New York's legislature has passed a sweeping health data privacy law meant to proscribe use of “regulated health information” (RHI) unless it is (1) collected for a purpose expressly allowed by the law or (2) the relevant consumer has consented, in writing, after a 24-hour waiting period. The definition of RHI is broad enough to encompass many common digital devices and tools in use in everyday consumer life, outside a healthcare setting. Violations can result in regulatory investigations and fines of up to $15,000 or 20% of revenue obtained from New York consumers (whichever is greater). The bill will now pass to the governor for her signature.
WHY IT MATTERS
The law specifically applies to companies outside New York, including those not actively doing business in New York. This is a broader approach than most privacy laws. In addition, the law only permits use of RHI for seven express purposes, and only allows use of RHI as “strictly necessary” to carry out those purposes, which may have the effect of limiting how much data can be collected, what kinds of data can be collected, and how long it may be stored, among other things. The opt-in requirements are complex and much more burdensome than those of any privacy law we have seen anywhere to date. All of this will make the law (NYHIPA) a challenge for companies that collect and use RHI.
The definition of RHI, finally, will cover companies and activities far beyond the sphere of actual healthcare. It includes all information that is “reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual.” (The statute does not define “physical or mental health.”) The definition expressly includes health-related location and payment information and inferences linkable to an individual or device. This is a sweeping definition by any measure. App, platform, and website providers should understand that this definition could encompass all kinds of actual health data, as well as wellness information and potentially more.
We do not know whether the governor will sign this bill, but if it is a sign of things to come, the future of “health” data is going to get very complicated, very quickly.