For thirty years, “health data privacy” in the United States has meant one thing: HIPAA. If you were a covered entity or a business associate, you knew the rules. If you weren’t, you largely operated in open space. A period-tracking app, a mental-wellness chatbot, a pharmacy-discount website, a connected scale, an advertising network that infers someone is pregnant from their browsing — none of these are HIPAA-covered, and for most of their existence they have collected, inferred, and monetized health information with almost no federal constraint.

That space just closed in the largest media market in the country.

On June 3, 2026, the New York State Senate passed S-9269, the New York Health Information Privacy Act (NYHIPA). The Assembly passed it the following day, June 4. The bill now sits on Governor Hochul’s desk. If she signs it — and after two consecutive years of the legislature sending health-privacy bills forward, the political momentum is real — New York will have the most expansive non-HIPAA health data statute in the United States, and it will take effect six months after enactment.

This is not a comprehensive privacy law like the ones in California or Connecticut. It is narrower and, in its domain, sharper. It targets one category of data — health information collected outside the healthcare system — and it regulates that category more aggressively than any state has attempted.

What “Regulated Health Information” actually means

The reach of NYHIPA comes entirely from its definition of regulated health information (RHI), and the definition is built on a two-part test.

First, the information must be reasonably linkable, directly or indirectly, to an identified or identifiable individual. Critically, “indirectly” is doing heavy lifting here: data tied to persistent identifiers — cookies, device IDs, IP addresses — counts. You do not need a name attached to the record for it to be RHI.

Second, the information must be collected or processed in connection with an individual’s past, present, or future physical or mental health status. The bill enumerates categories that make the legislative intent unmistakable:

  • Reproductive and sexual health information
  • Gender-affirming care information
  • Biometric and genetic data
  • Health-related inferences derived through algorithms or machine learning

That last category is the one that should stop every marketing and data-science team in their tracks. NYHIPA does not only regulate health data you collect. It regulates health status you infer. If your model concludes a user is likely diabetic, likely pregnant, likely seeking addiction treatment, or likely transgender — and that conclusion is linkable to a persistent identifier — you are now processing regulated health information under New York law, regardless of whether the user ever told you anything about their health.

This is the provision that pulls ad-tech, data brokers, retail loyalty programs, and consumer apps squarely into scope. The entire business model of behavioral inference is now a regulated activity when the inference touches health.

Where processing of RHI is not strictly necessary to provide a product or service the consumer requested, an entity must obtain valid authorization before processing. And the bill defines “valid authorization” with enough specificity to defeat the usual dark-pattern playbook.

An authorization request must be:

  • Separate from any other transaction or consent
  • Written in plain language
  • Displayed in at least 12-point font
  • Accompanied by a clear statement that processing is not strictly necessary, and that declining will not prevent continued use of the product or service

That final element is the teeth. You cannot condition the service on the authorization. You cannot bury it in a terms-of-service click-wrap. You cannot make “no” the harder path. The consumer who declines must be able to keep using your product exactly as before.

The 2026 version made two notable adjustments to the mechanics. It eliminated the prior draft’s 24-hour waiting period between account creation and an authorization request — a simplification businesses had asked for. But it kept the friction that matters for consumers: an entity may not re-solicit authorization within nine months of a prior denial or revocation, and must obtain fresh authorization whenever the processing materially changes. You get one ask, then you wait the better part of a year.

What is carved out

NYHIPA is deliberately scoped to the gap HIPAA leaves, so the exclusions are broad and important:

  • HIPAA-covered entities and business associates acting in that capacity
  • 42 CFR Part 2 substance-use-disorder programs
  • FDA-regulated clinical activities
  • Employment information and several other enumerated categories

The point is not to double-regulate the clinical system. It is to govern everyone else — the consumer-facing businesses that “collect or infer RHI outside traditional healthcare settings.” If your organization is already a HIPAA covered entity for its core operations, note carefully that your non-clinical consumer products and marketing surfaces may still fall under NYHIPA even though your clinical operations do not.

Enforcement: the Attorney General, $15,000 per violation, six-year lookback

NYHIPA is enforced exclusively by the New York Attorney General. There is no private right of action — a deliberate choice that distinguishes it from the path Massachusetts is taking (more on that in our companion analysis of the Massachusetts Consumer Data Privacy Act).

But the AG’s toolkit is substantial:

  • Injunctive relief
  • Restitution and disgorgement of profits
  • Civil penalties of up to $15,000 per violation
  • A six-year statute of limitations

“Per violation” is the phrase that converts this from a manageable risk into an existential one. In a data context, violations are counted per consumer, per record, or per processing event. An entity that processes the inferred health data of a million New Yorkers without valid authorization is not looking at a $15,000 problem. The six-year lookback compounds it, reaching back across years of accumulated processing. Courts are directed to weigh severity and good-faith compliance efforts when setting penalties — which means a documented, genuine compliance program is itself a mitigation strategy.

Why this matters beyond New York

Three reasons this is bigger than one state.

First, market size. New York is too large to treat as a carve-out. Few national consumer businesses will build a separate, weaker data regime for everyone else and a NYHIPA-compliant one only for New York residents. The path of least resistance is to raise the floor everywhere, the way California’s privacy rules became a de facto national standard.

Second, the inference trigger is a new model. Washington’s My Health My Data Act broke ground in 2023 by regulating “consumer health data” outside HIPAA with a private right of action. NYHIPA extends the logic to algorithmic health inferences in explicit statutory text. This is the direction of travel: regulators have understood that the privacy harm is not only in the data you are told, but in the conclusions you reach. Expect other states to copy the language.

Third, it lands in a year of state-law acceleration. Twenty states now have comprehensive privacy laws in effect, with New York layering a sector-specific health statute on top. The era in which non-HIPAA health data was effectively unregulated in the U.S. is ending, and it is ending state by state rather than waiting for Congress.

What to do now

If your organization collects, processes, or infers health-related information about New York residents and you are not a HIPAA-covered entity for that activity, treat the next six months as a compliance runway, not a wait-and-see period. Concretely:

  1. Run a health-inference audit. Map every place your systems derive a health-related conclusion — segments, lookalike audiences, recommendation models, risk scores. Inferences are RHI. You cannot govern what you have not inventoried.
  2. Separate health data flows from your general consent architecture. NYHIPA authorization must be standalone, plain-language, 12-point, and non-conditioned. A bundled cookie banner will not satisfy it.
  3. Kill the sale of health-linked data. Map any data-sharing arrangement that could constitute a sale of RHI and shut it down or re-paper it. This is where the largest penalties will originate.
  4. Build the nine-month suppression logic. Your consent platform must record denials and revocations and suppress re-solicitation for nine months. Few systems do this today.
  5. Document good-faith effort. Because courts must weigh it, a dated, written compliance record is a direct penalty-mitigation asset.
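
One way to implement the suppression and re-authorization rules from step 4 (and the material-change rule noted under the 2026 adjustments), as an added example that is not from this article or any named product. It assumes a per-purpose consent ledger keyed by user id, a `version` integer standing in for the processing description the consumer was shown, and reads "nine months" as calendar months.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date

SUPPRESSION_MONTHS = 9  # no re-solicitation within nine months of a denial or revocation

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day (31 May + 9 months -> 29 Feb in a leap year)."""
    y, m0 = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m0 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

@dataclass
class Decision:
    outcome: str   # "granted" | "denied" | "revoked"
    on: date       # date the consumer decided
    version: int   # assumed: identifies the processing description the consumer was shown

@dataclass
class ConsentLedger:
    # (user_id, purpose) -> decision history, oldest first; a real system would persist this
    history: dict = field(default_factory=dict)

    def record(self, user_id: str, purpose: str, outcome: str, on: date, version: int) -> None:
        if outcome not in ("granted", "denied", "revoked"):
            raise ValueError(f"unknown outcome {outcome!r}")
        self.history.setdefault((user_id, purpose), []).append(Decision(outcome, on, version))

    def latest(self, user_id: str, purpose: str):
        hist = self.history.get((user_id, purpose))
        return hist[-1] if hist else None

    def is_authorized(self, user_id: str, purpose: str, current_version: int) -> bool:
        """A standing grant counts only for the processing description it was given for."""
        last = self.latest(user_id, purpose)
        return last is not None and last.outcome == "granted" and last.version == current_version

    def may_solicit(self, user_id: str, purpose: str, today: date) -> bool:
        """Suppress new authorization requests for nine months after a denial or revocation.
        Conservative reading: a material change to the processing does not reset the window."""
        last = self.latest(user_id, purpose)
        if last is None or last.outcome == "granted":
            return True
        return today >= add_months(last.on, SUPPRESSION_MONTHS)

    def gate(self, user_id, purpose, today, current_version, strictly_necessary=False) -> str:
        if strictly_necessary or self.is_authorized(user_id, purpose, current_version):
            return "process"   # requested-service processing, or a valid standing grant
        if self.may_solicit(user_id, purpose, today):
            return "ask"       # show a standalone, plain-language authorization request
        return "suppress"      # inside the nine-month window: neither process nor re-ask
```

`gate` is the single call a data pipeline would make before deriving or using a health inference for a New York user; anything other than `"process"` means the inference must not be produced.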

The companies most exposed here are precisely the ones that have never thought of themselves as “health” companies — retailers, app developers, advertising platforms, and data brokers whose models happen to touch health. For thirty years, being outside HIPAA meant being outside health-privacy law. In New York, that is no longer true.

This article is provided for informational purposes only and does not constitute legal advice.