
Technology Law


The New York Health Law with Dramatic Implications for Insurance Carriers and Brokers

A bill on New York Governor Kathy Hochul’s desk poses significant compliance challenges for businesses in the insurance sector.

On January 22, 2025, the New York legislature passed the New York Health Information Privacy Act (NYHIPA), a sweeping bill aiming to protect health information not covered by the federal Health Insurance Portability and Accountability Act (HIPAA). Resembling the Washington My Health My Data Act (MHMDA), the bill is expansive in scope, applying to “regulated health information,” defined as “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual.” The definition goes on to specify that “any inference drawn or derived about an individual’s physical or mental health that is reasonably linkable to an individual, or a device, shall be considered, without limitation, regulated health information.”

The bill has other idiosyncrasies, but the most glaring and aberrant is its lack of any exemption for financial entities or financial information. Most privacy laws provide either an entity-level exemption for financial institutions or a data-level exemption for financial data subject to the Gramm-Leach-Bliley Act (GLBA). They often also exempt data governed by the relevant state insurance regulations. For comparison, MHMDA exempts personal information governed by and collected, used, or disclosed pursuant to GLBA, as well as information subject to the privacy rules adopted by the Washington insurance commissioner. NYHIPA limits its exemptions to certain government information, clinical trial information, and protected health information or entities subject to HIPAA.

NYHIPA’s lack of exemptions for financial data or entities could have far-reaching consequences. Carriers and brokers in life, property and casualty, and workers’ compensation insurance rely heavily on the collection and processing of health information for premium determination, policy eligibility, claims management, explanations of benefits, risk assessment, and reporting.

NYHIPA does not contemplate the insurance industry’s uses of health data. If signed as is, NYHIPA would require these businesses to obtain a signed, fully informed, separate, unbundled authorization for any processing of regulated health information, and would not allow that authorization to be requested until at least twenty-four hours after an individual creates an account or first uses the product or service. Individuals would have the right to access their regulated health information, to revoke authorization at any time with immediate effect, and to have the information deleted. Processors would be prohibited from combining regulated health information with other personal information and would be subject to a duty of confidentiality.

A simple illustrative example of the problems that may arise when NYHIPA is applied to insurance is a two-car crash. If the party not responsible for the crash is injured, that party will seek payment from their own insurer. Before handling the claim, the injured party’s insurer will have to provide a separate privacy notice and obtain the required authorization. The injured party then provides medical records to demonstrate the injuries and the cost of treatment. After reviewing and confirming the claim, the insurer pays its insured. That insurer in turn seeks reimbursement from the at-fault party’s insurer. What happens if the injured party revokes a valid authorization for use of the data before the original insurer has been reimbursed by the at-fault party’s insurer? And none of this contemplates the role of brokers, the structure of insurance towers, more complex subrogation, complex accidents and events, the operations of life and benefits companies, and many other issues.

State privacy laws typically exempt insurance companies because they are already subject to more mature and complex laws and regulations tailored to their particular business models. California, for example, required a separate review of its insurance privacy regulations before the CCPA was applied to insurers, and even then exempted data subject to GLBA from the CCPA altogether. By omitting such an exemption, New York would layer ill-fitting consumer health privacy obligations on top of these existing frameworks, which may disrupt businesses within the insurance industry and the other industries that rely on them.

The bill has not yet been delivered to the governor; once it is, she will have ten days to sign it, veto it, or sign it subject to chapter amendments, a tool she frequently uses. Insurance carriers, brokers, and related entities should closely monitor this situation for developments.

Tags

insurance, health privacy, state law, data privacy