut’s consumer health data protections in its comprehensive consumer privacy law.