Understanding S929: Digital Data Regulation

S929, known as the Health Information Privacy Act (NY HIPA), is proposed legislation in New York State that seeks to significantly expand protections for health information. While it intends to align more closely with evolving privacy risks in a digital landscape, the bill currently includes sweeping coverage that may inadvertently burden a wide array of organizations.

Take Action Learn More

With no action yet from the Governor and no implementation guidelines issued by the Attorney General, now is the moment for stakeholders to speak up.

Raise your concerns and advocate for commonsense fixes that preserve the bill’s intent while protecting small businesses, nonprofits, family associations, and faith communities. Make your voice heard, and contact the Governor’s office today.

Overview

Key Provisions of S929 Legislation

Here is a high-level overview of the legislation, key concerns, and potential implications.

Visit the page for your stakeholder group to explore tailored insights and take action.

Urge Governor Kathy Hochul to adopt balanced, common-sense amendments that protect privacy without placing undue burdens on organizations like yours.

Take Action

Learn More

Covers a Wide Array of Data and Information

The bill as drafted extends burdensome requirements to everyday information routinely collected by community organizations, such as attendance logs, volunteer sign-in sheets, or basic program participation records.

Increases Data Handling and Compliance Costs

Extends privacy obligations to any entity that collects, stores, processes, or transmits health data, regardless of whether they are healthcare providers.

Limited Exemptions

Does not provide exemptions for:

Nonprofit organizations
Small businesses
Civic and community groups
Religious or faith-based institutions
Educational institutions
Employers or HR departments

Grants Enforcement Authority

Grants the Attorney General enforcement authority, though specific rules, penalties, or compliance timelines have not yet been issued. These include up to $15k per violation in civil penalties.

Concerns & Gaps

No implementation guidance issued by the Attorney General, leaving a compliance vacuum.

Administrative burden without accompanying funding or technical assistance, particularly for smaller entities.

Lacks clarity on what counts as information connected to an individual’s physical or mental health under the expanded definitions.

Disproportionate impact on organizations that are not traditionally health-focused but may collect incidental health data.

Take Action

Learn More

The Solution

While S929 aims to close important privacy loopholes in an era of big data and reproductive health surveillance, its current structure risks overreaching and harming the very communities it seeks to protect. Lawmakers and regulators should consider:

01 Clear exemptions or safe harbors for community-based and non-health-focused entities.

02 Phased implementation with technical support and education

03 Narrowing definitions to avoid capturing incidental or non-sensitive uses of health-related data.

Take Action

Learn more

Protect Our Communities

Click below to learn about the impact on your community group.

Parent Associations

Learn More

Faith Groups

Learn More

Small Businesses

Learn More

Nonprofit and
Civic Organizations

Learn More

Take Action

Email Governor Hochul to Advocate for You

Select your group below to use the appropriate email form.
Use the fields on the left to personalize your email to Governor Hochul.

Thank you! Your message has been sent!

Oops! There was an error with your submission.

Preview

To: Governor Kathy Hochul
Subject: Protect Parent Groups and Family Networks in S929 Implementation

Hi, my name is [First Name] [Last Name], a member of a parent and family support organization based in New York.

[personal message]

We support the intention behind S929 to strengthen protections for personal health information. However, we are very concerned that the bill’s current language may unintentionally include parent groups, peer networks, and family support organizations under its scope—despite the fact that we are not healthcare providers.

Our group helps families navigate challenges like pregnancy, childcare, postpartum health, and mental wellness. In doing so, we may share or collect incidental health-related information—not as part of a clinical process, but as part of mutual support. Under the current definitions in S929, these basic peer interactions could be subject to complex compliance rules—and expose us to high penalties, even for good-faith efforts to help families.

We respectfully urge you to consider the following changes:

Include clear exemptions or safe harbors for parent groups and family support networks,

Clarify what types of informal support or incidental health info are not intended to be regulated,

Ensure penalties are proportionate, and that enforcement focuses on education and intent.

Thank you for your leadership on protecting personal data, and for taking the time to consider the impact this legislation could have on the communities that families trust and rely on every day.

Sincerely,
[First Name] [Last Name]
[Email]

Thank you! Your message has been sent!

Oops! There was an error with your submission.

Preview

To: Governor Kathy Hochul
Subject: Concerns from Faith-Based Institutions About S929

Hi, my name is [First Name] [Last Name], a member of a faith group, based in New York.

[personal message]

We strongly support the purpose of S929—to enhance protections for health information in our digital world. However, as a faith-based institution, we are deeply concerned about how this bill could impact our ability to offer counseling, support groups, and spiritual guidance that sometimes touches on health-related topics.

Because the definitions in S929 are so broad and there are no exemptions for religious institutions, we may be exposed to harsh penalties without understanding how or why we’re in violation.

We ask that you:

Include explicit protections for religious and spiritual care services,

Clarify the scope of what constitutes “health information” in the context of ministry,

Ensure enforcement is flexible, educational, and respectful of First Amendment rights.

Thank you for your leadership and dedication to both privacy and the values of compassion and community. We appreciate your consideration of faith institutions in these important conversations.

Sincerely,
[First Name] [Last Name]
[Email]

Thank you! Your message has been sent!

Oops! There was an error with your submission.

Preview

To: Governor Kathy Hochul
Subject: Concerns from NY Small Businesses About S929 – Health Information Privacy Act

Hi, my name is [First Name] [Last Name], and I am a part of a small business, based in New York.

[personal message]

I support the intention of S929 to strengthen protections for personal health information. However, I’m writing to share my deep concerns about the impact this bill will have on small businesses like mine.

S929 applies broad privacy requirements to routine employer functions—such as handling sick leave, insurance paperwork, and wellness benefits—without providing clarity, support, or a grace period. Even more concerning, the bill authorizes high penalties for violations, even if they result from misunderstandings or unintentional non-compliance.

For small employers, this creates an unmanageable risk. We don’t have in-house legal or compliance teams, and without explicit exemptions or state-issued guidance, we are left vulnerable.

I respectfully urge you to:

Include carve-outs or exemptions for small businesses,

Clarify the scope of “covered” HR data,

Provide implementation support and scale penalties to intent and organizational size.

Thank you for your leadership and attention to this issue. We appreciate your commitment to protecting New Yorkers’ privacy and ask that you ensure this bill doesn’t unintentionally penalize the very employers working to support our communities.

Sincerely,
[First Name] [Last Name]
[Email]

Thank you! Your message has been sent!

Oops! There was an error with your submission.

Preview

To: Governor Kathy Hochul
Subject: Community Concerns About S929’s Reach and Enforcement

Hi, my name is [First Name] [Last Name], a member of a civic/community-based organization based in New York.

[personal message]

We support the intention of S929 to safeguard New Yorkers’ personal health information. However, we are extremely concerned about how this bill may unintentionally impact grassroots and volunteer-led groups like ours.

Because of how broadly “health information” is defined, our health fairs, surveys, or resource drives may fall under the law—even when health services are only a small part of our programming. Most alarming, the bill introduces significant penalties for violations, despite the absence of clear compliance guidance.

We respectfully ask that you consider:

Carving out exemptions for small, community-based organizations,

Clarifying what kinds of data or activity fall under the law,

Scaling penalties and focusing enforcement on bad actors, not good-faith service providers.

Thank you for your leadership and commitment to protecting both health data and the communities working hard to improve access and equity on the ground.

Sincerely,
[First Name] [Last Name]
[Email]

With no action yet from the Governor and no implementation guidelines issued by the Attorney General, now is the moment for stakeholders to speak up.

Parent Associations

Faith Groups

Small Businesses

Nonprofit and Civic Organizations

Key Provisions of S929 Legislation

Covers a Wide Array of Data and Information

Increases Data Handling and Compliance Costs

Limited Exemptions

Grants Enforcement Authority

Concerns & Gaps

No implementation guidance issued by the Attorney General, leaving a compliance vacuum.

Administrative burden without accompanying funding or technical assistance, particularly for smaller entities.

Lacks clarity on what counts as information connected to an individual’s physical or mental health under the expanded definitions.

Disproportionate impact on organizations that are not traditionally health-focused but may collect incidental health data.

The Solution

01

Clear exemptions or safe harbors for community-based and non-health-focused entities.

02

Phased implementation with technical support and education

03

Narrowing definitions to avoid capturing incidental or non-sensitive uses of health-related data.

Protect Our Communities

Parent Associations

Faith Groups

Small Businesses

Nonprofit and Civic Organizations

Email Governor Hochul to Advocate for You

Nonprofit and
Civic Organizations

Nonprofit and
Civic Organizations