New Yorkers are facing a critical juncture in health data privacy legislation, as a proposed law, the New York Health Information Privacy Act, threatens to impose heavy burdens on the state's small businesses while aiming to protect sensitive health information. The bill, known as S.929, passed through both chambers of the New York legislature in a matter of days, raising concerns among business leaders and health professionals about its sweeping implications.
The act, while designed to secure personal health data, is criticized for its broad definitions and vague language, which could inadvertently ensnare a wide range of businesses unrelated to health care. As it stands, the bill defines "regulated health information" so broadly that even a simple transaction at a pharmacy or a telehealth session could trigger strict compliance requirements. This expansive scope means that businesses that merely process payments or store data could find themselves subject to the same complex regulations as major hospitals.
According to the U.S. Small Business Administration, small businesses constitute 99.8% of all businesses in New York, numbering around 2.2 million entities. For these small businesses, compliance with S.929 would not simply involve a few administrative adjustments. Instead, it could necessitate extensive legal reviews, the implementation of costly technical safeguards, and rigid consent protocols that many cannot afford.
One particularly alarming provision of the bill is a mandated 24-hour waiting period after a consumer creates an account before they can authorize the use of their data. Critics argue that this requirement could hinder timely access to necessary health care services, especially for telehealth providers. In urgent situations, a full day’s delay in accessing care could be detrimental, contradicting the very purpose of protecting privacy.
Megan Stokes, the State Policy Director for the Computer & Communications Industry Association, asserts that the bill must undergo significant revisions. "Gov. Kathy Hochul must demand clear changes to the bill to ensure that New York’s important small businesses can comply without facing crushing financial and legal burdens," she stated. Stokes emphasizes the need for clarifications in definitions to prevent businesses outside of health care from being unintentionally impacted by the requirements.
Meanwhile, the U.S. Chamber of Commerce is echoing similar sentiments in Connecticut, where proposed changes to the state’s data privacy law, SB 1356, are also drawing opposition. In a letter to Governor Ned Lamont, chamber officials urged him to veto the bill, which significantly alters the Connecticut Data Privacy Act by lowering compliance thresholds and imposing stricter rules on data usage.
The Connecticut Data Privacy Act (CTDPA), established in 2022, was initially a compromise with the business community, aimed at providing residents with rights over their personal data while establishing clear responsibilities for data controllers. However, SB 1356 threatens to unravel this balance by drastically reducing the thresholds for compliance, which could place small and medium-sized businesses at a significant disadvantage.
Under the current law, exemptions apply to businesses processing the personal data of 100,000 or fewer consumers, or to those processing the data of 25,000 or fewer consumers, provided they derive 25% or less of their revenue from data sales. The new bill, however, would only exempt businesses processing the data of 35,000 or fewer consumers, or those with 10,000 or fewer consumers, deriving 20% or less of their revenue from data sales. This change could force small establishments like food trucks and coffee shops, which conduct only a handful of transactions daily, to comply with complex data minimization standards.
Chris Davis from the Connecticut Business and Industry Association (CBIA) has warned that the proposed changes could impose the same regulatory demands on a family-owned retailer with fewer than 20 employees as those faced by multinational corporations. Davis highlighted that such disparities could cripple local businesses, making it increasingly challenging for them to compete with larger firms in states with less stringent data requirements.
As the debate over data privacy legislation intensifies, privacy advocates are also voicing concerns about the potential implications of the REAL ID Act, under which a recently enforced deadline requires adults to possess compliant identification to board domestic flights and access certain facilities. Critics of the REAL ID program, including the American Civil Liberties Union (ACLU), argue that it could lead to the creation of a de facto national identification system, raising alarms about data breaches and government surveillance.
Alexis Hancock, Director of Engineering at the Electronic Frontier Foundation, articulated the risks associated with REAL ID, stating, "The program pushes for regimes that strip privacy from everyone and further marginalize undocumented people." Hancock noted that the unified standards established by REAL ID could facilitate the transfer of sensitive information across state lines, exacerbating privacy concerns.
Jay Stanley from the ACLU echoed these sentiments, emphasizing long-standing worries about standardized identity systems and their potential to track individuals. He pointed out that while the law has been implemented slowly, the risks associated with digital IDs remain a pressing issue.
In response to these concerns, a spokesperson from the Transportation Security Administration (TSA) clarified that REAL ID serves as a national set of minimum standards rather than a national identification card, maintaining that states retain control over their databases. The TSA aims to ensure that state-issued identity documents are more consistent and secure for official purposes.
As the landscape of data privacy legislation evolves, small businesses and privacy advocates alike are calling for more balanced approaches that protect consumer rights without imposing undue burdens on local enterprises. The ongoing discussions around these laws underscore the delicate balance between safeguarding personal information and fostering an environment where businesses can thrive.
The future of health data privacy in New York and data laws in Connecticut remains uncertain as stakeholders push for amendments that prioritize both consumer protection and the viability of small businesses. The outcomes of these legislative efforts will significantly shape the operational landscape for countless enterprises across the region.