STATE OF NEW YORK
________________________________________________________________________
10704
IN ASSEMBLY
July 1, 2020
___________
Introduced by COMMITTEE ON RULES -- (at request of M. of A. L. Rosenthal)
-- read once and referred to the Committee on Consumer Affairs and
Protection
AN ACT to amend the general business law, in relation to electronic
health products and services
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEMBLY,
DO ENACT AS FOLLOWS:
Section 1. The general business law is amended by adding a new article
42 to read as follows:
ARTICLE 42
ELECTRONIC HEALTH PRODUCTS AND SERVICES
SECTION 1100. DEFINITIONS.
1101. ELECTRONIC HEALTH PRODUCTS AND SERVICES; PRIVACY.
§ 1100. DEFINITIONS. FOR THE PURPOSES OF THIS ARTICLE, THE FOLLOWING
TERMS SHALL HAVE THE FOLLOWING MEANINGS:
1. "DEACTIVATION" MEANS A USER'S DELETION, REMOVAL, OR OTHER ACTION
MADE TO TERMINATE HIS OR HER USE OF AN ELECTRONIC HEALTH PRODUCT OR
SERVICE.
2. "ELECTRONIC HEALTH PRODUCT OR SERVICE" MEANS ANY SOFTWARE OR HARDWARE,
INCLUDING A MOBILE APPLICATION, WEBSITE, OR OTHER RELATED PRODUCT
OR SERVICE, THAT IS DESIGNED TO MAINTAIN PERSONAL HEALTH INFORMATION, IN
ORDER TO MAKE SUCH PERSONAL HEALTH INFORMATION AVAILABLE TO A USER OR TO
A HEALTH CARE PROVIDER AT THE REQUEST OF SUCH USER OR HEALTH CARE
PROVIDER, FOR THE PURPOSES OF ALLOWING SUCH USER TO MANAGE HIS OR HER
INFORMATION, OR FOR THE DIAGNOSIS, TREATMENT, OR MANAGEMENT OF A MEDICAL
CONDITION.
3. "HEALTH CARE PROVIDER" MEANS:
(A) A HOSPITAL AS DEFINED IN ARTICLE TWENTY-EIGHT OF THE PUBLIC HEALTH
LAW, A HOME CARE SERVICES AGENCY AS DEFINED IN ARTICLE THIRTY-SIX OF THE
PUBLIC HEALTH LAW, A HOSPICE AS DEFINED IN ARTICLE FORTY OF THE PUBLIC
HEALTH LAW, A HEALTH MAINTENANCE ORGANIZATION AS DEFINED IN ARTICLE
FORTY-FOUR OF THE PUBLIC HEALTH LAW, OR A SHARED HEALTH FACILITY AS
DEFINED IN ARTICLE FORTY-SEVEN OF THE PUBLIC HEALTH LAW; OR
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD16757-01-0
(B) A PERSON LICENSED UNDER ARTICLE ONE HUNDRED THIRTY-ONE, ONE
HUNDRED THIRTY-ONE-B, ONE HUNDRED THIRTY-TWO, ONE HUNDRED THIRTY-THREE,
ONE HUNDRED THIRTY-SIX, ONE HUNDRED THIRTY-NINE, ONE HUNDRED FORTY-ONE,
ONE HUNDRED FORTY-THREE, ONE HUNDRED FORTY-FOUR, ONE HUNDRED FIFTY-THREE,
ONE HUNDRED FIFTY-FOUR, ONE HUNDRED FIFTY-SIX OR ONE HUNDRED
FIFTY-NINE OF THE EDUCATION LAW.
4. "PERSONAL HEALTH INFORMATION" MEANS ANY INDIVIDUALLY IDENTIFIABLE
INFORMATION ABOUT AN INDIVIDUAL'S MENTAL OR PHYSICAL CONDITION PROVIDED
BY SUCH INDIVIDUAL, OR OTHERWISE GAINED FROM MONITORING SUCH INDIVIDUAL'S
MENTAL OR PHYSICAL CONDITION.
5. "OTHER PERSONAL DATA" MEANS ANY INDIVIDUALLY IDENTIFIABLE INFORMATION
ABOUT AN INDIVIDUAL PROVIDED BY SUCH INDIVIDUAL, OR OTHERWISE
GAINED FROM MONITORING SUCH INDIVIDUAL, OTHER THAN PERSONAL HEALTH
INFORMATION.
6. "USER" MEANS AN INDIVIDUAL WHO HAS DOWNLOADED OR USES AN ELECTRONIC
HEALTH PRODUCT OR SERVICE.
§ 1101. ELECTRONIC HEALTH PRODUCTS AND SERVICES; PRIVACY. 1. ANY
ENTITY THAT OFFERS AN ELECTRONIC HEALTH PRODUCT OR SERVICE, SHALL OBTAIN
CONSENT FROM A USER BEFORE COLLECTING ANY PERSONAL HEALTH INFORMATION OR
ANY OTHER PERSONAL DATA FROM SUCH USER.
2. IN ORDER TO OBTAIN CONSENT IN COMPLIANCE WITH SUBDIVISION ONE OF
THIS SECTION, AN ENTITY OFFERING AN ELECTRONIC HEALTH PRODUCT OR SERVICE
SHALL:
(A) DISCLOSE TO THE USER ALL PERSONAL HEALTH INFORMATION OR OTHER
PERSONAL DATA SUCH ELECTRONIC HEALTH PRODUCT OR SERVICE WILL COLLECT
FROM THE USER UPON OBTAINING CONSENT;
(B) DISCLOSE TO THE USER ANY THIRD PARTY WITH WHOM SUCH USER'S
PERSONAL HEALTH INFORMATION OR OTHER PERSONAL DATA MAY BE SHARED BY THE
ELECTRONIC HEALTH PRODUCT OR SERVICE UPON OBTAINING CONSENT;
(C) DISCLOSE TO THE USER THE PURPOSE FOR COLLECTING ANY PERSONAL
HEALTH INFORMATION OR OTHER PERSONAL DATA; AND
(D) ALLOW THE USER TO WITHDRAW CONSENT AT ANY TIME.
3. NO ELECTRONIC HEALTH PRODUCT OR SERVICE SHALL COLLECT ANY PERSONAL
HEALTH INFORMATION OR OTHER PERSONAL DATA BEYOND WHICH A USER HAS
SPECIFICALLY CONSENTED TO SHARE WITH SUCH ELECTRONIC HEALTH PRODUCT OR
SERVICE UNDER SUBDIVISION ONE OF THIS SECTION.
4. AN ELECTRONIC HEALTH PRODUCT OR SERVICE SHALL DELETE OR OTHERWISE
DESTROY ANY PERSONAL HEALTH INFORMATION OR OTHER PERSONAL DATA COLLECTED
FROM A USER IMMEDIATELY UPON SUCH USER'S REQUEST, WITHDRAWAL OF CONSENT;
OR UPON SUCH USER'S DEACTIVATION OF HIS OR HER ACCOUNT.
§ 2. This act shall take effect on the sixtieth day after it shall
have become a law.