The New York Health Information Privacy Act and Its Impact on Workers’ Compensation

April 10, 2025
Robert W. Clark

KEY TAKEAWAYS:

  • A comprehensive health data privacy law—the New York Health Information Privacy Act—has been passed by the State Legislature and awaits Gov. Kathy Hochul’s signature

  • If enacted, the law will impose strict regulations on the collection, processing, and sharing of regulated health information

  • NYHIPA could affect Workers’ Compensation claims administration by complicating data sharing, slowing down processes, disrupting timely benefits delivery, and even adding litigation to the already dispute-prone system

The New York Health Information Privacy Act (NYHIPA), passed by the New York State Legislature on January 22 as Senate Bill S929, is a comprehensive health data privacy law awaiting Gov. Kathy Hochul’s signature.

If enacted, it would take effect one year after signing, imposing strict regulations on the collection, processing, and sharing of “regulated health information” (RHI). RHI is broadly defined as any information reasonably linkable to an individual or device and connected to their physical or mental health, including location data, payment details, and health inferences, unless properly deidentified. The law applies to “regulated entities”—any entity controlling RHI processing that is either located in New York, processes data of New York residents, or processes data of individuals physically present in New York—without revenue or volume thresholds, unlike many other state privacy laws.

Key Provisions of NYHIPA

  • Processing Restrictions: Regulated entities can only process RHI with an individual’s “valid authorization” or when “strictly necessary” for specific purposes, such as providing requested services, internal operations (excluding marketing or third-party sharing), fraud prevention, security, legal compliance, or protecting vital interests. Authorization requires detailed disclosures, a 24-hour delay after account creation, and cannot be tied to service access.
  • Prohibition on Sales: Selling RHI to third parties for monetary or valuable consideration is banned unless explicitly authorized.
  • Safeguards and Retention: Entities must implement reasonable administrative, technical, and physical safeguards and dispose of RHI within 60 days of it no longer being necessary for its intended purpose.
  • Exemptions: The law exempts HIPAA-covered entities (to the extent they handle data as protected health information), government entities, and clinical trial data, but lacks exemptions for employee data or other common carve-outs.
  • Enforcement: The New York Attorney General can enforce the law, with penalties up to $25,000 per violation, and a private right of action allows individuals to seek damages and injunctive relief.

Potential Impact on Workers’ Compensation Claims Administration

Workers’ compensation (WC) claims administration in New York involves employers, insurers, third-party administrators (TPAs), and healthcare providers sharing and processing health-related data to adjudicate claims, coordinate care, and ensure compliance with the Workers’ Compensation Law (WCL). NYHIPA’s broad scope and strict requirements could significantly affect this process, despite its exemptions, because not all WC entities are HIPAA-covered, and not all data fits neatly into exempt categories.

  1. Applicability to Non-HIPAA Entities
    • WC insurers, TPAs, and employers are not typically HIPAA-covered entities unless they also function as healthcare providers or plans in other contexts. NYHIPA would apply to these entities when they process RHI outside HIPAA’s scope, such as data from wearable devices, wellness apps, or non-HIPAA-regulated medical reports.
    • For example, if an employer uses a fitness tracker to monitor an injured worker’s recovery or a TPA processes payment data linked to a claimant’s health, NYHIPA could govern that data unless it’s treated as HIPAA-protected health information (PHI).
  2. Consent and Authorization Challenges
    • NYHIPA’s requirement for valid authorization (with a 24-hour delay and specific disclosures) could complicate WC data sharing. WC systems rely on rapid exchange of health data between providers, insurers, and the Workers’ Compensation Board (WCB) to process claims—delays or refusals of authorization by claimants could disrupt timely benefits delivery.
    • The “strictly necessary” exception might allow processing for claim adjudication or payment without authorization, but the law’s exclusion of third-party sharing from this category could limit data transfers to TPAs or reinsurers unless explicitly consented to, potentially stalling administration.
  3. Data Retention and Disposal
    • The 60-day disposal requirement conflicts with WC recordkeeping needs. The WCB requires records to be retained for years (e.g., 18 years for some claims under WCL § 123), far exceeding NYHIPA’s timeline. Entities might need to rely on the “legal obligation” exception, but ambiguity around what’s “strictly necessary” could lead to compliance disputes.
  4. Third-Party Interactions
    • WC administration often involves service providers (e.g., IT vendors, legal counsel, or independent medical examiners). NYHIPA mandates contracts with these providers restricting RHI use, and service providers must notify regulated entities before further disclosures. This could add administrative burdens and costs, slowing down processes like independent medical exams or fraud investigations.
  5. Exemption Gaps
    • While HIPAA-covered providers (e.g., doctors submitting C-4 forms) are exempt when handling PHI, data shared with non-HIPAA WC entities might lose that protection. For instance, a claimant’s health data from a non-HIPAA source (like a fitness app) used in a claim could trigger NYHIPA obligations for the insurer or employer.
    • The WCB itself is exempt as a government entity, but private entities interacting with it (e.g., insurers filing reports) must comply with NYHIPA for non-exempt data.
  6. Operational and Cost Implications
    • Compliance would require WC entities to overhaul data systems, train staff, update contracts, and possibly halt certain data uses (e.g., analytics for cost control) unless authorized. Smaller employers or insurers might struggle with these costs, potentially increasing premiums or reducing efficiency.
    • The private right of action heightens risk, as claimants could sue over perceived violations, adding litigation to an already dispute-prone system.

Practical Effects and Uncertainties

  • Streamlined Exemptions Needed: WC relies on fluid data exchange authorized by state law (WCL § 110-a), which aligns with HIPAA’s flexibility for WC disclosures. NYHIPA’s rigid framework might unintentionally hinder this, unless clarified to fully exempt WC-related processing under the “legal obligation” clause.
  • Conflict with Existing Systems: The WCB encourages quick provider-insurer communication (e.g., for disability verification), but NYHIPA’s rules could impose barriers, especially for non-HIPAA data sources increasingly used in claims (e.g., telehealth records).
  • Potential Benefits: Enhanced privacy could build trust among workers, encouraging reporting of injuries, but only if administration isn’t overly bogged down.

Conclusion

If signed into law, NYHIPA could reshape WC claims administration by imposing new privacy hurdles on non-HIPAA entities and data, potentially slowing claims processing and raising costs unless exemptions or guidance align it with WC’s unique needs. Stakeholders—insurers, TPAs, employers—might push for amendments or WCB regulations to harmonize NYHIPA with existing practices, leveraging the “legal obligation” exception to preserve efficiency. Until clarified, the law’s broad reach risks creating compliance chaos in a system already balancing speed, fairness, and regulatory demands.

Please trust that we will continue to monitor the NYHIPA Senate Bill and that we will update and advise accordingly when and if it is signed into law.

For more information or immediate guidance, contact: