New York’s governor vetoes popular health data privacy bill

States have been increasingly creating more stringent consumer data protections as it becomes easier to access sensitive patient health data digitally (ChatGPT’s new health tool, anyone?).

That is, except New York. Because on Dec. 19, Gov. Kathy Hochul vetoed the New York Health Information Privacy Act (NYHIPA), which had passed through the state’s Legislature in January 2025.

The law would have given patients more control over their health data that isn’t protected under the federal Health Insurance Portability and Accountability Act (HIPAA), which largely covers privacy in a pre-digital healthcare landscape, and it would have impacted any organizations or individuals processing a New York resident’s health information.

In her veto memo, Hochul wrote that “while well intentioned, the bill’s definitions and scope are broad, creating potentially significant uncertainty about the information subject to regulation and compliance challenges for consumers, businesses, and nonprofits.”

“Entities acting in good faith or those who are subject to other privacy/confidentiality frameworks will face additional risks, which may discourage innovation or limit access to otherwise useful information,” the governor added.

The bill had strong support in the state’s Legislature, however, and the veto hasn’t exactly been well received by lawmakers.

“At a time when Americans’ privacy rights are under fierce attack, Governor Hochul has put the interests of Big Tech over protecting regular New Yorkers,” State Senator Liz Kreuger and Assemblymember Linda Rosenthal said in a joint statement.

Against the grain. States are no longer waiting on federal regulations to come into effect in tech and are instead creating state-specific recommendations.

NYHIPA would have followed in the footsteps of states like California, which has been regulating the collection and sale of consumer data since 2018 through its Consumer Privacy Act, and Washington, which signed a law in 2023 that applies specifically to any business that uses health data, regardless of size.

A 2024 survey from venture fund and advisory firm Rock Health found that 53% of people in the US have wearables that track their health data. The US wearables market was worth $15+ billion in 2022, and Fortune Business Insights projected it will grow 17.6% annually through 2030.

Tools like wellness and meditation apps and sleep trackers “frequently operate outside the regulatory strictures of licensed therapy or clinical platforms,” Pat McGloin, managing director of health and life sciences at digital marketing and technology agency Merge, told us via email.

“Furthermore, standard analytics platforms are often not designed to handle protected health information in a compliant manner, creating a risk where sensitive member details or insurance information can be inappropriately collected and exposed,” he added.

But this veto isn’t necessarily final. The New York House and Senate can override it with a two-thirds majority.

“Instead of empowering New Yorkers by giving them control over how their health data is used, the governor has chosen to allow these companies to keep monetizing our most intimate information to boost their profits,” Krueger and Rosenthal said in their statement.