NY State Senate Bill 2023-S158

Archive: Last Bill Status - On Floor Calendar

Introduced
- In Committee Assembly
- In Committee Senate
- On Floor Calendar Assembly
- On Floor Calendar Senate
- Passed Assembly
- Passed Senate
Delivered to Governor
Signed By Governor

Please enter your contact information

First Name

Last Name

Email Address

A valid email address is required.

Home address is used to determine the senate district in which you reside. Your support or opposition to this bill is then shared immediately with the senator who represents you.

Optional services from the NY State Senate:

Create an account. An account allows you to officially support or oppose key legislation, sign petitions with a single click, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Include a custom message for your Senator? (Optional)

Enter a message to your senator. Many New Yorkers use this to share the reasoning behind their support or opposition to the bill. Others might share a personal anecdote about how the bill would affect them or people they care about.

Actions

View Actions

Date of Action	Assembly Actions - Lowercase Senate Actions - UPPERCASE
Jun 03, 2024	ordered to third reading rules cal.310 substituted for a4983d referred to codes returned to assembly repassed senate
May 29, 2024	amended on third reading 158e
May 29, 2024	vote reconsidered - restored to third reading returned to senate recalled from assembly
Jan 22, 2024	referred to science and technology delivered to assembly passed senate
Jan 17, 2024	amended on third reading 158d
Jan 16, 2024	advanced to third reading amended 158c
Jan 09, 2024	2nd report cal.
Jan 08, 2024	1st report cal.76
Jan 03, 2024	referred to health returned to senate died in assembly
Jun 08, 2023	referred to science and technology delivered to assembly passed senate
Jun 05, 2023	amended on third reading 158b
May 16, 2023	amended on third reading (t) 158a
Mar 08, 2023	advanced to third reading
Mar 01, 2023	2nd report cal.
Feb 28, 2023	1st report cal.429
Jan 04, 2023	referred to internet and technology

Votes

- Jun 3, 2024 - Floor Vote
  S158
  
  Aye
  
  49
  
  Nay
  
  11
  
  Absent
  
  0
  
  Excused
  
  2
  
  Abstained
  
  0
  - - Floor Vote: Jun 3, 2024
      
      aye (49)
      
      Addabbo Jr.
      
      Ashby
      
      Bailey
      
      Borrello
      
      Breslin
      
      Brisport
      
      Chu
      
      Cleare
      
      Comrie
      
      Cooney
      
      Felder
      
      Fernandez
      
      Gallivan
      
      Gianaris
      
      Gonzalez
      
      Gounardes
      
      Harckham
      
      Hinchey
      
      Hoylman-Sigal
      
      Jackson
      
      Kavanagh
      
      Krueger
      
      Lanza
      
      Liu
      
      Mannion
      
      Martinez
      
      Martins
      
      May
      
      Mayer
      
      Myrie
      
      Parker
      
      Persaud
      
      Ramos
      
      Rhoads
      
      Rivera
      
      Rolison
      
      Ryan
      
      Salazar
      
      Sanders Jr.
      
      Scarcella-Spanton
      
      Sepúlveda
      
      Serrano
      
      Skoufis
      
      Stavisky
      
      Stec
      
      Stewart-Cousins
      
      Tedisco
      
      Thomas
      
      Webb
      
      nay (11)
      
      Canzoneri-Fitzpatrick
      
      Griffo
      
      Helming
      
      Mattera
      
      Murray
      
      O'Mara
      
      Oberacker
      
      Ortt
      
      Palumbo
      
      Weber
      
      Weik
      
      excused (2)
      
      Brouk
      
      Walczyk
  Jan 22, 2024 - Floor Vote
  S158
  
  Aye
  
  61
  
  Nay
  
  0
  
  Absent
  
  0
  
  Excused
  
  2
  
  Abstained
  
  0
  - - Floor Vote: Jan 22, 2024
      
      aye (61)
      
      Addabbo Jr.
      
      Ashby
      
      Bailey
      
      Borrello
      
      Breslin
      
      Brisport
      
      Brouk
      
      Canzoneri-Fitzpatrick
      
      Chu
      
      Cleare
      
      Comrie
      
      Cooney
      
      Felder
      
      Fernandez
      
      Gallivan
      
      Gianaris
      
      Gonzalez
      
      Gounardes
      
      Griffo
      
      Harckham
      
      Helming
      
      Hinchey
      
      Hoylman-Sigal
      
      Jackson
      
      Kavanagh
      
      Kennedy
      
      Krueger
      
      Lanza
      
      Liu
      
      Mannion
      
      Martinez
      
      Martins
      
      Mattera
      
      May
      
      Mayer
      
      Murray
      
      Myrie
      
      O'Mara
      
      Ortt
      
      Palumbo
      
      Parker
      
      Persaud
      
      Ramos
      
      Rhoads
      
      Rivera
      
      Rolison
      
      Ryan
      
      Salazar
      
      Sanders Jr.
      
      Scarcella-Spanton
      
      Sepúlveda
      
      Serrano
      
      Skoufis
      
      Stavisky
      
      Stec
      
      Stewart-Cousins
      
      Tedisco
      
      Thomas
      
      Webb
      
      Weber
      
      Weik
      
      excused (2)
      
      Oberacker
      
      Walczyk
  Jun 8, 2023 - Floor Vote
  S158
  
  Aye
  
  61
  
  Nay
  
  1
  
  Absent
  
  0
  
  Excused
  
  1
  
  Abstained
  
  0
  - - Floor Vote: Jun 8, 2023
      
      aye (61)
      
      Addabbo Jr.
      
      Ashby
      
      Bailey
      
      Borrello
      
      Breslin
      
      Brisport
      
      Brouk
      
      Canzoneri-Fitzpatrick
      
      Chu
      
      Cleare
      
      Comrie
      
      Felder
      
      Fernandez
      
      Gallivan
      
      Gianaris
      
      Gonzalez
      
      Gounardes
      
      Griffo
      
      Harckham
      
      Helming
      
      Hinchey
      
      Hoylman-Sigal
      
      Jackson
      
      Kavanagh
      
      Kennedy
      
      Krueger
      
      Lanza
      
      Liu
      
      Mannion
      
      Martinez
      
      Martins
      
      Mattera
      
      May
      
      Mayer
      
      Murray
      
      Myrie
      
      O'Mara
      
      Oberacker
      
      Ortt
      
      Palumbo
      
      Parker
      
      Persaud
      
      Ramos
      
      Rhoads
      
      Rivera
      
      Rolison
      
      Ryan
      
      Salazar
      
      Sanders Jr.
      
      Scarcella-Spanton
      
      Sepúlveda
      
      Serrano
      
      Skoufis
      
      Stavisky
      
      Stec
      
      Stewart-Cousins
      
      Tedisco
      
      Thomas
      
      Webb
      
      Weber
      
      Weik
      
      nay (1)
      
      Walczyk
      
      excused (1)
      
      Cooney
  Feb 28, 2023 - Internet And Technology Committee Vote
  S158
  
  Aye
  
  5
  
  Nay
  
  1
  
  Aye with Reservations
  
  1
  
  Absent
  
  0
  
  Excused
  
  0
  
  Abstained
  
  0
  - - Internet And Technology Committee Vote: Feb 28, 2023
      
      aye (5)
      
      Brouk
      
      Comrie
      
      Gonzalez
      
      Parker
      
      Ryan
      
      nay (1)
      
      Walczyk
      
      aye wr (1)
      
      Stec
  Jan 8, 2024 - Health Committee Vote
  S158
  
  Aye
  
  15
  
  Nay
  
  0
  
  Aye with Reservations
  
  0
  
  Absent
  
  0
  
  Excused
  
  0
  
  Abstained
  
  0
  - - Health Committee Vote: Jan 8, 2024
      
      aye (15)
      
      Ashby
      
      Brouk
      
      Felder
      
      Gallivan
      
      Hoylman-Sigal
      
      Mannion
      
      Martins
      
      May
      
      Myrie
      
      Rhoads
      
      Rivera
      
      Salazar
      
      Stec
      
      Thomas
      
      Webb

Bill Amendments

Original

E (Active)

co-Sponsors

2023-S158 - Details

Law Section:: General Business Law
Laws Affected:: Add Art 42 §§1100 - 1103, Gen Bus L
Versions Introduced in 2025-2026 Legislative Session:: S929

2023-S158 - Summary

Provides for the protection of health information; establishes requirements for communications to individuals about their health information; requires either written consent or a designated necessary purpose for the processing of an individual's health information.

2023-S158 - Sponsor Memo

                                 
BILL NUMBER: S158

SPONSOR: KRUEGER
 
TITLE OF BILL:

An act to amend the general business law, in relation to privacy stand-
ards for electronic health products and services and permissible data
brokering

 
PURPOSE OR GENERAL IDEA OF BILL:

This bill would govern companies that collect and sell healthcare infor-
mation, and provides additional rights and protections to users related
to the sale and of their private health information.

 
SUMMARY OF SPECIFIC PROVISIONS:

Section one creates a new article to the General Business Law to govern
the collection of data for electronic health products and services.

Section 1100 creates various definitions that will be used in the rest
of the bill.

Section 1101 makes it unlawful for a covered organization to engage in
data processing, geofencing or data brokering without meeting specific
thresholds related to a need for the data and consent from the user.

Section 1102 creates a private right of action for users that have been
injured a result of a violation of this article.

Section 1103 excludes any actions that are HIPAA compliant from being
governed by this article.

Section 2. Severability

Section 3. Effective Date

 
JUSTIFICATION:

Most residents of the State are under the impression that HIPAA protects
them and their health data from being accessed by third-parties and sold
by and to other organizations. Residents are generally unaware that
their technology is constantly tracking their movements, and geolocation
data is being sold to companies for the purposes of targeted advertise-
ments or tracking. Most users also do not have an understanding of how
much information is being collected, stored, and sold for the benefit of
third-parties. For example, a mobile app to track menstruation cycles
was recently caught selling users' data to antiabortion advocacy organ-
izations.

This bill creates a legal framework for residents to reclaim and retain
control of their healthcare information. Electronic apps or websites
that are designed to provide a diagnosis or retain health information
will be required to receive affirmative consent by the user to retain
such information and would need separate consent to sell such informa-
tion to third-parties.

The legislation also bans the practice of using geolocation at health-
care facilities to target advertisements to individuals. Many companies
offering healthcare products, treatments, or alternatives currently use
geofencing at healthcare facilities to identify potential customers for
their products, and send targeted advertisements to users while they are
at the health facility or shortly their departure.

 
PRIOR LEGISLATIVE HISTORY:

2022: S.9599 - Referred to Rules

 
FISCAL IMPLICATIONS:

None to the State.

 
EFFECTIVE DATE:
This act shall take effect on the sixtieth day after it shall have
become law.

2023-S158 - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                    158
 
                        2023-2024 Regular Sessions
 
                             I N  S E N A T E
 
                                (PREFILED)
 
                              January 4, 2023
                                ___________
 
 Introduced  by  Sen. KRUEGER -- read twice and ordered printed, and when
   printed to be committed to the Committee on Internet and Technology
 
 AN ACT to amend the general business law, in relation to privacy  stand-
   ards  for electronic health products and services and permissible data
   brokering

   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. The general business law is amended by adding a new article
 42 to read as follows:
                                ARTICLE 42
                  ELECTRONIC HEALTH PRODUCTS AND SERVICES
 
 SECTION 1100. DEFINITIONS.
         1101. ELECTRONIC HEALTH PRODUCTS AND SERVICES; PRIVACY.
         1102. PRIVATE RIGHT OF ACTION.
         1103. ACTIONS THAT ARE HIPAA COMPLIANT.
   §  1100.  DEFINITIONS. FOR THE PURPOSES OF THIS ARTICLE, THE FOLLOWING
 TERMS SHALL HAVE THE FOLLOWING MEANINGS:
   1. "CONSENT" MEANS AN  ACTION  WHICH  (A)  CLEARLY  AND  CONSPICUOUSLY
 COMMUNICATES THE INDIVIDUAL'S VOLUNTARY AUTHORIZATION OF AN ACT OR PRAC-
 TICE;  (B) IS MADE IN THE ABSENCE OF ANY MECHANISM IN THE USER INTERFACE
 THAT HAS THE PURPOSE OR SUBSTANTIAL EFFECT OF OBSCURING, SUBVERTING,  OR
 IMPAIRING DECISION MAKING OR CHOICE TO OBTAIN CONSENT; AND (C) CANNOT BE
 INFERRED  FROM  INACTION. A REQUEST FOR CONSENT SHALL BE PROVIDED TO THE
 INDIVIDUAL IN A CLEAR AND CONSPICUOUS DISCLOSURE, APART FROM ANY PRIVACY
 POLICY, TERMS OF SERVICE, TERMS OF USE, GENERAL RELEASE, USER AGREEMENT,
 OR OTHER SIMILAR DOCUMENT, OF ALL INFORMATION MATERIAL TO THE  PROVISION
 OF CONSENT.
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD01105-01-3
 S. 158                              2

 
   2.  "DEACTIVATION"  MEANS  A USER'S DELETION, REMOVAL, OR OTHER ACTION
 MADE TO TERMINATE HIS OR HER USE OF  AN  ELECTRONIC  HEALTH  PRODUCT  OR
 SERVICE.
   3.  "ELECTRONIC HEALTH PRODUCT OR SERVICE" MEANS ANY SOFTWARE OR HARD-
 WARE, INCLUDING A MOBILE APPLICATION, WEBSITE, OR OTHER RELATED  PRODUCT
 OR  SERVICE,  THAT  IS DESIGNED TO MAINTAIN PERSONAL HEALTH INFORMATION,
 DESIGNED TO DIAGNOSE OR DESIGNED TO INFER A MEDICAL DIAGNOSIS, IN  ORDER
 TO  MAKE  SUCH  PERSONAL  HEALTH INFORMATION AVAILABLE TO A USER OR TO A
 HEALTH CARE PROVIDER AT THE REQUEST OF SUCH USER OR HEALTH CARE  PROVID-
 ER, FOR THE PURPOSES OF ALLOWING SUCH USER TO MANAGE HIS OR HER INFORMA-
 TION, OR FOR THE DIAGNOSIS, INFERRED DIAGNOSIS, TREATMENT, OR MANAGEMENT
 OF A MEDICAL CONDITION.
   4. "HEALTH CARE PROVIDER" MEANS:
   (A) A HOSPITAL AS DEFINED IN ARTICLE TWENTY-EIGHT OF THE PUBLIC HEALTH
 LAW, A HOME CARE SERVICES AGENCY AS DEFINED IN ARTICLE THIRTY-SIX OF THE
 PUBLIC  HEALTH  LAW, A HOSPICE AS DEFINED IN ARTICLE FORTY OF THE PUBLIC
 HEALTH LAW, A HEALTH MAINTENANCE  ORGANIZATION  AS  DEFINED  IN  ARTICLE
 FORTY-FOUR  OF  THE  PUBLIC  HEALTH  LAW, OR A SHARED HEALTH FACILITY AS
 DEFINED IN ARTICLE FORTY-SEVEN OF THE PUBLIC HEALTH LAW; OR
   (B) A PERSON  LICENSED  UNDER  ARTICLE  ONE  HUNDRED  THIRTY-ONE,  ONE
 HUNDRED  THIRTY-ONE-B, ONE HUNDRED THIRTY-TWO, ONE HUNDRED THIRTY-THREE,
 ONE HUNDRED THIRTY-SIX, ONE HUNDRED THIRTY-NINE, ONE HUNDRED  FORTY-ONE,
 ONE  HUNDRED  FORTY-THREE,  ONE  HUNDRED  FORTY-FOUR, ONE HUNDRED FIFTY-
 THREE, ONE HUNDRED FIFTY-FOUR, ONE  HUNDRED  FIFTY-SIX  OR  ONE  HUNDRED
 FIFTY-NINE OF THE EDUCATION LAW.
   5.  "PERSONAL  HEALTH INFORMATION" MEANS ANY INDIVIDUALLY IDENTIFIABLE
 INFORMATION ABOUT AN INDIVIDUAL'S MENTAL OR PHYSICAL CONDITION  PROVIDED
 BY  SUCH  INDIVIDUAL,  OR OTHERWISE GAINED FROM MONITORING SUCH INDIVID-
 UAL'S MENTAL OR PHYSICAL CONDITION.
   6. "USER" MEANS AN INDIVIDUAL WHO HAS DOWNLOADED OR USES AN ELECTRONIC
 HEALTH PRODUCT OR SERVICE.
   7. "CONSUMER DATA" MEANS ANY INFORMATION THAT IDENTIFIES, RELATES  TO,
 DESCRIBES, IS CAPABLE OF BEING  ASSOCIATED  WITH, OR COULD REASONABLY BE
 LINKED,  EITHER  DIRECTLY  OR  INDIRECTLY,  WITH  A  PARTICULAR CONSUMER
 REGARDLESS IF SUCH DATA CAN BE DERIVED BY THE  CONSUMER,  HOUSEHOLD,  OR
 CONSUMER DEVICE OR DERIVED FROM OTHER SOURCES SUCH AS AN INTERNET PROTO-
 COL ADDRESS.
   8. "DATA PROCESSING" MEANS THE COLLECTION, USE, DISCLOSURE, RETENTION,
 OR PROCESSING OF PERSONAL HEALTH INFORMATION OR OTHER DATA.
   9.  "COVERED  ORGANIZATION"  MEANS AN ENTITY, INCLUDING A DATA BROKER,
 THAT OFFERS AN ELECTRONIC HEALTH PRODUCT OR SERVICE THAT IS  SUBJECT  TO
 THE PROVISIONS OF THIS ARTICLE.
   10.  "DATA  BROKER"  MEANS  A  PERSON  OR  ENTITY THAT COLLECTS, BUYS,
 LICENSES, OR INFERS DATA ABOUT INDIVIDUALS AND THEN SELLS, LICENSES,  OR
 TRADES THAT DATA.
   11. "DIGITAL ADVERTISER" MEANS ANY PERSON, CORPORATION, PARTNERSHIP OR
 ASSOCIATION THAT DELIVERS DIGITAL ADVERTISEMENTS BY ELECTRONIC MEANS.
   12.  "DIGITAL ADVERTISEMENT" SHALL INCLUDE ANY COMMUNICATION DELIVERED
 BY ELECTRONIC MEANS THAT IS INTENDED TO BE  USED  FOR  THE  PURPOSES  OF
 MARKETING,   SOLICITATION,  OR  DISSEMINATION  OF  INFORMATION  RELATED,
 DIRECTLY OR INDIRECTLY, TO GOODS OR SERVICES  PROVIDED  BY  THE  DIGITAL
 ADVERTISER OR A THIRD PARTY.
   13.  "GEOFENCING"  MEANS  A  TECHNOLOGY  THAT  USES GLOBAL POSITIONING
 SYSTEM  COORDINATES,  CELL  TOWER  CONNECTIVITY,  CELLULAR  DATA,  RADIO
 FREQUENCY  IDENTIFICATION,  WI-FI DATA AND/OR ANY OTHER FORM OF LOCATION
 DETECTION, TO ESTABLISH  A  VIRTUAL  BOUNDARY  OR  "GEOFENCE"  AROUND  A
 S. 158                              3
 
 PARTICULAR  LOCATION  THAT  ALLOWS  A  DIGITAL  ADVERTISER  TO TRACK THE
 LOCATION OF AN  INDIVIDUAL  USER  AND  ELECTRONICALLY  DELIVER  TARGETED
 DIGITAL  ADVERTISEMENTS  DIRECTLY TO SUCH USER'S MOBILE DEVICE UPON SUCH
 USER'S ENTRY INTO THE GEOFENCED AREA.
   §  1101.  ELECTRONIC HEALTH PRODUCTS AND SERVICES; PRIVACY. 1.  (A) IT
 SHALL BE UNLAWFUL FOR A COVERED ORGANIZATION TO ENGAGE IN DATA  PROCESS-
 ING, GEOFENCING, OR DATA BROKERING UNLESS:
   (I) THE USER TO WHOM THE INFORMATION OR DATA PERTAINS HAS GIVEN AFFIR-
 MATIVE  EXPRESS  CONSENT  TO  SUCH  DATA  PROCESSING AND IF SUCH COVERED
 ORGANIZATION WILL BROKER USER DATA, THE USER  MUST  ALSO  GIVE  SEPARATE
 AFFIRMATIVE CONSENT TO SUCH DATA BROKERING; AND
   (II)  SUCH  DATA PROCESSING, GEOFENCING OR DATA BROKERING, IS STRICTLY
 NECESSARY AND FOR THE PURPOSE OF:
   (A) PROTECTING AGAINST MALICIOUS, FRAUDULENT, OR ILLEGAL ACTIVITY;
   (B) DETECTING, RESPONDING TO,  OR  PREVENTING  SECURITY  INCIDENTS  OR
 THREATS; OR
   (C) COMPLYING WITH A COURT ORDER ISSUED TO THE COVERED ORGANIZATION.
   (B)  THE GENERAL NATURE OF ANY DATA PROCESSING OR DATA BROKERING SHALL
 BE CONVEYED BY THE COVERED ORGANIZATION IN CLEAR AND PROMINENT TERMS  IN
 SUCH  A  WAY  THAT AN ORDINARY CONSUMER WOULD NOTICE AND UNDERSTAND SUCH
 TERMS.
   (C) A USER MAY CONSENT TO DATA PROCESSING OR DATA BROKERING ON  BEHALF
 OF HIS OR HER DEPENDENT MINORS.
   (D)  A COVERED ORGANIZATION SHALL PROVIDE AN EFFECTIVE MECHANISM FOR A
 USER TO REVOKE THEIR CONSENT AFTER IT IS GIVEN.  AFTER  A  USER  REVOKES
 THEIR  CONSENT, THE COVERED ORGANIZATION SHALL CEASE ALL DATA PROCESSING
 AND DATA BROKERING OF SUCH USER'S PERSONAL HEALTH INFORMATION  OR  OTHER
 DATA  AS SOON AS PRACTICABLE, BUT NOT LATER THAN FIFTEEN DAYS AFTER SUCH
 USER REVOKES SUCH CONSENT.
   2. IN ORDER TO OBTAIN CONSENT IN COMPLIANCE WITH  SUBDIVISION  ONE  OF
 THIS SECTION, A COVERED ORGANIZATION OFFERING AN ELECTRONIC HEALTH PROD-
 UCT OR SERVICE SHALL:
   (A)  DISCLOSE  TO  THE  USER  ALL  DATA,  PERSONAL HEALTH INFORMATION,
 LOCATION DATA, AND OTHER PERSONAL DATA SUCH ELECTRONIC HEALTH PRODUCT OR
 SERVICE WILL COLLECT FROM THE USER UPON OBTAINING CONSENT;
   (B) DISCLOSE TO THE USER ALL  THIRD  PARTIES  WITH  WHOM  SUCH  USER'S
 PERSONAL  HEALTH INFORMATION OR OTHER PERSONAL DATA MAY BE SHARED BY THE
 ELECTRONIC HEALTH PRODUCT OR SERVICE UPON OBTAINING CONSENT;
   (C) DISCLOSE TO THE USER  THE  PURPOSE  FOR  COLLECTING  ANY  PERSONAL
 HEALTH INFORMATION OR OTHER PERSONAL DATA; AND
   (D) ALLOW THE USER TO WITHDRAW CONSENT AT ANY TIME.
   3.  NO ELECTRONIC HEALTH PRODUCT OR SERVICE SHALL COLLECT ANY PERSONAL
 HEALTH INFORMATION OR OTHER  PERSONAL  DATA  BEYOND  WHICH  A  USER  HAS
 SPECIFICALLY  CONSENTED  TO SHARE WITH SUCH ELECTRONIC HEALTH PRODUCT OR
 SERVICE UNDER SUBDIVISION ONE OF THIS SECTION.
   4. (A) AN ELECTRONIC HEALTH PRODUCT OR SERVICE SHALL DELETE OR  OTHER-
 WISE  DESTROY  ANY  PERSONAL  HEALTH  INFORMATION OR OTHER PERSONAL DATA
 COLLECTED FROM A USER IMMEDIATELY UPON SUCH USER'S  REQUEST,  WITHDRAWAL
 OF CONSENT; OR UPON SUCH USER'S DEACTIVATION OF HIS OR HER ACCOUNT.
   (B)  A  COVERED  ORGANIZATION  THAT  COLLECTS A USER'S PERSONAL HEALTH
 INFORMATION OR OTHER DATA SHALL LIMIT ITS COLLECTION AND SHARING OF THAT
 INFORMATION WITH THIRD PARTIES TO WHAT IS STRICTLY NECESSARY TO  PROVIDE
 A SERVICE OR CONDUCT AN ACTIVITY THAT A USER HAS REQUESTED OR IS STRICT-
 LY NECESSARY FOR SECURITY OR FRAUD PREVENTION.
   (C)  A  COVERED  ORGANIZATION  THAT  COLLECTS A USER'S PERSONAL HEALTH
 INFORMATION OR OTHER DATA SHALL LIMIT ITS  USE  AND  RETENTION  OF  SUCH
 S. 158                              4
 
 INFORMATION  TO  WHAT  IS  REASONABLY  NECESSARY TO PROVIDE A SERVICE OR
 CONDUCT AN ACTIVITY THAT A USER HAS REQUESTED OR A  RELATED  OPERATIONAL
 PURPOSE,  PROVIDED  THAT  INFORMATION  COLLECTED  OR RETAINED SOLELY FOR
 SECURITY OR FRAUD PREVENTION MAY NOT BE USED FOR OPERATIONAL PURPOSES.
   5.  A  COVERED  ORGANIZATION  SHALL  NOT  DISCRIMINATE  AGAINST A USER
 BECAUSE THE USER EXERCISED ANY OF THE USER'S RIGHTS UNDER THIS TITLE, OR
 DID NOT AGREE TO  INFORMATION  PROCESSING  FOR  A  SEPARATE  PRODUCT  OR
 SERVICE, INCLUDING, BUT NOT LIMITED TO, BY:
   (A) DENYING GOODS OR SERVICES TO THE USER.
   (B)  CHARGING DIFFERENT PRICES OR RATES FOR GOODS OR SERVICES, INCLUD-
 ING THROUGH THE USE OF DISCOUNTS OR OTHER BENEFITS  OR  IMPOSING  PENAL-
 TIES.
   (C) PROVIDING A DIFFERENT LEVEL OR QUALITY OF GOODS OR SERVICES TO THE
 USER.
   (D)  SUGGESTING  THAT  THE  CONSUMER WILL RECEIVE A DIFFERENT PRICE OR
 RATE FOR GOODS OR SERVICES OR A DIFFERENT LEVEL OR QUALITY OF  GOODS  OR
 SERVICES.
   6.  A  COVERED  ORGANIZATION  SHALL  IMPLEMENT AND MAINTAIN REASONABLE
 SECURITY PROCEDURES AND PRACTICES, INCLUDING  ADMINISTRATIVE,  PHYSICAL,
 AND  TECHNICAL  SAFEGUARDS, APPROPRIATE TO THE NATURE OF THE INFORMATION
 AND THE PURPOSES FOR WHICH THE PERSONAL HEALTH INFORMATION OR OTHER DATA
 WILL BE USED, TO PROTECT CONSUMERS' PERSONAL HEALTH INFORMATION OR OTHER
 DATA FROM UNAUTHORIZED USE, DISCLOSURE, ACCESS, DESTRUCTION, OR  MODIFI-
 CATION.
   7.  (A)  IT SHALL BE UNLAWFUL FOR ANY PERSON, CORPORATION, PARTNERSHIP
 OR ASSOCIATION TO DELIVER BY ELECTRONIC MEANS ANY DIGITAL  ADVERTISEMENT
 TO  A  USER THROUGH THE USE OF GEOFENCING AT ANY HEALTH CARE FACILITY AS
 DEFINED IN SUBDIVISION ONE OF THIS SECTION.
   (B) IT SHALL BE UNLAWFUL FOR ANY PERSON, CORPORATION,  PARTNERSHIP  OR
 ASSOCIATION  TO  ESTABLISH  A GEOFENCE OR SIMILAR VIRTUAL BOUNDARY IN OR
 AROUND ANY HEALTH CARE FACILITY FOR THE PURPOSE OF DELIVERING  BY  ELEC-
 TRONIC  MEANS  A DIGITAL ADVERTISEMENT TO A USER WITHIN SUCH HEALTH CARE
 FACILITY.
   § 1102. PRIVATE RIGHT OF ACTION. 1. ANY PERSON WHO HAS BEEN INJURED BY
 REASON OF A VIOLATION OF THIS ARTICLE MAY BRING AN ACTION IN HIS OR  HER
 OWN  NAME, OR IN THE NAME OF HIS OR HER MINOR CHILD, TO SEEK DECLARATORY
 RELIEF, TO ENJOIN SUCH UNLAWFUL  ACT,  TO  RECOVER  HIS  OR  HER  ACTUAL
 DAMAGES, TO SEEK STATUTORY DAMAGES AS PROVIDED PURSUANT TO THIS SECTION,
 OR  ANY  COMBINATION  OF  SUCH  ACTIONS.  ANY  VIOLATION OF THIS ARTICLE
 CONSTITUTES AN INJURY-IN-FACT AND A HARM TO ANY AFFECTED INDIVIDUAL. THE
 COURT SHALL AWARD REASONABLE ATTORNEY'S FEES TO A PREVAILING PLAINTIFF.
   2. ANY COVERED ORGANIZATION THAT VIOLATES THIS ARTICLE IS  SUBJECT  TO
 DECLARATORY  JUDGMENT,  AN INJUNCTION AND LIABLE FOR DAMAGES AND A CIVIL
 PENALTY. WHEN CALCULATING DAMAGES AND CIVIL PENALTIES, THE  COURT  SHALL
 CONSIDER  THE  NUMBER  OF  AFFECTED  INDIVIDUALS,  THE  SEVERITY  OF THE
 VIOLATION, AND THE SIZE AND REVENUES OF THE COVERED ORGANIZATION.  ADDI-
 TIONALLY,  STATUTORY  DAMAGES  SHALL  BE  AWARDED  IN THE AMOUNT OF FIVE
 HUNDRED DOLLARS PER VIOLATION. EACH INDIVIDUAL WHOSE DATA WAS UNLAWFULLY
 PROCESSED COUNTS AS A SEPARATE VIOLATION. EACH PROVISION OF THIS ARTICLE
 THAT WAS VIOLATED COUNTS AS A SEPARATE VIOLATION.
   § 1103. ACTIONS THAT ARE HIPAA  COMPLIANT.  NOTHING  IN  THIS  ARTICLE
 SHALL  PROHIBIT  ANY ACTION TAKEN WITH RESPECT TO THE HEALTH INFORMATION
 OF AN INDIVIDUAL BY A DATA  BROKER  THAT  IS  A  BUSINESS  ASSOCIATE  OR
 COVERED  ORGANIZATION  THAT IS PERMISSIBLE UNDER THE FEDERAL REGULATIONS
 CONCERNING STANDARDS FOR PRIVACY  OF  INDIVIDUALLY  IDENTIFIABLE  HEALTH
 S. 158                              5
 
 INFORMATION  PROMULGATED  UNDER  SECTION  264(C) OF THE HEALTH INSURANCE
 PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (42 U.S.C. 1320D- 20 2 NOTE).
   §  2.  Severability.  If any clause, sentence, paragraph, subdivision,
 section or part of this act shall be adjudged by any court of  competent
 jurisdiction  to  be invalid, such judgment shall not affect, impair, or
 invalidate the remainder thereof, but shall be confined in its operation
 to the clause, sentence, paragraph, subdivision, section or part thereof
 directly involved in the controversy in which such judgment  shall  have
 been rendered. It is hereby declared to be the intent of the legislature
 that  this  act  would have been enacted even if such invalid provisions
 had not been included herein.
   § 3. This act shall take effect on the sixtieth  day  after  it  shall
 have become a law.

co-Sponsors

2023-S158A - Details

Law Section:: General Business Law
Laws Affected:: Add Art 42 §§1100 - 1103, Gen Bus L
Versions Introduced in 2025-2026 Legislative Session:: S929

2023-S158A - Summary

2023-S158A - Sponsor Memo

                                 
BILL NUMBER: S158A

SPONSOR: KRUEGER
 
TITLE OF BILL:

An act to amend the general business law, in relation to providing for
the protection of health information

 
PURPOSE OR GENERAL IDEA OF BILL:

This bill would govern companies that collect and sell healthcare infor-
mation, and provides additional rights and protections to users related
to the sale and of their private health information.

 
SUMMARY OF SPECIFIC PROVISIONS:

Section one creates article 42 to the General Business Law to govern the
collection of data for electronic health products and services.

Section 1100 creates various definitions that will be used in the rest
of the bill.

Section 1101 regulates how regulated entities shall communicate their
data collection policies to users and the need for consent from the
user.

Section for 1102 regulates the collection of data and what the data can
be used for.

Section 1103 explains the users rights and extent of control over their
personal health information.

Section have 1104 regulates the level of security that regulated enti-
ties must have.

Section 1105 regulates service providers that process data on behalf of
aregulated entity

Section 1106 provides for exemptions from this bill

Section 1107 creates an enforcement mechanism.

Section 2. Severability

Section 3. Effective Date

 
JUSTIFICATION:

Most residents of the State are under the impression that HIPAA protects
them and their health data from being accessed by third-parties and sold
by and to other organizations. Residents are generally unaware that
their technology is constantly tracking their movements, and geolocation
data is being sold to companies for the purposes of targeted advertise-
ments or tracking. Most users also do not have an understanding of how
much information is being collected, stored, and sold for the benefit of
third-parties. For example, a mobile app to track menstruation cycles
was recently caught selling users' data to antiabortion advocacy organ-
izations.

This bill creates a legal framework for residents to reclaim and retain
control of their healthcare information. Electronic apps or websites
that are designed to provide a diagnosis or retain health information
will be required to receive affirmative consent by the user to retain
such information and would need separate consent to sell such informa-
tion to third-parties.

 
PRIOR LEGISLATIVE HISTORY:

2022: S.9599 - Referred to Rules

 
FISCAL IMPLICATIONS:

None to the State.

 
EFFECTIVE DATE:
This act shall take effect on July 1,2024.

2023-S158A - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                  158--A
     Cal. No. 429
 
                        2023-2024 Regular Sessions
 
                             I N  S E N A T E
 
                                (PREFILED)
 
                              January 4, 2023
                                ___________
 
 Introduced  by  Sens.  KRUEGER,  COMRIE,  HINCHEY, HOYLMAN-SIGAL -- read
   twice and ordered printed, and when printed to  be  committed  to  the
   Committee  on  Internet and Technology -- reported favorably from said
   committee, ordered to first and second  report,  ordered  to  a  third
   reading,  amended  and  ordered  reprinted, retaining its place in the
   order of third reading
 
 AN ACT to amend the general business law, in relation to  providing  for
   the protection of health information
 
   THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. The general business law is amended by adding a new article
 42 to read as follows:
                                ARTICLE 42
                  NEW YORK HEALTH INFORMATION PRIVACY ACT
 SECTION 1100. DEFINITIONS.
         1101. REQUIREMENTS FOR COMMUNICATIONS TO INDIVIDUALS.
         1102. LAWFULNESS OF PROCESSING REGULATED HEALTH INFORMATION.
         1103. INDIVIDUAL RIGHTS.
         1104. SECURITY.
         1105. SERVICE PROVIDERS.
         1106. EXEMPTIONS.
         1107. ENFORCEMENT.
   § 1100. DEFINITIONS. AS USED IN  THIS  ARTICLE,  THE  FOLLOWING  TERMS
 SHALL HAVE THE FOLLOWING MEANINGS:
   1. "DEIDENTIFIED INFORMATION" MEANS INFORMATION THAT CANNOT REASONABLY
 BE  USED TO INFER INFORMATION ABOUT, OR OTHERWISE BE LINKED TO A PARTIC-
 ULAR INDIVIDUAL, HOUSEHOLD, OR DEVICE, PROVIDED THAT THE REGULATED ENTI-
 TY OR SERVICE PROVIDER THAT PROCESSES THE INFORMATION:
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD01105-04-3

 S. 158--A                           2
 
   (A) IMPLEMENTS REASONABLE TECHNICAL  SAFEGUARDS  TO  ENSURE  THAT  THE
 INFORMATION  CANNOT  BE  ASSOCIATED  WITH  AN  INDIVIDUAL, HOUSEHOLD, OR
 DEVICE;
   (B)  PUBLICLY  COMMITS TO PROCESS THE INFORMATION ONLY AS DEIDENTIFIED
 INFORMATION AND NOT ATTEMPT TO REIDENTIFY THE INFORMATION,  EXCEPT  THAT
 THE  REGULATED  ENTITY OR SERVICE PROVIDER MAY ATTEMPT TO REIDENTIFY THE
 INFORMATION SOLELY FOR THE PURPOSE OF DETERMINING  WHETHER  ITS  DEIDEN-
 TIFICATION PROCESSES SATISFY THE REQUIREMENTS OF THIS SECTION; AND
   (C) CONTRACTUALLY OBLIGATES ANY RECIPIENT OF THE DEIDENTIFIED INFORMA-
 TION TO COMPLY WITH ALL REQUIREMENTS OF THIS SECTION.
   2.  "REGULATED  HEALTH INFORMATION" MEANS ANY INFORMATION THAT RELATES
 TO AN INDIVIDUAL OR A DEVICE THAT IS REASONABLY LINKABLE TO AN  INDIVID-
 UAL OR INDIVIDUALS IN CONNECTION WITH PHYSICAL OR MENTAL HEALTH. FOR THE
 AVOIDANCE  OF  DOUBT, LOCATION OR PAYMENT INFORMATION THAT RELATES TO AN
 INDIVIDUAL'S PHYSICAL OR MENTAL HEALTH OR ANY INFERENCE DRAWN OR DERIVED
 DATA ABOUT AN INDIVIDUAL OR A DEVICE THAT IS REASONABLY LINKABLE  TO  AN
 INDIVIDUAL  OR  INDIVIDUALS THAT RELATES TO PHYSICAL OR MENTAL HEALTH IS
 REGULATED HEALTH INFORMATION.  REGULATED  HEALTH  INFORMATION  DOES  NOT
 INCLUDE DEIDENTIFIED INFORMATION.
   3.  "PROCESS"  OR "PROCESSING" MEANS AN OPERATION OR SET OF OPERATIONS
 PERFORMED ON REGULATED HEALTH INFORMATION, INCLUDING BUT NOT LIMITED  TO
 THE  COLLECTION,  USE,  ACCESS,  SHARING,  SALE, MONETIZATION, ANALYSIS,
 RETENTION, CREATION, GENERATION,  DERIVATION,  RECORDING,  ORGANIZATION,
 STRUCTURING,  STORAGE,  DISCLOSURE,  TRANSMISSION,  DISPOSAL, LICENSING,
 DESTRUCTION, DELETION, MODIFICATION, OR  DEIDENTIFICATION  OF  REGULATED
 HEALTH INFORMATION.
   4.  "REGULATED ENTITY" MEANS ANY ENTITY THAT (A) CONTROLS THE PROCESS-
 ING OF REGULATED HEALTH INFORMATION OF AN INDIVIDUAL WHO IS A  NEW  YORK
 RESIDENT, (B) CONTROLS THE PROCESSING OF REGULATED HEALTH INFORMATION OF
 AN  INDIVIDUAL WHO IS PHYSICALLY PRESENT IN NEW YORK WHILE THAT INDIVID-
 UAL IS IN NEW YORK, OR (C) IS LOCATED IN NEW YORK AND CONTROLS THE PROC-
 ESSING OF REGULATED HEALTH INFORMATION OF  AN  INDIVIDUAL.  A  REGULATED
 ENTITY  MAY  ALSO  BE  A  SERVICE PROVIDER DEPENDING UPON THE CONTEXT IN
 WHICH REGULATED HEALTH INFORMATION IS PROCESSED.
   5. "SELL" MEANS TO SHARE REGULATED HEALTH INFORMATION FOR MONETARY  OR
 OTHER  VALUABLE  CONSIDERATION.  SELLING DOES NOT INCLUDE THE SHARING OF
 REGULATED HEALTH INFORMATION FOR MONETARY OR  OTHER  VALUABLE  CONSIDER-
 ATION  TO  A  THIRD PARTY AS AN ASSET THAT IS PART OF A MERGER, ACQUISI-
 TION, BANKRUPTCY, OR OTHER TRANSACTION IN WHICH THE THIRD PARTY  ASSUMES
 CONTROL OF ALL OR PART OF THE REGULATED ENTITY'S ASSETS.
   6.  "SERVICE PROVIDER" MEANS ANY PERSON OR ENTITY THAT PROCESSES REGU-
 LATED HEALTH INFORMATION ON BEHALF OF  A  REGULATED  ENTITY.  A  SERVICE
 PROVIDER  MAY  ALSO  BE A REGULATED ENTITY DEPENDING UPON THE CONTEXT IN
 WHICH REGULATED HEALTH INFORMATION IS PROCESSED.
   7. "THIRD PARTY" MEANS A PERSON OR ENTITY OTHER THAN  THE  INDIVIDUAL,
 REGULATED  ENTITY,  OR  SERVICE  PROVIDER  INVOLVED  IN A TRANSACTION OR
 OCCURRENCE THAT INVOLVES REGULATED HEALTH INFORMATION. A THIRD PARTY MAY
 ALSO BE A REGULATED  ENTITY  OR  SERVICE  PROVIDER  DEPENDING  UPON  THE
 CONTEXT IN WHICH REGULATED HEALTH INFORMATION IS PROCESSED.
   §  1101.  REQUIREMENTS FOR COMMUNICATIONS TO INDIVIDUALS. ALL NOTICES,
 DISCLOSURES, FORMS, AND OTHER  COMMUNICATIONS  TO  INDIVIDUALS  PROVIDED
 PURSUANT TO THIS ARTICLE SHALL COMPLY WITH THE FOLLOWING:
   1.  IN  GENERAL,  ALL  COMMUNICATIONS SHALL USE PLAIN, STRAIGHTFORWARD
 LANGUAGE, AVOIDING TECHNICAL OR  LEGAL  JARGON,  AND  MUST  BE  PROVIDED
 THROUGH  AN  INTERFACE  REGULARLY USED IN CONJUNCTION WITH THE REGULATED
 ENTITY'S PRODUCT OR SERVICE.
 S. 158--A                           3
 
   2. ALL COMMUNICATIONS SHALL BE REASONABLY  ACCESSIBLE  TO  INDIVIDUALS
 WITH DISABILITIES, INCLUDING BY:
   (A) UTILIZING DIGITAL ACCESSIBILITY TOOLS;
   (B)  FOR  NOTICES, COMPLYING WITH GENERALLY RECOGNIZED INDUSTRY STAND-
 ARDS, INCLUDING, BUT NOT  LIMITED  TO,  THE  WEB  CONTENT  ACCESSIBILITY
 GUIDELINES,  VERSION 2.1 OF JUNE 5, 2018, FROM THE WORLD WEB CONSORTIUM,
 INCORPORATED HEREIN BY REFERENCE; AND
   (C) FOR OTHER COMMUNICATIONS, PROVIDING INFORMATION ABOUT HOW AN INDI-
 VIDUAL WITH A DISABILITY MAY ACCESS THE COMMUNICATION IN AN  ALTERNATIVE
 FORMAT.
   3. ALL COMMUNICATIONS SHALL BE AVAILABLE IN THE LANGUAGES IN WHICH THE
 REGULATED  ENTITY PROVIDES INFORMATION VIA ITS WEBSITE AND SERVICES. ANY
 DIRECT COMMUNICATION TO AN INDIVIDUAL SHALL BE PROVIDED IN THE  LANGUAGE
 IN  WHICH  THE INDIVIDUAL ORDINARILY INTERACTS WITH THE REGULATED ENTITY
 OR ITS SERVICE PROVIDER.
   4. A REGULATED ENTITY SHALL MAKE ANY NOTICE FOR PROCESSING PURSUANT TO
 A PERMISSIBLE PURPOSE, PURSUANT TO SUBPARAGRAPH (II) OF PARAGRAPH (B) OF
 SUBDIVISION ONE OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE,  OR  FORM
 FOR  PROCESSING  PURSUANT TO AUTHORIZATION, PURSUANT TO SUBPARAGRAPH (I)
 OF PARAGRAPH (B) OF SUBDIVISION ONE OF SECTION  ELEVEN  HUNDRED  TWO  OF
 THIS  ARTICLE,  PUBLICLY  AVAILABLE  ON ITS WEBSITE. IF AN AUTHORIZATION
 FORM IS CUSTOMIZED FOR EACH INDIVIDUAL, THE REGULATED ENTITY MAY INSTEAD
 PUBLICLY POST A SAMPLE AUTHORIZATION FORM ON ITS WEBSITE.
   § 1102. LAWFULNESS OF PROCESSING REGULATED HEALTH INFORMATION.  1.  IN
 GENERAL, IT SHALL BE UNLAWFUL FOR A REGULATED ENTITY TO:
   (A)  SELL  AN  INDIVIDUAL'S  REGULATED  HEALTH  INFORMATION TO A THIRD
 PARTY; OR
   (B) OTHERWISE PROCESS AN  INDIVIDUAL'S  REGULATED  HEALTH  INFORMATION
 UNLESS:
   (I)  THE INDIVIDUAL HAS PROVIDED VALID AUTHORIZATION FOR SUCH PROCESS-
 ING; OR
   (II) PROCESSING OF AN INDIVIDUAL'S  REGULATED  HEALTH  INFORMATION  IS
 STRICTLY NECESSARY FOR THE PURPOSE OF:
   (A) PROVIDING A PRODUCT OR SERVICE REQUESTED BY SUCH INDIVIDUAL;
   (B)  CONDUCTING  THE  REGULATED ENTITY'S INTERNAL BUSINESS OPERATIONS,
 WHICH EXCLUDE ANY ACTIVITIES RELATED TO MARKETING, ADVERTISING, RESEARCH
 AND DEVELOPMENT, OR PROVIDING PRODUCTS OR SERVICES TO THIRD PARTIES;
   (C) PROTECTING AGAINST MALICIOUS, FRAUDULENT, OR ILLEGAL ACTIVITY;
   (D) DETECTING, RESPONDING TO,  OR  PREVENTING  SECURITY  INCIDENTS  OR
 THREATS;
   (E)  PROTECTING  THE  VITAL  INTERESTS  OF AN INDIVIDUAL OR THE PUBLIC
 INTEREST IN THE AREA OF PUBLIC HEALTH;
   (F) INVESTIGATING, ESTABLISHING, EXERCISING, PREPARING FOR, OR DEFEND-
 ING LEGAL CLAIMS; OR
   (G) COMPLYING WITH THE REGULATED ENTITY'S LEGAL OBLIGATIONS.
   2. A REGULATED ENTITY  THAT  PROCESSES  REGULATED  HEALTH  INFORMATION
 PURSUANT TO VALID AUTHORIZATION AS REQUIRED BY SUBPARAGRAPH (I) OF PARA-
 GRAPH  (B)  OF  SUBDIVISION  ONE  OF  THIS SECTION SHALL COMPLY WITH THE
 FOLLOWING:
   (A) A REQUEST FOR AUTHORIZATION TO PROCESS AN  INDIVIDUAL'S  REGULATED
 HEALTH INFORMATION SHALL:
   (I)  BE MADE SEPARATELY FROM ANY OTHER TRANSACTION OR PART OF A TRANS-
 ACTION;
   (II) BE MADE AT LEAST TWENTY-FOUR HOURS AFTER AN INDIVIDUAL CREATES AN
 ACCOUNT OR FIRST USES THE REQUESTED PRODUCT OR SERVICE;
 S. 158--A                           4
 
   (III) BE MADE IN THE ABSENCE OF ANY MECHANISM THAT HAS THE PURPOSE  OR
 SUBSTANTIAL  EFFECT  OF  OBSCURING, SUBVERTING, OR IMPAIRING AN INDIVID-
 UAL'S DECISION-MAKING REGARDING AUTHORIZATION FOR PROCESSING;
   (IV) IF REQUESTING AUTHORIZATION FOR MULTIPLE CATEGORIES OF PROCESSING
 ACTIVITIES, ALLOW THE INDIVIDUAL TO PROVIDE/WITHHOLD AUTHORIZATION SEPA-
 RATELY FOR EACH CATEGORY OF PROCESSING ACTIVITY; AND
   (V)  NOT INCLUDE ANY REQUEST FOR AUTHORIZATION FOR A PROCESSING ACTIV-
 ITY FOR WHICH AN INDIVIDUAL HAS WITHHELD OR REVOKED AUTHORIZATION WITHIN
 THE PAST CALENDAR YEAR.
   (B) A VALID AUTHORIZATION SHALL INCLUDE:
   (I) THE TYPES OF REGULATED HEALTH INFORMATION TO BE PROCESSED;
   (II) THE NATURE OF THE PROCESSING ACTIVITY;
   (III) THE SPECIFIC PURPOSES FOR SUCH PROCESSING;
   (IV) THE NAMES WHERE  READILY  AVAILABLE,  OR  CATEGORIES  OF  SERVICE
 PROVIDERS  AND  THIRD PARTIES TO WHICH THE REGULATED ENTITY MAY DISCLOSE
 THE INDIVIDUAL'S REGULATED HEALTH INFORMATION AND THE PURPOSES FOR  SUCH
 DISCLOSURE, INCLUDING THE CIRCUMSTANCES UNDER WHICH THE REGULATED ENTITY
 MAY DISCLOSE REGULATED HEALTH INFORMATION TO LAW ENFORCEMENT;
   (V)  ANY MONETARY OR OTHER VALUABLE CONSIDERATION THE REGULATED ENTITY
 MAY RECEIVE IN CONNECTION WITH  PROCESSING  THE  INDIVIDUAL'S  REGULATED
 HEALTH INFORMATION, WHERE APPLICABLE;
   (VI)  THAT  FAILING TO PROVIDE AUTHORIZATION WILL NOT AFFECT THE INDI-
 VIDUAL'S  EXPERIENCE  OF  USING  THE  REGULATED  ENTITY'S  PRODUCTS   OR
 SERVICES;
   (VII) THE EXPIRATION DATE OF THE AUTHORIZATION, WHICH MAY BE UP TO ONE
 YEAR FROM THE DATE AUTHORIZATION WAS PROVIDED;
   (VIII)  THE MECHANISM BY WHICH THE INDIVIDUAL MAY REVOKE AUTHORIZATION
 PRIOR TO EXPIRATION;
   (IX) THE MECHANISM BY WHICH THE INDIVIDUAL MAY REQUEST ACCESS  TO  AND
 DELETION OF THEIR REGULATED HEALTH INFORMATION;
   (X)  ANY OTHER INFORMATION MATERIAL TO AN INDIVIDUAL'S DECISION-MAKING
 REGARDING AUTHORIZATION FOR PROCESSING; AND
   (XI) THE SIGNATURE, WHICH MAY BE ELECTRONIC, OF THE INDIVIDUAL WHO  IS
 THE SUBJECT OF THE REGULATED HEALTH INFORMATION, OR A PARENT OR GUARDIAN
 AUTHORIZED  BY LAW TO TAKE ACTIONS OF LEGAL CONSEQUENCE ON BEHALF OF THE
 INDIVIDUAL WHO IS THE SUBJECT OF THE REGULATED HEALTH  INFORMATION,  AND
 THE DATE.
   (C)  (I) A REGULATED ENTITY THAT RECEIVES AUTHORIZATION FOR PROCESSING
 SHALL PROVIDE AN EFFECTIVE,  EFFICIENT,  AND  EASY-TO-USE  MECHANISM  BY
 WHICH  AN  INDIVIDUAL  MAY  REVOKE  AUTHORIZATION AT ANY TIME THROUGH AN
 INTERFACE REGULARLY USED IN  CONJUNCTION  WITH  THE  REGULATED  ENTITY'S
 PRODUCT OR SERVICE.
   (II)  UPON  AN INDIVIDUAL'S REVOCATION OF AUTHORIZATION, THE REGULATED
 ENTITY SHALL IMMEDIATELY  CEASE  ALL  PROCESSING  ACTIVITIES  FOR  WHICH
 AUTHORIZATION WAS REVOKED, EXCEPT TO THE EXTENT NECESSARY TO COMPLY WITH
 THE REGULATED ENTITY'S LEGAL OBLIGATIONS.
   (III)  FOR  INDIVIDUALS  WHO HAVE AN ONLINE ACCOUNT WITH THE REGULATED
 ENTITY, THE REGULATED ENTITY MUST PROVIDE, IN A CONSPICUOUS  AND  EASILY
 ACCESSIBLE  PLACE  WITHIN THE ACCOUNT SETTINGS, A LIST OF ALL PROCESSING
 ACTIVITIES FOR WHICH THE INDIVIDUAL HAS PROVIDED AUTHORIZATION AND,  FOR
 EACH  PROCESSING  ACTIVITY, ALLOW THE INDIVIDUAL TO REVOKE AUTHORIZATION
 IN THE SAME PLACE WITH ONE MOTION OR ACTION.
   (D) UPON OBTAINING VALID AUTHORIZATION FROM AN INDIVIDUAL,  THE  REGU-
 LATED  ENTITY SHALL PROVIDE THAT INDIVIDUAL A COPY OF THE AUTHORIZATION.
 THE AUTHORIZATION SHALL BE PROVIDED IN A MANNER THAT IS CAPABLE OF BEING
 RETAINED BY THE INDIVIDUAL.
 S. 158--A                           5
 
   (E) THE REGULATED ENTITY SHALL LIMIT ITS PROCESSING TO WHAT WAS CLEAR-
 LY DISCLOSED TO AN INDIVIDUAL PURSUANT TO PARAGRAPH (B) OF THIS SUBDIVI-
 SION WHEN THE REGULATED ENTITY RECEIVED AUTHORIZATION FROM THE  INDIVID-
 UAL.
   (F)  IF  THE REGULATED ENTITY SEEKS TO MATERIALLY ALTER ITS PROCESSING
 ACTIVITIES  FOR  REGULATED  HEALTH  INFORMATION  COLLECTED  PURSUANT  TO
 AUTHORIZATION, THE REGULATED ENTITY SHALL OBTAIN A NEW AUTHORIZATION FOR
 THE NEW OR ALTERED PROCESSING ACTIVITY.
   (G) PROVIDING A PRODUCT OR SERVICE REQUESTED BY AN INDIVIDUAL MUST NOT
 BE MADE CONTINGENT ON PROVIDING AUTHORIZATION. THE REGULATED ENTITY MUST
 NOT  DISCRIMINATE  AGAINST  AN INDIVIDUAL FOR WITHHOLDING AUTHORIZATION,
 SUCH AS BY CHARGING DIFFERENT PRICES OR RATES FOR PRODUCTS OR  SERVICES,
 INCLUDING  THROUGH  THE  USE  OF  DISCOUNTS  OR OTHER BENEFITS, IMPOSING
 PENALTIES, OR PROVIDING A DIFFERENT LEVEL  OR  QUALITY  OF  SERVICES  OR
 GOODS TO THE INDIVIDUAL.
   3.  A  REGULATED  ENTITY  THAT  PROCESSES REGULATED HEALTH INFORMATION
 PURSUANT TO A PERMISSIBLE PURPOSE PURSUANT TO SUBPARAGRAPH (II) OF PARA-
 GRAPH (B) OF SUBDIVISION ONE OF  THIS  SECTION  SHALL  COMPLY  WITH  THE
 FOLLOWING:
   (A) A REGULATED ENTITY SHALL PROVIDE CLEAR AND CONSPICUOUS NOTICE THAT
 DESCRIBES:
   (I) THE TYPES OF REGULATED HEALTH INFORMATION TO BE PROCESSED;
   (II) THE NATURE OF THE PROCESSING ACTIVITY;
   (III) THE SPECIFIC PURPOSES FOR SUCH PROCESSING;
   (IV)  THE  NAMES  WHERE  READILY  AVAILABLE,  OR CATEGORIES OF SERVICE
 PROVIDERS AND THIRD PARTIES TO WHICH THE REGULATED ENTITY  MAY  DISCLOSE
 THE  INDIVIDUAL'S REGULATED HEALTH INFORMATION AND THE PURPOSES FOR SUCH
 DISCLOSURE, INCLUDING THE CIRCUMSTANCES UNDER WHICH THE REGULATED ENTITY
 MAY DISCLOSE REGULATED HEALTH INFORMATION TO LAW ENFORCEMENT; AND
   (V) THE MECHANISM BY WHICH THE INDIVIDUAL MAY REQUEST  ACCESS  TO  AND
 DELETION OF THEIR REGULATED HEALTH INFORMATION.
   (B)  IF  THE  REGULATED ENTITY MATERIALLY ALTERS ITS PROCESSING ACTIV-
 ITIES FOR REGULATED HEALTH INFORMATION COLLECTED PURSUANT TO A PERMISSI-
 BLE PURPOSE, THE REGULATED ENTITY MUST PROVIDE A CLEAR  AND  CONSPICUOUS
 NOTICE  IN  PLAIN  LANGUAGE,  SEPARATE  FROM  A PRIVACY POLICY, TERMS OF
 SERVICE, OR SIMILAR DOCUMENT, THAT DESCRIBES ANY MATERIAL CHANGES TO THE
 PROCESSING ACTIVITIES AND PROVIDE THE INDIVIDUAL WITH AN OPPORTUNITY  TO
 REQUEST DELETION OF THEIR REGULATED HEALTH INFORMATION.
   § 1103. INDIVIDUAL RIGHTS. 1. (A) A REGULATED ENTITY SHALL MAKE AVAIL-
 ABLE  AN  EFFECTIVE,  EFFICIENT,  AND  EASY-TO-USE  MECHANISM THROUGH AN
 INTERFACE REGULARLY USED IN  CONJUNCTION  WITH  THE  REGULATED  ENTITY'S
 PRODUCT  OR  SERVICE  BY WHICH AN INDIVIDUAL MAY REQUEST ACCESS TO THEIR
 REGULATED HEALTH INFORMATION.
   (B) WITHIN THIRTY DAYS OF RECEIVING AN ACCESS REQUEST,  THE  REGULATED
 ENTITY  SHALL  MAKE AVAILABLE A COPY OF ALL REGULATED HEALTH INFORMATION
 ABOUT THE INDIVIDUAL THAT THE REGULATED ENTITY MAINTAINS OR THAT SERVICE
 PROVIDERS MAINTAIN ON BEHALF OF THE REGULATED ENTITY.
   2. (A) A REGULATED ENTITY SHALL MAKE  AVAILABLE  AN  EFFECTIVE,  EFFI-
 CIENT,  AND EASY-TO-USE MECHANISM THROUGH AN INTERFACE REGULARLY USED IN
 CONJUNCTION WITH THE REGULATED ENTITY'S PRODUCT OR SERVICE BY  WHICH  AN
 INDIVIDUAL  MAY  REQUEST THE DELETION OF THEIR REGULATED HEALTH INFORMA-
 TION.
   (B) AN INDIVIDUAL'S DELETION OR CANCELLATION OF THEIR  ONLINE  ACCOUNT
 SHALL  BE  TREATED  AS  A  REQUEST  TO DELETE THE INDIVIDUAL'S REGULATED
 HEALTH INFORMATION.
 S. 158--A                           6

   (C) WITHIN THIRTY DAYS OF RECEIVING A DELETION REQUEST, THE  REGULATED
 ENTITY SHALL:
   (I)  DELETE ALL REGULATED HEALTH INFORMATION ASSOCIATED WITH THE INDI-
 VIDUAL IN THE REGULATED ENTITY'S POSSESSION OR CONTROL,  EXCEPT  TO  THE
 EXTENT  NECESSARY  TO  COMPLY  WITH  THE  REGULATED ENTITY'S LEGAL OBLI-
 GATIONS; AND
   (II) UNLESS IT PROVES IMPOSSIBLE OR INVOLVES  DISPROPORTIONATE  EFFORT
 THAT  IS DOCUMENTED IN WRITING BY THE REGULATED ENTITY, COMMUNICATE SUCH
 REQUEST TO EACH SERVICE PROVIDER OR THIRD PARTY THAT PROCESSED THE INDI-
 VIDUAL'S REGULATED HEALTH INFORMATION IN CONNECTION WITH  A  TRANSACTION
 INVOLVING  THE  REGULATED  ENTITY WITHIN ONE YEAR PRECEDING THE INDIVID-
 UAL'S REQUEST.
   (D) ANY SERVICE PROVIDER OR THIRD PARTY THAT  RECEIVES  NOTICE  OF  AN
 INDIVIDUAL'S  DELETION REQUEST SHALL WITHIN THIRTY DAYS DELETE ALL REGU-
 LATED  HEALTH  INFORMATION  ASSOCIATED  WITH  THE  INDIVIDUAL   IN   ITS
 POSSESSION OR CONTROL, EXCEPT TO THE EXTENT NECESSARY TO COMPLY WITH ITS
 LEGAL OBLIGATIONS.
   3. ANY RIGHT SET FORTH IN THIS SECTION MAY BE EXERCISED AT ANY TIME BY
 THE INDIVIDUAL WHO IS THE SUBJECT OF THE REGULATED HEALTH INFORMATION OR
 AN AGENT AUTHORIZED BY SUCH INDIVIDUAL.
   §  1104.  SECURITY.  1.  IN GENERAL, A REGULATED ENTITY SHALL DEVELOP,
 IMPLEMENT, AND MAINTAIN REASONABLE ADMINISTRATIVE, TECHNICAL, AND  PHYS-
 ICAL  SAFEGUARDS TO PROTECT THE SECURITY, CONFIDENTIALITY, AND INTEGRITY
 OF REGULATED HEALTH INFORMATION.
   2. A REGULATED ENTITY MUST SECURELY DISPOSE OF AN  INDIVIDUAL'S  REGU-
 LATED  HEALTH  INFORMATION  PURSUANT  TO  A PUBLICLY AVAILABLE RETENTION
 SCHEDULE WITHIN A REASONABLE TIME, AND IN  NO  EVENT  LATER  THAN  SIXTY
 DAYS,  AFTER  IT  IS NO LONGER NECESSARY TO MAINTAIN FOR THE PERMISSIBLE
 PURPOSE OR PURPOSES IDENTIFIED IN THE NOTICE OR FOR WHICH THE INDIVIDUAL
 PROVIDED VALID AUTHORIZATION.
   § 1105. SERVICE PROVIDERS. 1. IN GENERAL, ANY PROCESSING OF  REGULATED
 HEALTH INFORMATION BY A SERVICE PROVIDER ON BEHALF OF A REGULATED ENTITY
 SHALL  BE GOVERNED BY A WRITTEN, BINDING AGREEMENT. SUCH AGREEMENT SHALL
 CLEARLY SET FORTH INSTRUCTIONS FOR PROCESSING REGULATED HEALTH  INFORMA-
 TION,  THE NATURE AND PURPOSE OF PROCESSING, THE DURATION OF PROCESSING,
 AND THE RIGHTS AND OBLIGATIONS OF BOTH PARTIES.
   2. AN AGREEMENT PURSUANT TO SUBDIVISION  ONE  OF  THIS  SECTION  SHALL
 REQUIRE THAT THE SERVICE PROVIDER:
   (A) ENSURE THAT EACH PERSON PROCESSING REGULATED HEALTH INFORMATION IS
 SUBJECT TO A DUTY OF CONFIDENTIALITY WITH RESPECT TO SUCH INFORMATION;
   (B)  PROTECT  REGULATED HEALTH INFORMATION IN A MANNER CONSISTENT WITH
 THE REQUIREMENTS OF THIS ARTICLE;
   (C) PROCESS REGULATED HEALTH INFORMATION ONLY WHEN AND TO  THE  EXTENT
 NECESSARY TO COMPLY WITH ITS OBLIGATIONS TO THE REGULATED ENTITY;
   (D)  NOT  COMBINE  THE  REGULATED HEALTH INFORMATION WHICH THE SERVICE
 PROVIDER RECEIVES FROM OR ON BEHALF OF THE  REGULATED  ENTITY  WITH  ANY
 OTHER  PERSONAL  INFORMATION WHICH THE SERVICE PROVIDER RECEIVES FROM OR
 ON BEHALF OF ANOTHER PARTY OR COLLECTS FROM ITS  OWN  RELATIONSHIP  WITH
 INDIVIDUALS;
   (E)  COMPLY WITH ANY EXERCISES OF AN INDIVIDUAL'S RIGHTS UNDER SECTION
 ELEVEN HUNDRED THREE OF THIS ARTICLE UPON THE REQUEST OF  THE  REGULATED
 ENTITY  AND  NOTIFY  ANY  SERVICE PROVIDERS OR THIRD PARTIES TO WHICH IT
 DISCLOSED REGULATED HEALTH INFORMATION OF THE REQUEST;
   (F) DELETE OR RETURN ALL REGULATED HEALTH INFORMATION TO THE REGULATED
 ENTITY AT THE END OF THE PROVISION OF SERVICES, UNLESS RETENTION OF  THE
 REGULATED HEALTH INFORMATION IS REQUIRED BY LAW;
 S. 158--A                           7
 
   (G)  UPON  THE REASONABLE REQUEST OF THE REGULATED ENTITY, MAKE AVAIL-
 ABLE TO THE REGULATED ENTITY ALL DATA IN  ITS  POSSESSION  NECESSARY  TO
 DEMONSTRATE  THE  SERVICE  PROVIDER'S COMPLIANCE WITH THE OBLIGATIONS IN
 THIS SECTION;
   (H) ALLOW, AND COOPERATE WITH, REASONABLE ASSESSMENTS BY THE REGULATED
 ENTITY  OR  THE  REGULATED  ENTITY'S DESIGNATED ASSESSOR FOR PURPOSES OF
 EVALUATING COMPLIANCE WITH THE OBLIGATIONS OF THIS ARTICLE; ALTERNATIVE-
 LY, THE SERVICE PROVIDER MAY ARRANGE FOR  A  QUALIFIED  AND  INDEPENDENT
 ASSESSOR  TO CONDUCT AN ASSESSMENT OF THE PROCESSOR'S POLICIES AND TECH-
 NICAL AND ORGANIZATIONAL MEASURES IN SUPPORT OF  THE  OBLIGATIONS  UNDER
 THIS  ARTICLE  USING  AN  APPROPRIATE  AND  ACCEPTED CONTROL STANDARD OR
 FRAMEWORK AND ASSESSMENT PROCEDURE FOR  SUCH  ASSESSMENTS.  THE  SERVICE
 PROVIDER  SHALL  PROVIDE  A  REPORT  OF SUCH ASSESSMENT TO THE REGULATED
 ENTITY UPON REQUEST;
   (I) A REASONABLE TIME IN ADVANCE  BEFORE  DISCLOSING  OR  TRANSFERRING
 REGULATED  HEALTH  INFORMATION  TO ANY FURTHER SERVICE PROVIDERS, NOTIFY
 THE REGULATED ENTITY OF SUCH A PROPOSED DISCLOSURE  OR  TRANSFER,  WHICH
 MAY  BE  IN  THE  FORM  OF  A  REGULARLY UPDATED LIST OF FURTHER SERVICE
 PROVIDERS THAT MAY ACCESS REGULATED HEALTH INFORMATION; AND
   (J) ENGAGE ANY FURTHER SERVICE PROVIDER PURSUANT TO A WRITTEN, BINDING
 AGREEMENT THAT INCLUDES THE CONTRACTUAL REQUIREMENTS  PROVIDED  IN  THIS
 SECTION,  CONTAINING  AT  MINIMUM  THE SAME OBLIGATIONS THAT THE SERVICE
 PROVIDER HAS ENTERED INTO WITH REGARD TO REGULATED HEALTH INFORMATION.
   § 1106. EXEMPTIONS. NOTHING IN THIS ARTICLE SHALL APPLY TO:
   1. INFORMATION PROCESSED BY LOCAL, STATE, AND FEDERAL GOVERNMENTS, AND
 MUNICIPAL CORPORATIONS;
   2. PROTECTED HEALTH INFORMATION THAT IS COLLECTED BY A COVERED  ENTITY
 OR  BUSINESS  ASSOCIATE  GOVERNED  BY  THE PRIVACY, SECURITY, AND BREACH
 NOTIFICATION RULES ISSUED BY THE UNITED STATES DEPARTMENT OF HEALTH  AND
 HUMAN  SERVICES,  PARTS  160  AND 164 OF TITLE 45 OF THE CODE OF FEDERAL
 REGULATIONS, ESTABLISHED PURSUANT TO THE  HEALTH  INSURANCE  PORTABILITY
 AND  ACCOUNTABILITY  ACT  OF  1996  (PUBLIC  LAW 104-191) AND THE HEALTH
 INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT (PUBLIC  LAW
 111-5);
   3.  ANY  COVERED  ENTITY GOVERNED BY THE PRIVACY, SECURITY, AND BREACH
 NOTIFICATION RULES ISSUED BY THE UNITED STATES DEPARTMENT OF HEALTH  AND
 HUMAN  SERVICES,  PARTS  160  AND 164 OF TITLE 45 OF THE CODE OF FEDERAL
 REGULATIONS, ESTABLISHED PURSUANT TO THE  HEALTH  INSURANCE  PORTABILITY
 AND  ACCOUNTABILITY  ACT OF 1996 (PUBLIC LAW 104-191), TO THE EXTENT THE
 COVERED ENTITY MAINTAINS PATIENT  INFORMATION  IN  THE  SAME  MANNER  AS
 PROTECTED  HEALTH  INFORMATION  AS  DESCRIBED IN SUBDIVISION TWO OF THIS
 SECTION;
   4. INFORMATION COLLECTED AS PART OF A CLINICAL TRIAL  SUBJECT  TO  THE
 FEDERAL  POLICY  FOR THE PROTECTION OF HUMAN SUBJECTS, ALSO KNOWN AS THE
 COMMON RULE, PURSUANT TO GOOD CLINICAL PRACTICE GUIDELINES ISSUED BY THE
 INTERNATIONAL COUNCIL FOR HARMONISATION OR  PURSUANT  TO  HUMAN  SUBJECT
 PROTECTION  REQUIREMENTS  OF  THE  UNITED  STATES FOOD AND DRUG ADMINIS-
 TRATION;
   5. INFORMATION PROCESSED PURSUANT TO THE  FEDERAL  FAMILY  EDUCATIONAL
 RIGHTS AND PRIVACY ACT (20 U.S.C. SEC. 1232G) AND ITS IMPLEMENTING REGU-
 LATIONS;
   6.  INFORMATION  PROCESSED  PURSUANT TO SECTION TWO-D OF THE EDUCATION
 LAW; AND
   7. INFORMATION PROCESSED PURSUANT  TO  THE  FEDERAL  DRIVER'S  PRIVACY
 PROTECTION ACT OF 1994 (18 U.S.C.  SEC. 2721 ET SEQ).
 S. 158--A                           8
 
   §  1107.  ENFORCEMENT. 1. WHENEVER IT APPEARS TO THE ATTORNEY GENERAL,
 EITHER UPON COMPLAINT OR OTHERWISE, THAT ANY PERSON OR  PERSONS,  WITHIN
 OR OUTSIDE THE STATE, HAS ENGAGED IN OR IS ABOUT TO ENGAGE IN ANY OF THE
 ACTS OR PRACTICES STATED TO BE UNLAWFUL UNDER THIS ARTICLE, THE ATTORNEY
 GENERAL  MAY  BRING  AN  ACTION OR SPECIAL PROCEEDING IN THE NAME AND ON
 BEHALF OF THE PEOPLE OF THE STATE OF NEW YORK TO ENJOIN ANY VIOLATION OF
 THIS ARTICLE, TO OBTAIN RESTITUTION OF ANY MONEYS OR  PROPERTY  OBTAINED
 DIRECTLY  OR INDIRECTLY BY ANY SUCH VIOLATION, TO OBTAIN DISGORGEMENT OF
 ANY PROFITS OBTAINED DIRECTLY OR INDIRECTLY BY ANY  SUCH  VIOLATION,  TO
 OBTAIN  CIVIL  PENALTIES  OF  NOT MORE THAN FIFTEEN THOUSAND DOLLARS PER
 VIOLATION OR TWENTY PERCENT OF REVENUE OBTAINED FROM NEW YORK  CONSUMERS
 WITHIN  THE  PAST  FISCAL  YEAR, WHICHEVER IS GREATER, AND TO OBTAIN ANY
 SUCH OTHER AND FURTHER RELIEF AS THE COURT MAY  DEEM  PROPER,  INCLUDING
 PRELIMINARY RELIEF.
   2.  THE  REMEDIES PROVIDED BY THIS SECTION SHALL BE IN ADDITION TO ANY
 OTHER LAWFUL REMEDY AVAILABLE.
   3. ANY ACTION OR SPECIAL PROCEEDING BROUGHT BY  THE  ATTORNEY  GENERAL
 PURSUANT  TO THIS SECTION MUST BE COMMENCED WITHIN SIX YEARS OF THE DATE
 ON WHICH THE ATTORNEY GENERAL BECAME AWARE OF THE VIOLATION.
   4. IN CONNECTION WITH ANY PROPOSED ACTION OR SPECIAL PROCEEDING  UNDER
 THIS  SECTION, THE ATTORNEY GENERAL IS AUTHORIZED TO TAKE PROOF AND MAKE
 A DETERMINATION OF THE RELEVANT FACTS, AND TO ISSUE SUBPOENAS IN ACCORD-
 ANCE WITH THE CIVIL PRACTICE LAW AND RULES.  THE  ATTORNEY  GENERAL  MAY
 ALSO REQUIRE SUCH OTHER DATA AND INFORMATION AS HE OR SHE MAY DEEM RELE-
 VANT  AND  MAY  REQUIRE  WRITTEN RESPONSES TO QUESTIONS UNDER OATH. SUCH
 POWER OF SUBPOENA AND EXAMINATION SHALL NOT ABATE OR TERMINATE BY REASON
 OF ANY ACTION OR SPECIAL PROCEEDING  BROUGHT  BY  THE  ATTORNEY  GENERAL
 UNDER THIS ARTICLE.
   5.  THIS  SECTION  SHALL  APPLY TO ALL ACTS DECLARED TO BE UNLAWFUL IN
 THIS ARTICLE, WHETHER OR NOT SUBJECT TO ANY OTHER LAW OF THIS STATE, AND
 SHALL NOT SUPERSEDE, AMEND OR REPEAL ANY OTHER LAW OF THIS  STATE  UNDER
 WHICH  THE  ATTORNEY GENERAL IS AUTHORIZED TO TAKE ANY ACTION OR CONDUCT
 ANY INQUIRY.
   6. ANY INDIVIDUAL WHO HAS BEEN INJURED BY A VIOLATION OF THIS  ARTICLE
 MAY  BRING  AN ACTION IN THEIR OWN NAME IN ANY COURT OF COMPETENT JURIS-
 DICTION TO ENJOIN SUCH UNLAWFUL ACT OR PRACTICE  AND  TO  RECOVER  THEIR
 ACTUAL  DAMAGES  OR  FIVE  THOUSAND DOLLARS PER INDIVIDUAL, WHICHEVER IS
 GREATER. THE COURT SHALL ALSO AWARD  REASONABLE  ATTORNEY'S  FEES  TO  A
 PREVAILING PLAINTIFF. ACTIONS PURSUANT TO THIS SECTION MAY BE BROUGHT ON
 A CLASS-WIDE BASIS.
   7.  THE  ATTORNEY GENERAL MAY PROMULGATE SUCH RULES AND REGULATIONS AS
 ARE NECESSARY TO EFFECTUATE AND ENFORCE THE PROVISIONS OF THIS SECTION.
   § 2. Severability. If any clause,  sentence,  paragraph,  subdivision,
 section  or part of this act shall be adjudged by any court of competent
 jurisdiction to be invalid, such judgment shall not affect,  impair,  or
 invalidate the remainder thereof, but shall be confined in its operation
 to the clause, sentence, paragraph, subdivision, section or part thereof
 directly  involved  in the controversy in which such judgment shall have
 been rendered. It is hereby declared to be the intent of the legislature
 that this act would have been enacted even if  such  invalid  provisions
 had not been included herein.
   § 3. This act shall take effect July 1, 2024.

co-Sponsors

2023-S158B - Details

Law Section:: General Business Law
Laws Affected:: Add Art 42 §§1100 - 1103, Gen Bus L
Versions Introduced in 2025-2026 Legislative Session:: S929

2023-S158B - Summary

2023-S158B - Sponsor Memo

                                 
BILL NUMBER: S158B

SPONSOR: KRUEGER
 
TITLE OF BILL:

An act to amend the general business law, in relation to providing for
the protection of health information

 
PURPOSE OR GENERAL IDEA OF BILL:

This bill would govern companies that collect and sell healthcare infor-
mation, and provides additional rights and protections to users related
to the sale and of their private health information.

 
SUMMARY OF SPECIFIC PROVISIONS:

Section one creates article 42 to the General Business Law to govern the
collection of data for electronic health products and services.

Section 1100 creates various definitions that will be used in the rest
of the bill.

Section 1101 regulates how regulated entities shall communicate their
data collection policies to users and the need for consent from the
user.

Section for 1102 regulates the collection of data and what the data can
be used for.

Section 1103 explains the users rights and extent of control over their
personal health information.

Section 1104 regulates the level of security that regulated entities
must have.

Section 1105 regulates service providers that process data on behalf of
a regulated entity

Section 1106 provides for exemptions from this bill

Section 1107 creates an enforcement mechanism.

Section 2. Severability

Section 3. Effective Date

 
JUSTIFICATION:

Most residents of the State are under the impression that HIPAA protects
them and their health data from being accessed by third-parties and sold
by and to other organizations. Residents are generally unaware that
their technology is constantly tracking their movements, and geolocation
data is being sold to companies for the purposes of targeted advertise-
ments or tracking. Most users also do not have an understanding of how
much information is being collected, stored, and sold for the benefit of
third-parties. For example, a mobile app to track menstruation cycles
was recently caught selling users' data to antiabortion advocacy organ-
izations.

This bill creates a legal framework for residents to reclaim and retain
control of their healthcare information. Electronic apps or websites
that are designed to provide a diagnosis or retain health information
will be required to receive affirmative consent by the user to retain
such information and would need separate consent to sell such informa-
tion to third-parties.

 
PRIOR LEGISLATIVE HISTORY:

2022: S.9599 - Referred to Rules

 
FISCAL IMPLICATIONS:

None to the State.

 
EFFECTIVE DATE:
This act shall take effect on July 1, 2024.

2023-S158B - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                  158--B
     Cal. No. 429
 
                        2023-2024 Regular Sessions
 
                             I N  S E N A T E
 
                                (PREFILED)
 
                              January 4, 2023
                                ___________
 
 Introduced  by  Sens.  KRUEGER,  COMRIE,  HINCHEY, HOYLMAN-SIGAL -- read
   twice and ordered printed, and when printed to  be  committed  to  the
   Committee  on  Internet and Technology -- reported favorably from said
   committee, ordered to first and second  report,  ordered  to  a  third
   reading,  amended  and  ordered  reprinted, retaining its place in the
   order of third reading -- again amended and ordered reprinted, retain-
   ing its place in the order of third reading
 
 AN ACT to amend the general business law, in relation to  providing  for
   the protection of health information
 
   THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. The general business law is amended by adding a new article
 42 to read as follows:
                                ARTICLE 42
                  NEW YORK HEALTH INFORMATION PRIVACY ACT
 SECTION 1100. DEFINITIONS.
         1101. REQUIREMENTS FOR COMMUNICATIONS TO INDIVIDUALS.
         1102. LAWFULNESS OF PROCESSING REGULATED HEALTH INFORMATION.
         1103. INDIVIDUAL RIGHTS.
         1104. SECURITY.
         1105. SERVICE PROVIDERS.
         1106. EXEMPTIONS.
         1107. ENFORCEMENT.
   § 1100. DEFINITIONS. AS USED IN  THIS  ARTICLE,  THE  FOLLOWING  TERMS
 SHALL HAVE THE FOLLOWING MEANINGS:
   1. "DEIDENTIFIED INFORMATION" MEANS INFORMATION THAT CANNOT REASONABLY
 BE  USED TO INFER INFORMATION ABOUT, OR OTHERWISE BE LINKED TO A PARTIC-
 ULAR INDIVIDUAL, HOUSEHOLD, OR DEVICE, PROVIDED THAT THE REGULATED ENTI-
 TY OR SERVICE PROVIDER THAT PROCESSES THE INFORMATION:
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.

                                                            LBD01105-06-3
 S. 158--B                           2
 
   (A) IMPLEMENTS REASONABLE TECHNICAL  SAFEGUARDS  TO  ENSURE  THAT  THE
 INFORMATION  CANNOT  BE  ASSOCIATED  WITH  AN  INDIVIDUAL, HOUSEHOLD, OR
 DEVICE;
   (B)  PUBLICLY  COMMITS TO PROCESS THE INFORMATION ONLY AS DEIDENTIFIED
 INFORMATION AND NOT ATTEMPT TO REIDENTIFY THE INFORMATION,  EXCEPT  THAT
 THE  REGULATED  ENTITY OR SERVICE PROVIDER MAY ATTEMPT TO REIDENTIFY THE
 INFORMATION SOLELY FOR THE PURPOSE OF DETERMINING  WHETHER  ITS  DEIDEN-
 TIFICATION PROCESSES SATISFY THE REQUIREMENTS OF THIS SECTION; AND
   (C) CONTRACTUALLY OBLIGATES ANY RECIPIENT OF THE DEIDENTIFIED INFORMA-
 TION TO COMPLY WITH ALL REQUIREMENTS OF THIS SECTION.
   2.  "REGULATED  HEALTH  INFORMATION"  MEANS  ANY  INFORMATION  THAT IS
 REASONABLY LINKABLE TO AN INDIVIDUAL, OR A DEVICE, AND IS  COLLECTED  OR
 PROCESSED  IN  CONNECTION WITH THE PHYSICAL OR MENTAL HEALTH OF AN INDI-
 VIDUAL.  LOCATION OR PAYMENT INFORMATION THAT RELATES TO AN INDIVIDUAL'S
 PHYSICAL OR MENTAL HEALTH OR ANY INFERENCE DRAWN  OR  DERIVED  ABOUT  AN
 INDIVIDUAL'S PHYSICAL OR MENTAL HEALTH THAT IS REASONABLY LINKABLE TO AN
 INDIVIDUAL,  OR A DEVICE, SHALL BE CONSIDERED, WITHOUT LIMITATION, REGU-
 LATED HEALTH INFORMATION. REGULATED HEALTH INFORMATION SHALL NOT INCLUDE
 DEIDENTIFIED INFORMATION.
   3. "PROCESS" OR "PROCESSING" MEANS AN OPERATION OR SET  OF  OPERATIONS
 PERFORMED  ON REGULATED HEALTH INFORMATION, INCLUDING BUT NOT LIMITED TO
 THE COLLECTION, USE,  ACCESS,  SHARING,  SALE,  MONETIZATION,  ANALYSIS,
 RETENTION,  CREATION,  GENERATION,  DERIVATION, RECORDING, ORGANIZATION,
 STRUCTURING, STORAGE,  DISCLOSURE,  TRANSMISSION,  DISPOSAL,  LICENSING,
 DESTRUCTION,  DELETION,  MODIFICATION,  OR DEIDENTIFICATION OF REGULATED
 HEALTH INFORMATION.
   4. "REGULATED ENTITY" MEANS ANY ENTITY THAT (A) CONTROLS THE  PROCESS-
 ING  OF  REGULATED HEALTH INFORMATION OF AN INDIVIDUAL WHO IS A NEW YORK
 RESIDENT, (B) CONTROLS THE PROCESSING OF REGULATED HEALTH INFORMATION OF
 AN INDIVIDUAL WHO IS PHYSICALLY PRESENT IN NEW YORK WHILE THAT  INDIVID-
 UAL IS IN NEW YORK, OR (C) IS LOCATED IN NEW YORK AND CONTROLS THE PROC-
 ESSING  OF  REGULATED  HEALTH  INFORMATION OF AN INDIVIDUAL. A REGULATED
 ENTITY MAY ALSO BE A SERVICE PROVIDER  DEPENDING  UPON  THE  CONTEXT  IN
 WHICH REGULATED HEALTH INFORMATION IS PROCESSED.
   5.  "SELL" MEANS TO SHARE REGULATED HEALTH INFORMATION FOR MONETARY OR
 OTHER VALUABLE CONSIDERATION. SELLING DOES NOT INCLUDE  THE  SHARING  OF
 REGULATED  HEALTH  INFORMATION  FOR MONETARY OR OTHER VALUABLE CONSIDER-
 ATION TO A THIRD PARTY AS AN ASSET THAT IS PART OF  A  MERGER,  ACQUISI-
 TION,  BANKRUPTCY, OR OTHER TRANSACTION IN WHICH THE THIRD PARTY ASSUMES
 CONTROL OF ALL OR PART OF THE REGULATED ENTITY'S ASSETS.
   6. "SERVICE PROVIDER" MEANS ANY PERSON OR ENTITY THAT PROCESSES  REGU-
 LATED  HEALTH  INFORMATION  ON  BEHALF  OF A REGULATED ENTITY. A SERVICE
 PROVIDER MAY ALSO BE A REGULATED ENTITY DEPENDING UPON  THE  CONTEXT  IN
 WHICH REGULATED HEALTH INFORMATION IS PROCESSED.
   7.  "THIRD  PARTY" MEANS A PERSON OR ENTITY OTHER THAN THE INDIVIDUAL,
 REGULATED ENTITY, OR SERVICE  PROVIDER  INVOLVED  IN  A  TRANSACTION  OR
 OCCURRENCE THAT INVOLVES REGULATED HEALTH INFORMATION. A THIRD PARTY MAY
 ALSO  BE  A  REGULATED  ENTITY  OR  SERVICE  PROVIDER DEPENDING UPON THE
 CONTEXT IN WHICH REGULATED HEALTH INFORMATION IS PROCESSED.
   § 1101. REQUIREMENTS FOR COMMUNICATIONS TO INDIVIDUALS.  ALL  NOTICES,
 DISCLOSURES,  FORMS,  AND  OTHER  COMMUNICATIONS TO INDIVIDUALS PROVIDED
 PURSUANT TO THIS ARTICLE SHALL COMPLY WITH THE FOLLOWING:
   1. IN GENERAL, ALL COMMUNICATIONS  SHALL  USE  PLAIN,  STRAIGHTFORWARD
 LANGUAGE,  AVOIDING  TECHNICAL  OR  LEGAL  JARGON,  AND MUST BE PROVIDED
 THROUGH AN INTERFACE REGULARLY USED IN CONJUNCTION  WITH  THE  REGULATED
 ENTITY'S PRODUCT OR SERVICE.
 S. 158--B                           3
 
   2.  ALL  COMMUNICATIONS  SHALL BE REASONABLY ACCESSIBLE TO INDIVIDUALS
 WITH DISABILITIES, INCLUDING BY:
   (A) UTILIZING DIGITAL ACCESSIBILITY TOOLS;
   (B)  FOR  NOTICES, COMPLYING WITH GENERALLY RECOGNIZED INDUSTRY STAND-
 ARDS, INCLUDING, BUT NOT  LIMITED  TO,  THE  WEB  CONTENT  ACCESSIBILITY
 GUIDELINES,  VERSION 2.1 OF JUNE 5, 2018, FROM THE WORLD WEB CONSORTIUM,
 INCORPORATED HEREIN BY REFERENCE; AND
   (C) FOR OTHER COMMUNICATIONS, PROVIDING INFORMATION ABOUT HOW AN INDI-
 VIDUAL WITH A DISABILITY MAY ACCESS THE COMMUNICATION IN AN  ALTERNATIVE
 FORMAT.
   3. ALL COMMUNICATIONS SHALL BE AVAILABLE IN THE LANGUAGES IN WHICH THE
 REGULATED  ENTITY PROVIDES INFORMATION VIA ITS WEBSITE AND SERVICES. ANY
 DIRECT COMMUNICATION TO AN INDIVIDUAL SHALL BE PROVIDED IN THE  LANGUAGE
 IN  WHICH  THE INDIVIDUAL ORDINARILY INTERACTS WITH THE REGULATED ENTITY
 OR ITS SERVICE PROVIDER.
   4. A REGULATED ENTITY SHALL MAKE ANY NOTICE FOR PROCESSING PURSUANT TO
 A PERMISSIBLE PURPOSE, PURSUANT TO SUBPARAGRAPH (II) OF PARAGRAPH (B) OF
 SUBDIVISION ONE OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE,  OR  FORM
 FOR  PROCESSING  PURSUANT TO AUTHORIZATION, PURSUANT TO SUBPARAGRAPH (I)
 OF PARAGRAPH (B) OF SUBDIVISION ONE OF SECTION  ELEVEN  HUNDRED  TWO  OF
 THIS  ARTICLE,  PUBLICLY  AVAILABLE  ON ITS WEBSITE. IF AN AUTHORIZATION
 FORM IS CUSTOMIZED FOR EACH INDIVIDUAL, THE REGULATED ENTITY MAY INSTEAD
 PUBLICLY POST A SAMPLE AUTHORIZATION FORM ON ITS WEBSITE.
   § 1102. LAWFULNESS OF PROCESSING REGULATED HEALTH INFORMATION.  1.  IN
 GENERAL, IT SHALL BE UNLAWFUL FOR A REGULATED ENTITY TO:
   (A)  SELL  AN  INDIVIDUAL'S  REGULATED  HEALTH  INFORMATION TO A THIRD
 PARTY; OR
   (B) OTHERWISE PROCESS AN  INDIVIDUAL'S  REGULATED  HEALTH  INFORMATION
 UNLESS:
   (I)  THE INDIVIDUAL HAS PROVIDED VALID AUTHORIZATION FOR SUCH PROCESS-
 ING; OR
   (II) PROCESSING OF AN INDIVIDUAL'S  REGULATED  HEALTH  INFORMATION  IS
 STRICTLY NECESSARY FOR THE PURPOSE OF:
   (A) PROVIDING A PRODUCT OR SERVICE REQUESTED BY SUCH INDIVIDUAL;
   (B)  CONDUCTING  THE  REGULATED ENTITY'S INTERNAL BUSINESS OPERATIONS,
 WHICH EXCLUDE ANY ACTIVITIES RELATED TO MARKETING, ADVERTISING, RESEARCH
 AND DEVELOPMENT, OR PROVIDING PRODUCTS OR SERVICES TO THIRD PARTIES;
   (C) PROTECTING AGAINST MALICIOUS, FRAUDULENT, OR ILLEGAL ACTIVITY;
   (D) DETECTING, RESPONDING TO,  OR  PREVENTING  SECURITY  INCIDENTS  OR
 THREATS;
   (E)  PROTECTING  THE  VITAL  INTERESTS  OF AN INDIVIDUAL OR THE PUBLIC
 INTEREST IN THE AREA OF PUBLIC HEALTH;
   (F) INVESTIGATING, ESTABLISHING, EXERCISING, PREPARING FOR, OR DEFEND-
 ING LEGAL CLAIMS; OR
   (G) COMPLYING WITH THE REGULATED ENTITY'S LEGAL OBLIGATIONS.
   2. A REGULATED ENTITY  THAT  PROCESSES  REGULATED  HEALTH  INFORMATION
 PURSUANT TO VALID AUTHORIZATION AS REQUIRED BY SUBPARAGRAPH (I) OF PARA-
 GRAPH  (B)  OF  SUBDIVISION  ONE  OF  THIS SECTION SHALL COMPLY WITH THE
 FOLLOWING:
   (A) A REQUEST FOR AUTHORIZATION TO PROCESS AN  INDIVIDUAL'S  REGULATED
 HEALTH INFORMATION SHALL:
   (I)  BE MADE SEPARATELY FROM ANY OTHER TRANSACTION OR PART OF A TRANS-
 ACTION;
   (II) BE MADE AT LEAST TWENTY-FOUR HOURS AFTER AN INDIVIDUAL CREATES AN
 ACCOUNT OR FIRST USES THE REQUESTED PRODUCT OR SERVICE;
 S. 158--B                           4
 
   (III) BE MADE IN THE ABSENCE OF ANY MECHANISM THAT HAS THE PURPOSE  OR
 SUBSTANTIAL  EFFECT  OF  OBSCURING, SUBVERTING, OR IMPAIRING AN INDIVID-
 UAL'S DECISION-MAKING REGARDING AUTHORIZATION FOR PROCESSING;
   (IV) IF REQUESTING AUTHORIZATION FOR MULTIPLE CATEGORIES OF PROCESSING
 ACTIVITIES, ALLOW THE INDIVIDUAL TO PROVIDE/WITHHOLD AUTHORIZATION SEPA-
 RATELY FOR EACH CATEGORY OF PROCESSING ACTIVITY; AND
   (V)  NOT INCLUDE ANY REQUEST FOR AUTHORIZATION FOR A PROCESSING ACTIV-
 ITY FOR WHICH AN INDIVIDUAL HAS WITHHELD OR REVOKED AUTHORIZATION WITHIN
 THE PAST CALENDAR YEAR.
   (B) A VALID AUTHORIZATION SHALL INCLUDE:
   (I) THE TYPES OF REGULATED HEALTH INFORMATION TO BE PROCESSED;
   (II) THE NATURE OF THE PROCESSING ACTIVITY;
   (III) THE SPECIFIC PURPOSES FOR SUCH PROCESSING;
   (IV) THE NAMES WHERE  READILY  AVAILABLE,  OR  CATEGORIES  OF  SERVICE
 PROVIDERS  AND  THIRD PARTIES TO WHICH THE REGULATED ENTITY MAY DISCLOSE
 THE INDIVIDUAL'S REGULATED HEALTH INFORMATION AND THE PURPOSES FOR  SUCH
 DISCLOSURE, INCLUDING THE CIRCUMSTANCES UNDER WHICH THE REGULATED ENTITY
 MAY DISCLOSE REGULATED HEALTH INFORMATION TO LAW ENFORCEMENT;
   (V)  ANY MONETARY OR OTHER VALUABLE CONSIDERATION THE REGULATED ENTITY
 MAY RECEIVE IN CONNECTION WITH  PROCESSING  THE  INDIVIDUAL'S  REGULATED
 HEALTH INFORMATION, WHERE APPLICABLE;
   (VI)  THAT  FAILING TO PROVIDE AUTHORIZATION WILL NOT AFFECT THE INDI-
 VIDUAL'S  EXPERIENCE  OF  USING  THE  REGULATED  ENTITY'S  PRODUCTS   OR
 SERVICES;
   (VII) THE EXPIRATION DATE OF THE AUTHORIZATION, WHICH MAY BE UP TO ONE
 YEAR FROM THE DATE AUTHORIZATION WAS PROVIDED;
   (VIII)  THE MECHANISM BY WHICH THE INDIVIDUAL MAY REVOKE AUTHORIZATION
 PRIOR TO EXPIRATION;
   (IX) THE MECHANISM BY WHICH THE INDIVIDUAL MAY REQUEST ACCESS  TO  AND
 DELETION OF THEIR REGULATED HEALTH INFORMATION;
   (X)  ANY OTHER INFORMATION MATERIAL TO AN INDIVIDUAL'S DECISION-MAKING
 REGARDING AUTHORIZATION FOR PROCESSING; AND
   (XI) THE SIGNATURE, WHICH MAY BE ELECTRONIC, OF THE INDIVIDUAL WHO  IS
 THE SUBJECT OF THE REGULATED HEALTH INFORMATION, OR A PARENT OR GUARDIAN
 AUTHORIZED  BY LAW TO TAKE ACTIONS OF LEGAL CONSEQUENCE ON BEHALF OF THE
 INDIVIDUAL WHO IS THE SUBJECT OF THE REGULATED HEALTH  INFORMATION,  AND
 THE DATE.
   (C)  (I) A REGULATED ENTITY THAT RECEIVES AUTHORIZATION FOR PROCESSING
 SHALL PROVIDE AN EFFECTIVE,  EFFICIENT,  AND  EASY-TO-USE  MECHANISM  BY
 WHICH  AN  INDIVIDUAL  MAY  REVOKE  AUTHORIZATION AT ANY TIME THROUGH AN
 INTERFACE REGULARLY USED IN  CONJUNCTION  WITH  THE  REGULATED  ENTITY'S
 PRODUCT OR SERVICE.
   (II)  UPON  AN INDIVIDUAL'S REVOCATION OF AUTHORIZATION, THE REGULATED
 ENTITY SHALL IMMEDIATELY  CEASE  ALL  PROCESSING  ACTIVITIES  FOR  WHICH
 AUTHORIZATION WAS REVOKED, EXCEPT TO THE EXTENT NECESSARY TO COMPLY WITH
 THE REGULATED ENTITY'S LEGAL OBLIGATIONS.
   (III)  FOR  INDIVIDUALS  WHO HAVE AN ONLINE ACCOUNT WITH THE REGULATED
 ENTITY, THE REGULATED ENTITY MUST PROVIDE, IN A CONSPICUOUS  AND  EASILY
 ACCESSIBLE  PLACE  WITHIN THE ACCOUNT SETTINGS, A LIST OF ALL PROCESSING
 ACTIVITIES FOR WHICH THE INDIVIDUAL HAS PROVIDED AUTHORIZATION AND,  FOR
 EACH  PROCESSING  ACTIVITY, ALLOW THE INDIVIDUAL TO REVOKE AUTHORIZATION
 IN THE SAME PLACE WITH ONE MOTION OR ACTION.
   (D) UPON OBTAINING VALID AUTHORIZATION FROM AN INDIVIDUAL,  THE  REGU-
 LATED  ENTITY SHALL PROVIDE THAT INDIVIDUAL A COPY OF THE AUTHORIZATION.
 THE AUTHORIZATION SHALL BE PROVIDED IN A MANNER THAT IS CAPABLE OF BEING
 RETAINED BY THE INDIVIDUAL.
 S. 158--B                           5
 
   (E) THE REGULATED ENTITY SHALL LIMIT ITS PROCESSING TO WHAT WAS CLEAR-
 LY DISCLOSED TO AN INDIVIDUAL PURSUANT TO PARAGRAPH (B) OF THIS SUBDIVI-
 SION WHEN THE REGULATED ENTITY RECEIVED AUTHORIZATION FROM THE  INDIVID-
 UAL.
   (F)  IF  THE REGULATED ENTITY SEEKS TO MATERIALLY ALTER ITS PROCESSING
 ACTIVITIES  FOR  REGULATED  HEALTH  INFORMATION  COLLECTED  PURSUANT  TO
 AUTHORIZATION, THE REGULATED ENTITY SHALL OBTAIN A NEW AUTHORIZATION FOR
 THE NEW OR ALTERED PROCESSING ACTIVITY.
   (G) PROVIDING A PRODUCT OR SERVICE REQUESTED BY AN INDIVIDUAL MUST NOT
 BE MADE CONTINGENT ON PROVIDING AUTHORIZATION. THE REGULATED ENTITY MUST
 NOT  DISCRIMINATE  AGAINST  AN INDIVIDUAL FOR WITHHOLDING AUTHORIZATION,
 SUCH AS BY CHARGING DIFFERENT PRICES OR RATES FOR PRODUCTS OR  SERVICES,
 INCLUDING  THROUGH  THE  USE  OF  DISCOUNTS  OR OTHER BENEFITS, IMPOSING
 PENALTIES, OR PROVIDING A DIFFERENT LEVEL  OR  QUALITY  OF  SERVICES  OR
 GOODS TO THE INDIVIDUAL.
   3.  A  REGULATED  ENTITY  THAT  PROCESSES REGULATED HEALTH INFORMATION
 PURSUANT TO A PERMISSIBLE PURPOSE PURSUANT TO SUBPARAGRAPH (II) OF PARA-
 GRAPH (B) OF SUBDIVISION ONE OF  THIS  SECTION  SHALL  COMPLY  WITH  THE
 FOLLOWING:
   (A) A REGULATED ENTITY SHALL PROVIDE CLEAR AND CONSPICUOUS NOTICE THAT
 DESCRIBES:
   (I) THE TYPES OF REGULATED HEALTH INFORMATION TO BE PROCESSED;
   (II) THE NATURE OF THE PROCESSING ACTIVITY;
   (III) THE SPECIFIC PURPOSES FOR SUCH PROCESSING;
   (IV)  THE  NAMES  WHERE  READILY  AVAILABLE,  OR CATEGORIES OF SERVICE
 PROVIDERS AND THIRD PARTIES TO WHICH THE REGULATED ENTITY  MAY  DISCLOSE
 THE  INDIVIDUAL'S REGULATED HEALTH INFORMATION AND THE PURPOSES FOR SUCH
 DISCLOSURE, INCLUDING THE CIRCUMSTANCES UNDER WHICH THE REGULATED ENTITY
 MAY DISCLOSE REGULATED HEALTH INFORMATION TO LAW ENFORCEMENT; AND
   (V) THE MECHANISM BY WHICH THE INDIVIDUAL MAY REQUEST  ACCESS  TO  AND
 DELETION OF THEIR REGULATED HEALTH INFORMATION.
   (B)  IF  THE  REGULATED ENTITY MATERIALLY ALTERS ITS PROCESSING ACTIV-
 ITIES FOR REGULATED HEALTH INFORMATION COLLECTED PURSUANT TO A PERMISSI-
 BLE PURPOSE, THE REGULATED ENTITY MUST PROVIDE A CLEAR  AND  CONSPICUOUS
 NOTICE  IN  PLAIN  LANGUAGE,  SEPARATE  FROM  A PRIVACY POLICY, TERMS OF
 SERVICE, OR SIMILAR DOCUMENT, THAT DESCRIBES ANY MATERIAL CHANGES TO THE
 PROCESSING ACTIVITIES AND PROVIDE THE INDIVIDUAL WITH AN OPPORTUNITY  TO
 REQUEST DELETION OF THEIR REGULATED HEALTH INFORMATION.
   § 1103. INDIVIDUAL RIGHTS. 1. (A) A REGULATED ENTITY SHALL MAKE AVAIL-
 ABLE  AN  EFFECTIVE,  EFFICIENT,  AND  EASY-TO-USE  MECHANISM THROUGH AN
 INTERFACE REGULARLY USED IN  CONJUNCTION  WITH  THE  REGULATED  ENTITY'S
 PRODUCT  OR  SERVICE  BY WHICH AN INDIVIDUAL MAY REQUEST ACCESS TO THEIR
 REGULATED HEALTH INFORMATION.
   (B) WITHIN THIRTY DAYS OF RECEIVING AN ACCESS REQUEST,  THE  REGULATED
 ENTITY  SHALL  MAKE AVAILABLE A COPY OF ALL REGULATED HEALTH INFORMATION
 ABOUT THE INDIVIDUAL THAT THE REGULATED ENTITY MAINTAINS OR THAT SERVICE
 PROVIDERS MAINTAIN ON BEHALF OF THE REGULATED ENTITY.
   2. (A) A REGULATED ENTITY SHALL MAKE  AVAILABLE  AN  EFFECTIVE,  EFFI-
 CIENT,  AND EASY-TO-USE MECHANISM THROUGH AN INTERFACE REGULARLY USED IN
 CONJUNCTION WITH THE REGULATED ENTITY'S PRODUCT OR SERVICE BY  WHICH  AN
 INDIVIDUAL  MAY  REQUEST THE DELETION OF THEIR REGULATED HEALTH INFORMA-
 TION.
   (B) AN INDIVIDUAL'S DELETION OR CANCELLATION OF THEIR  ONLINE  ACCOUNT
 SHALL  BE  TREATED  AS  A  REQUEST  TO DELETE THE INDIVIDUAL'S REGULATED
 HEALTH INFORMATION.
 S. 158--B                           6
 
   (C) WITHIN THIRTY DAYS OF RECEIVING A DELETION REQUEST, THE  REGULATED
 ENTITY SHALL:
   (I)  DELETE ALL REGULATED HEALTH INFORMATION ASSOCIATED WITH THE INDI-
 VIDUAL IN THE REGULATED ENTITY'S POSSESSION OR CONTROL,  EXCEPT  TO  THE
 EXTENT  NECESSARY  TO  COMPLY  WITH  THE  REGULATED ENTITY'S LEGAL OBLI-
 GATIONS; AND
   (II) UNLESS IT PROVES IMPOSSIBLE OR INVOLVES  DISPROPORTIONATE  EFFORT
 THAT  IS DOCUMENTED IN WRITING BY THE REGULATED ENTITY, COMMUNICATE SUCH
 REQUEST TO EACH SERVICE PROVIDER OR THIRD PARTY THAT PROCESSED THE INDI-
 VIDUAL'S REGULATED HEALTH INFORMATION IN CONNECTION WITH  A  TRANSACTION
 INVOLVING  THE  REGULATED  ENTITY OCCURING WITHIN ONE YEAR PRECEDING THE
 INDIVIDUAL'S REQUEST.
   (D) ANY SERVICE PROVIDER OR THIRD PARTY THAT  RECEIVES  NOTICE  OF  AN
 INDIVIDUAL'S  DELETION REQUEST SHALL WITHIN THIRTY DAYS DELETE ALL REGU-
 LATED  HEALTH  INFORMATION  ASSOCIATED  WITH  THE  INDIVIDUAL   IN   ITS
 POSSESSION OR CONTROL, EXCEPT TO THE EXTENT NECESSARY TO COMPLY WITH ITS
 LEGAL OBLIGATIONS.
   3. ANY RIGHT SET FORTH IN THIS SECTION MAY BE EXERCISED AT ANY TIME BY
 THE INDIVIDUAL WHO IS THE SUBJECT OF THE REGULATED HEALTH INFORMATION OR
 AN AGENT AUTHORIZED BY SUCH INDIVIDUAL.
   §  1104.  SECURITY.  1.  IN GENERAL, A REGULATED ENTITY SHALL DEVELOP,
 IMPLEMENT, AND MAINTAIN REASONABLE ADMINISTRATIVE, TECHNICAL, AND  PHYS-
 ICAL  SAFEGUARDS TO PROTECT THE SECURITY, CONFIDENTIALITY, AND INTEGRITY
 OF REGULATED HEALTH INFORMATION.
   2. A REGULATED ENTITY MUST SECURELY DISPOSE OF AN  INDIVIDUAL'S  REGU-
 LATED  HEALTH  INFORMATION  PURSUANT  TO  A PUBLICLY AVAILABLE RETENTION
 SCHEDULE WITHIN A REASONABLE TIME, AND IN  NO  EVENT  LATER  THAN  SIXTY
 DAYS,  AFTER  IT  IS NO LONGER NECESSARY TO MAINTAIN FOR THE PERMISSIBLE
 PURPOSE OR PURPOSES IDENTIFIED IN THE NOTICE OR FOR WHICH THE INDIVIDUAL
 PROVIDED VALID AUTHORIZATION.
   § 1105. SERVICE PROVIDERS. 1. IN GENERAL, ANY PROCESSING OF  REGULATED
 HEALTH INFORMATION BY A SERVICE PROVIDER ON BEHALF OF A REGULATED ENTITY
 SHALL  BE GOVERNED BY A WRITTEN, BINDING AGREEMENT. SUCH AGREEMENT SHALL
 CLEARLY SET FORTH INSTRUCTIONS FOR PROCESSING REGULATED HEALTH  INFORMA-
 TION,  THE NATURE AND PURPOSE OF PROCESSING, THE DURATION OF PROCESSING,
 AND THE RIGHTS AND OBLIGATIONS OF BOTH PARTIES.
   2. AN AGREEMENT PURSUANT TO SUBDIVISION  ONE  OF  THIS  SECTION  SHALL
 REQUIRE THAT THE SERVICE PROVIDER:
   (A) ENSURE THAT EACH PERSON PROCESSING REGULATED HEALTH INFORMATION IS
 SUBJECT TO A DUTY OF CONFIDENTIALITY WITH RESPECT TO SUCH INFORMATION;
   (B)  PROTECT  REGULATED HEALTH INFORMATION IN A MANNER CONSISTENT WITH
 THE REQUIREMENTS OF THIS ARTICLE;
   (C) PROCESS REGULATED HEALTH INFORMATION ONLY WHEN AND TO  THE  EXTENT
 NECESSARY TO COMPLY WITH ITS OBLIGATIONS TO THE REGULATED ENTITY;
   (D)  NOT  COMBINE  THE  REGULATED HEALTH INFORMATION WHICH THE SERVICE
 PROVIDER RECEIVES FROM OR ON BEHALF OF THE  REGULATED  ENTITY  WITH  ANY
 OTHER  PERSONAL  INFORMATION WHICH THE SERVICE PROVIDER RECEIVES FROM OR
 ON BEHALF OF ANOTHER PARTY OR COLLECTS FROM ITS  OWN  RELATIONSHIP  WITH
 INDIVIDUALS;
   (E)  COMPLY WITH ANY EXERCISES OF AN INDIVIDUAL'S RIGHTS UNDER SECTION
 ELEVEN HUNDRED THREE OF THIS ARTICLE UPON THE REQUEST OF  THE  REGULATED
 ENTITY  AND  NOTIFY  ANY  SERVICE PROVIDERS OR THIRD PARTIES TO WHICH IT
 DISCLOSED REGULATED HEALTH INFORMATION OF THE REQUEST;
   (F) DELETE OR RETURN ALL REGULATED HEALTH INFORMATION TO THE REGULATED
 ENTITY AT THE END OF THE PROVISION OF SERVICES, UNLESS RETENTION OF  THE
 REGULATED HEALTH INFORMATION IS REQUIRED BY LAW;
 S. 158--B                           7
 
   (G)  UPON  THE REASONABLE REQUEST OF THE REGULATED ENTITY, MAKE AVAIL-
 ABLE TO THE REGULATED ENTITY ALL DATA IN  ITS  POSSESSION  NECESSARY  TO
 DEMONSTRATE  THE  SERVICE  PROVIDER'S COMPLIANCE WITH THE OBLIGATIONS IN
 THIS SECTION;
   (H) ALLOW, AND COOPERATE WITH, REASONABLE ASSESSMENTS BY THE REGULATED
 ENTITY  OR  THE  REGULATED  ENTITY'S DESIGNATED ASSESSOR FOR PURPOSES OF
 EVALUATING COMPLIANCE WITH THE OBLIGATIONS OF THIS ARTICLE; ALTERNATIVE-
 LY, THE SERVICE PROVIDER MAY ARRANGE FOR  A  QUALIFIED  AND  INDEPENDENT
 ASSESSOR  TO CONDUCT AN ASSESSMENT OF THE PROCESSOR'S POLICIES AND TECH-
 NICAL AND ORGANIZATIONAL MEASURES IN SUPPORT OF  THE  OBLIGATIONS  UNDER
 THIS  ARTICLE  USING  AN  APPROPRIATE  AND  ACCEPTED CONTROL STANDARD OR
 FRAMEWORK AND ASSESSMENT PROCEDURE FOR  SUCH  ASSESSMENTS.  THE  SERVICE
 PROVIDER  SHALL  PROVIDE  A  REPORT  OF SUCH ASSESSMENT TO THE REGULATED
 ENTITY UPON REQUEST;
   (I) A REASONABLE TIME IN ADVANCE  BEFORE  DISCLOSING  OR  TRANSFERRING
 REGULATED  HEALTH  INFORMATION  TO ANY FURTHER SERVICE PROVIDERS, NOTIFY
 THE REGULATED ENTITY OF SUCH A PROPOSED DISCLOSURE  OR  TRANSFER,  WHICH
 MAY  BE  IN  THE  FORM  OF  A  REGULARLY UPDATED LIST OF FURTHER SERVICE
 PROVIDERS THAT MAY ACCESS REGULATED HEALTH INFORMATION; AND
   (J) ENGAGE ANY FURTHER SERVICE PROVIDER PURSUANT TO A WRITTEN, BINDING
 AGREEMENT THAT INCLUDES THE CONTRACTUAL REQUIREMENTS  PROVIDED  IN  THIS
 SECTION,  CONTAINING  AT  MINIMUM  THE SAME OBLIGATIONS THAT THE SERVICE
 PROVIDER HAS ENTERED INTO WITH REGARD TO REGULATED HEALTH INFORMATION.
   § 1106. EXEMPTIONS. NOTHING IN THIS ARTICLE SHALL APPLY TO:
   1. INFORMATION PROCESSED BY LOCAL, STATE, AND FEDERAL GOVERNMENTS, AND
 MUNICIPAL CORPORATIONS;
   2. PROTECTED HEALTH INFORMATION THAT IS COLLECTED BY A COVERED  ENTITY
 OR  BUSINESS  ASSOCIATE  GOVERNED  BY  THE PRIVACY, SECURITY, AND BREACH
 NOTIFICATION RULES ISSUED BY THE UNITED STATES DEPARTMENT OF HEALTH  AND
 HUMAN  SERVICES,  PARTS  160  AND 164 OF TITLE 45 OF THE CODE OF FEDERAL
 REGULATIONS, ESTABLISHED PURSUANT TO THE  HEALTH  INSURANCE  PORTABILITY
 AND  ACCOUNTABILITY  ACT  OF  1996  (PUBLIC  LAW 104-191) AND THE HEALTH
 INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT (PUBLIC  LAW
 111-5);
   3.  ANY  COVERED  ENTITY GOVERNED BY THE PRIVACY, SECURITY, AND BREACH
 NOTIFICATION RULES ISSUED BY THE UNITED STATES DEPARTMENT OF HEALTH  AND
 HUMAN  SERVICES,  PARTS  160  AND 164 OF TITLE 45 OF THE CODE OF FEDERAL
 REGULATIONS, ESTABLISHED PURSUANT TO THE  HEALTH  INSURANCE  PORTABILITY
 AND  ACCOUNTABILITY  ACT OF 1996 (PUBLIC LAW 104-191), TO THE EXTENT THE
 COVERED ENTITY MAINTAINS PATIENT  INFORMATION  IN  THE  SAME  MANNER  AS
 PROTECTED  HEALTH  INFORMATION  AS  DESCRIBED IN SUBDIVISION TWO OF THIS
 SECTION;
   4. INFORMATION COLLECTED AS PART OF A CLINICAL TRIAL  SUBJECT  TO  THE
 FEDERAL  POLICY  FOR THE PROTECTION OF HUMAN SUBJECTS, ALSO KNOWN AS THE
 COMMON RULE, PURSUANT TO GOOD CLINICAL PRACTICE GUIDELINES ISSUED BY THE
 INTERNATIONAL COUNCIL FOR HARMONISATION OR  PURSUANT  TO  HUMAN  SUBJECT
 PROTECTION  REQUIREMENTS  OF  THE  UNITED  STATES FOOD AND DRUG ADMINIS-
 TRATION;
   5. INFORMATION PROCESSED PURSUANT TO THE  FEDERAL  FAMILY  EDUCATIONAL
 RIGHTS AND PRIVACY ACT (20 U.S.C. SEC. 1232G) AND ITS IMPLEMENTING REGU-
 LATIONS;
   6.  INFORMATION  PROCESSED  PURSUANT TO SECTION TWO-D OF THE EDUCATION
 LAW; AND
   7. INFORMATION PROCESSED PURSUANT  TO  THE  FEDERAL  DRIVER'S  PRIVACY
 PROTECTION ACT OF 1994 (18 U.S.C.  SEC. 2721 ET SEQ).
 S. 158--B                           8
 
   §  1107.  ENFORCEMENT. 1. WHENEVER IT APPEARS TO THE ATTORNEY GENERAL,
 EITHER UPON COMPLAINT OR OTHERWISE, THAT ANY PERSON OR  PERSONS,  WITHIN
 OR OUTSIDE THE STATE, HAS ENGAGED IN OR IS ABOUT TO ENGAGE IN ANY OF THE
 ACTS OR PRACTICES STATED TO BE UNLAWFUL UNDER THIS ARTICLE, THE ATTORNEY
 GENERAL  MAY  BRING  AN  ACTION OR SPECIAL PROCEEDING IN THE NAME AND ON
 BEHALF OF THE PEOPLE OF THE STATE OF NEW YORK TO ENJOIN ANY VIOLATION OF
 THIS ARTICLE, TO OBTAIN RESTITUTION OF ANY MONEYS OR  PROPERTY  OBTAINED
 DIRECTLY  OR INDIRECTLY BY ANY SUCH VIOLATION, TO OBTAIN DISGORGEMENT OF
 ANY PROFITS OBTAINED DIRECTLY OR INDIRECTLY BY ANY  SUCH  VIOLATION,  TO
 OBTAIN  CIVIL  PENALTIES  OF  NOT MORE THAN FIFTEEN THOUSAND DOLLARS PER
 VIOLATION OR TWENTY PERCENT OF REVENUE OBTAINED FROM NEW YORK  CONSUMERS
 WITHIN  THE  PAST  FISCAL  YEAR, WHICHEVER IS GREATER, AND TO OBTAIN ANY
 SUCH OTHER AND FURTHER RELIEF AS THE COURT MAY  DEEM  PROPER,  INCLUDING
 PRELIMINARY RELIEF.
   2.  THE  REMEDIES PROVIDED BY THIS SECTION SHALL BE IN ADDITION TO ANY
 OTHER LAWFUL REMEDY AVAILABLE.
   3. ANY ACTION OR SPECIAL PROCEEDING BROUGHT BY  THE  ATTORNEY  GENERAL
 PURSUANT  TO THIS SECTION MUST BE COMMENCED WITHIN SIX YEARS OF THE DATE
 ON WHICH THE ATTORNEY GENERAL BECAME AWARE OF THE VIOLATION.
   4. IN CONNECTION WITH ANY PROPOSED ACTION OR SPECIAL PROCEEDING  UNDER
 THIS  SECTION, THE ATTORNEY GENERAL IS AUTHORIZED TO TAKE PROOF AND MAKE
 A DETERMINATION OF THE RELEVANT FACTS, AND TO ISSUE SUBPOENAS IN ACCORD-
 ANCE WITH THE CIVIL PRACTICE LAW AND RULES.  THE  ATTORNEY  GENERAL  MAY
 ALSO REQUIRE SUCH OTHER DATA AND INFORMATION AS HE OR SHE MAY DEEM RELE-
 VANT  AND  MAY  REQUIRE  WRITTEN RESPONSES TO QUESTIONS UNDER OATH. SUCH
 POWER OF SUBPOENA AND EXAMINATION SHALL NOT ABATE OR TERMINATE BY REASON
 OF ANY ACTION OR SPECIAL PROCEEDING  BROUGHT  BY  THE  ATTORNEY  GENERAL
 UNDER THIS ARTICLE.
   5.  THIS  SECTION  SHALL  APPLY TO ALL ACTS DECLARED TO BE UNLAWFUL IN
 THIS ARTICLE, WHETHER OR NOT SUBJECT TO ANY OTHER LAW OF THIS STATE, AND
 SHALL NOT SUPERSEDE, AMEND OR REPEAL ANY OTHER LAW OF THIS  STATE  UNDER
 WHICH  THE  ATTORNEY GENERAL IS AUTHORIZED TO TAKE ANY ACTION OR CONDUCT
 ANY INQUIRY.
   6.  THE ATTORNEY GENERAL MAY PROMULGATE SUCH RULES AND REGULATIONS  AS
 ARE NECESSARY TO EFFECTUATE AND ENFORCE THE PROVISIONS OF THIS SECTION.
   §  2.  Severability.  If any clause, sentence, paragraph, subdivision,
 section or part of this act shall be adjudged by any court of  competent
 jurisdiction  to  be invalid, such judgment shall not affect, impair, or
 invalidate the remainder thereof, but shall be confined in its operation
 to the clause, sentence, paragraph, subdivision, section or part thereof
 directly involved in the controversy in which such judgment  shall  have
 been rendered. It is hereby declared to be the intent of the legislature
 that  this  act  would have been enacted even if such invalid provisions
 had not been included herein.
   § 3. This act shall take effect July 1, 2024.

co-Sponsors

View additional co-sponsors

2023-S158C - Details

Law Section:: General Business Law
Laws Affected:: Add Art 42 §§1100 - 1103, Gen Bus L
Versions Introduced in 2025-2026 Legislative Session:: S929

2023-S158C - Summary

2023-S158C - Sponsor Memo

                                 
BILL NUMBER: S158C

SPONSOR: KRUEGER
 
TITLE OF BILL:

An act to amend the general business law, in relation to providing for
the protection of health information

 
PURPOSE OR GENERAL IDEA OF BILL:

This bill would govern companies that collect and sell healthcare infor-
mation, and provides additional rights and protections to users related
to the sale and of their private health information.

 
SUMMARY OF SPECIFIC PROVISIONS:

Section one creates article 42 to the General Business Law to govern the
collection of data for electronic health products and services.

Section 1100 creates various definitions that will be used in the rest
of the bill.

Section 1101 regulates how regulated entities shall communicate their
data collection policies to users and the need for consent from the
user.

Section for 1102 regulates the collection of data and what the data can
be used for.

Section 1103 explains the users rights and extent of control over their
personal health information.

Section 1104 regulates the level of security that regulated entities
must have.

Section 1105 regulates service providers that process data on behalf of
a regulated entity

Section 1106 provides for exemptions from this bill Section 1107 creates
an enforcement mechanism. Section 2. Severability

Section 3. Effective Date

 
JUSTIFICATION:

Most residents of the State are under the impression that HIPAA protects
them and their health data from being accessed by third-parties and sold
by and to other organizations. Residents are generally unaware that
their technology is constantly tracking their movements, and geolocation
data is being sold to companies for the purposes of targeted advertise-
ments or tracking. Most users also do not have an understanding of how
much information is being collected, stored, and sold for the benefit of
third-parties. For example, a mobile app to track menstruation cycles
was recently caught selling users' data to antiabortion advocacy organ-
izations.

This bill creates a legal framework for residents to reclaim and retain
control of their healthcare information. Electronic apps or websites
that are designed to provide a diagnosis or retain health information
will be required to receive affirmative consent by the user to retain
such information and would need separate consent to sell such informa-
tion to third-parties.

 
PRIOR LEGISLATIVE HISTORY:

2022: S.9599 - Referred to Rules

 
FISCAL IMPLICATIONS:

None to the State.

 
EFFECTIVE DATE:
This act shall take effect on July 1, 2025.

2023-S158C - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                  158--C
     Cal. No. 76
 
                        2023-2024 Regular Sessions
 
                             I N  S E N A T E
 
                                (PREFILED)
 
                              January 4, 2023
                                ___________
 
 Introduced by Sens. KRUEGER, COMRIE, HINCHEY, HOYLMAN-SIGAL, MAY -- read
   twice  and  ordered  printed,  and when printed to be committed to the
   Committee on Internet and Technology -- reported favorably  from  said
   committee,  ordered  to  first  and  second report, ordered to a third
   reading, amended and ordered reprinted, retaining  its  place  in  the
   order of third reading -- again amended and ordered reprinted, retain-
   ing  its  place  in  the  order of third reading -- recommitted to the
   Committee on Health in accordance  with  Senate  Rule  6,  sec.  8  --
   reported  favorably  from  said committee, ordered to first and second
   report, amended on second report, ordered to a third reading,  and  to
   be  reprinted  as  amended,  retaining its place in the order of third
   reading
 
 AN ACT to amend the general business law, in relation to  providing  for
   the protection of health information
 
   THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
 BLY, DO ENACT AS FOLLOWS:

   Section 1. The general business law is amended by adding a new article
 42 to read as follows:
                                ARTICLE 42
                  NEW YORK HEALTH INFORMATION PRIVACY ACT
 SECTION 1100. DEFINITIONS.
         1101. REQUIREMENTS FOR COMMUNICATIONS TO INDIVIDUALS.
         1102. LAWFULNESS OF PROCESSING REGULATED HEALTH INFORMATION.
         1103. INDIVIDUAL RIGHTS.
         1104. SECURITY.
         1105. SERVICE PROVIDERS.
         1106. EXEMPTIONS.
         1107. ENFORCEMENT.
   § 1100. DEFINITIONS. AS USED IN  THIS  ARTICLE,  THE  FOLLOWING  TERMS
 SHALL HAVE THE FOLLOWING MEANINGS:
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets

                       [ ] is old law to be omitted.
                                                            LBD01105-10-4
 S. 158--C                           2
 
   1. "DEIDENTIFIED INFORMATION" MEANS INFORMATION THAT CANNOT REASONABLY
 BE  USED TO INFER INFORMATION ABOUT, OR OTHERWISE BE LINKED TO A PARTIC-
 ULAR INDIVIDUAL, HOUSEHOLD, OR DEVICE, PROVIDED THAT THE REGULATED ENTI-
 TY OR SERVICE PROVIDER THAT PROCESSES THE INFORMATION:
   (A)  IMPLEMENTS  REASONABLE  TECHNICAL  SAFEGUARDS  TO ENSURE THAT THE
 INFORMATION CANNOT BE  ASSOCIATED  WITH  AN  INDIVIDUAL,  HOUSEHOLD,  OR
 DEVICE;
   (B)  PUBLICLY  COMMITS TO PROCESS THE INFORMATION ONLY AS DEIDENTIFIED
 INFORMATION AND NOT ATTEMPT TO REIDENTIFY THE INFORMATION,  EXCEPT  THAT
 THE  REGULATED  ENTITY OR SERVICE PROVIDER MAY ATTEMPT TO REIDENTIFY THE
 INFORMATION SOLELY FOR THE PURPOSE OF DETERMINING  WHETHER  ITS  DEIDEN-
 TIFICATION PROCESSES SATISFY THE REQUIREMENTS OF THIS SECTION; AND
   (C) CONTRACTUALLY OBLIGATES ANY RECIPIENT OF THE DEIDENTIFIED INFORMA-
 TION TO COMPLY WITH ALL REQUIREMENTS OF THIS SECTION.
   2.  "REGULATED  HEALTH  INFORMATION"  MEANS  ANY  INFORMATION  THAT IS
 REASONABLY LINKABLE TO AN INDIVIDUAL, OR A DEVICE, AND IS  COLLECTED  OR
 PROCESSED  IN  CONNECTION WITH THE PHYSICAL OR MENTAL HEALTH OF AN INDI-
 VIDUAL.  LOCATION OR PAYMENT INFORMATION THAT RELATES TO AN INDIVIDUAL'S
 PHYSICAL OR MENTAL HEALTH OR ANY INFERENCE DRAWN  OR  DERIVED  ABOUT  AN
 INDIVIDUAL'S PHYSICAL OR MENTAL HEALTH THAT IS REASONABLY LINKABLE TO AN
 INDIVIDUAL,  OR A DEVICE, SHALL BE CONSIDERED, WITHOUT LIMITATION, REGU-
 LATED HEALTH INFORMATION. REGULATED HEALTH INFORMATION SHALL NOT INCLUDE
 DEIDENTIFIED INFORMATION.
   3. "PROCESS" OR "PROCESSING" MEANS AN OPERATION OR SET  OF  OPERATIONS
 PERFORMED  ON REGULATED HEALTH INFORMATION, INCLUDING BUT NOT LIMITED TO
 THE COLLECTION, USE,  ACCESS,  SHARING,  SALE,  MONETIZATION,  ANALYSIS,
 RETENTION,  CREATION,  GENERATION,  DERIVATION, RECORDING, ORGANIZATION,
 STRUCTURING, STORAGE,  DISCLOSURE,  TRANSMISSION,  DISPOSAL,  LICENSING,
 DESTRUCTION,  DELETION,  MODIFICATION,  OR DEIDENTIFICATION OF REGULATED
 HEALTH INFORMATION.
   4. "REGULATED ENTITY" MEANS ANY ENTITY THAT (A) CONTROLS THE  PROCESS-
 ING  OF  REGULATED HEALTH INFORMATION OF AN INDIVIDUAL WHO IS A NEW YORK
 RESIDENT, (B) CONTROLS THE PROCESSING OF REGULATED HEALTH INFORMATION OF
 AN INDIVIDUAL WHO IS PHYSICALLY PRESENT IN NEW YORK WHILE THAT  INDIVID-
 UAL IS IN NEW YORK, OR (C) IS LOCATED IN NEW YORK AND CONTROLS THE PROC-
 ESSING  OF  REGULATED  HEALTH  INFORMATION OF AN INDIVIDUAL. A REGULATED
 ENTITY MAY ALSO BE A SERVICE PROVIDER  DEPENDING  UPON  THE  CONTEXT  IN
 WHICH REGULATED HEALTH INFORMATION IS PROCESSED.
   5.  "SELL" MEANS TO SHARE REGULATED HEALTH INFORMATION FOR MONETARY OR
 OTHER VALUABLE CONSIDERATION. SELLING DOES NOT INCLUDE  THE  SHARING  OF
 REGULATED  HEALTH  INFORMATION  FOR MONETARY OR OTHER VALUABLE CONSIDER-
 ATION TO A THIRD PARTY AS AN ASSET THAT IS PART OF  A  MERGER,  ACQUISI-
 TION,  BANKRUPTCY, OR OTHER TRANSACTION IN WHICH THE THIRD PARTY ASSUMES
 CONTROL OF ALL OR PART OF THE REGULATED ENTITY'S ASSETS.
   6. "SERVICE PROVIDER" MEANS ANY PERSON OR ENTITY THAT PROCESSES  REGU-
 LATED  HEALTH  INFORMATION  ON  BEHALF  OF A REGULATED ENTITY. A SERVICE
 PROVIDER MAY ALSO BE A REGULATED ENTITY DEPENDING UPON  THE  CONTEXT  IN
 WHICH REGULATED HEALTH INFORMATION IS PROCESSED.
   7.  "THIRD  PARTY" MEANS A PERSON OR ENTITY OTHER THAN THE INDIVIDUAL,
 REGULATED ENTITY, OR SERVICE  PROVIDER  INVOLVED  IN  A  TRANSACTION  OR
 OCCURRENCE THAT INVOLVES REGULATED HEALTH INFORMATION. A THIRD PARTY MAY
 ALSO  BE  A  REGULATED  ENTITY  OR  SERVICE  PROVIDER DEPENDING UPON THE
 CONTEXT IN WHICH REGULATED HEALTH INFORMATION IS PROCESSED.
   § 1101. REQUIREMENTS FOR COMMUNICATIONS TO INDIVIDUALS.  ALL  NOTICES,
 DISCLOSURES,  FORMS,  AND  OTHER  COMMUNICATIONS TO INDIVIDUALS PROVIDED
 PURSUANT TO THIS ARTICLE SHALL COMPLY WITH THE FOLLOWING:
 S. 158--C                           3
 
   1. IN GENERAL, ALL COMMUNICATIONS  SHALL  USE  PLAIN,  STRAIGHTFORWARD
 LANGUAGE,  AVOIDING  TECHNICAL  OR  LEGAL  JARGON,  AND MUST BE PROVIDED
 THROUGH AN INTERFACE REGULARLY USED IN CONJUNCTION  WITH  THE  REGULATED
 ENTITY'S PRODUCT OR SERVICE.
   2.  ALL  COMMUNICATIONS  SHALL BE REASONABLY ACCESSIBLE TO INDIVIDUALS
 WITH DISABILITIES, INCLUDING BY:
   (A) UTILIZING DIGITAL ACCESSIBILITY TOOLS;
   (B) FOR NOTICES, COMPLYING WITH GENERALLY RECOGNIZED  INDUSTRY  STAND-
 ARDS,  INCLUDING,  BUT  NOT  LIMITED  TO,  THE WEB CONTENT ACCESSIBILITY
 GUIDELINES, FROM THE WORLD WEB CONSORTIUM, INCORPORATED HEREIN BY REFER-
 ENCE; AND
   (C) FOR OTHER COMMUNICATIONS, PROVIDING INFORMATION ABOUT HOW AN INDI-
 VIDUAL WITH A DISABILITY MAY ACCESS THE COMMUNICATION IN AN  ALTERNATIVE
 FORMAT.
   3. ALL COMMUNICATIONS SHALL BE AVAILABLE IN THE LANGUAGES IN WHICH THE
 REGULATED  ENTITY PROVIDES INFORMATION VIA ITS WEBSITE AND SERVICES. ANY
 DIRECT COMMUNICATION TO AN INDIVIDUAL SHALL BE PROVIDED IN THE  LANGUAGE
 IN  WHICH  THE INDIVIDUAL ORDINARILY INTERACTS WITH THE REGULATED ENTITY
 OR ITS SERVICE PROVIDER.
   4. A REGULATED ENTITY SHALL MAKE ANY NOTICE FOR PROCESSING PURSUANT TO
 A PERMISSIBLE PURPOSE, PURSUANT TO SUBPARAGRAPH (II) OF PARAGRAPH (B) OF
 SUBDIVISION ONE OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE,  OR  FORM
 FOR  PROCESSING  PURSUANT TO AUTHORIZATION, PURSUANT TO SUBPARAGRAPH (I)
 OF PARAGRAPH (B) OF SUBDIVISION ONE OF SECTION  ELEVEN  HUNDRED  TWO  OF
 THIS  ARTICLE,  PUBLICLY  AVAILABLE  ON ITS WEBSITE. IF AN AUTHORIZATION
 FORM IS CUSTOMIZED FOR EACH INDIVIDUAL, THE REGULATED ENTITY MAY INSTEAD
 PUBLICLY POST A SAMPLE AUTHORIZATION FORM ON ITS WEBSITE.
   § 1102. LAWFULNESS OF PROCESSING REGULATED HEALTH INFORMATION.  1.  IN
 GENERAL, IT SHALL BE UNLAWFUL FOR A REGULATED ENTITY TO:
   (A)  SELL  AN  INDIVIDUAL'S  REGULATED  HEALTH  INFORMATION TO A THIRD
 PARTY; OR
   (B) OTHERWISE PROCESS AN  INDIVIDUAL'S  REGULATED  HEALTH  INFORMATION
 UNLESS:
   (I)  THE INDIVIDUAL HAS PROVIDED VALID AUTHORIZATION FOR SUCH PROCESS-
 ING; OR
   (II) PROCESSING OF AN INDIVIDUAL'S  REGULATED  HEALTH  INFORMATION  IS
 STRICTLY NECESSARY FOR THE PURPOSE OF:
   (A) PROVIDING A PRODUCT OR SERVICE REQUESTED BY SUCH INDIVIDUAL;
   (B)  CONDUCTING  THE  REGULATED ENTITY'S INTERNAL BUSINESS OPERATIONS,
 WHICH EXCLUDE ANY ACTIVITIES RELATED TO MARKETING, ADVERTISING, RESEARCH
 AND DEVELOPMENT, OR PROVIDING PRODUCTS OR SERVICES TO THIRD PARTIES;
   (C) PROTECTING AGAINST MALICIOUS, FRAUDULENT, OR ILLEGAL ACTIVITY;
   (D) DETECTING, RESPONDING TO,  OR  PREVENTING  SECURITY  INCIDENTS  OR
 THREATS;
   (E)  PROTECTING  THE  VITAL  INTERESTS  OF AN INDIVIDUAL OR THE PUBLIC
 INTEREST IN THE AREA OF PUBLIC HEALTH;
   (F) INVESTIGATING, ESTABLISHING, EXERCISING, PREPARING FOR, OR DEFEND-
 ING LEGAL CLAIMS;
   (G) COMPLYING WITH FEDERAL, STATE, OR  LOCAL  LAWS,  RULES,  OR  REGU-
 LATIONS; OR
   (H)  COMPLYING  WITH A COURT ORDER, VALID SUBPOENA, OR SIMILAR PROCESS
 AUTHORIZED UNDER LAW, PROVIDED THAT FOR ANY  SUBPOENA  OR  OTHER  LAWFUL
 PROCESS  THAT  IS  NOT IN CONNECTION WITH A LAW ENFORCEMENT INQUIRY, THE
 PARTY REQUESTING THE INFORMATION MUST PROVIDE PRIOR NOTICE TO THE  INDI-
 VIDUAL WHO IS THE SUBJECT OF THE REQUESTED INFORMATION.
 S. 158--C                           4
 
   2.  A  REGULATED  ENTITY  THAT  PROCESSES REGULATED HEALTH INFORMATION
 PURSUANT TO VALID AUTHORIZATION AS REQUIRED BY SUBPARAGRAPH (I) OF PARA-
 GRAPH (B) OF SUBDIVISION ONE OF  THIS  SECTION  SHALL  COMPLY  WITH  THE
 FOLLOWING:
   (A)  A  REQUEST FOR AUTHORIZATION TO PROCESS AN INDIVIDUAL'S REGULATED
 HEALTH INFORMATION SHALL:
   (I) BE MADE SEPARATELY FROM ANY OTHER TRANSACTION OR PART OF A  TRANS-
 ACTION;
   (II) BE MADE AT LEAST TWENTY-FOUR HOURS AFTER AN INDIVIDUAL CREATES AN
 ACCOUNT OR FIRST USES THE REQUESTED PRODUCT OR SERVICE;
   (III)  BE MADE IN THE ABSENCE OF ANY MECHANISM THAT HAS THE PURPOSE OR
 SUBSTANTIAL EFFECT OF OBSCURING, SUBVERTING, OR  IMPAIRING  AN  INDIVID-
 UAL'S DECISION-MAKING REGARDING AUTHORIZATION FOR PROCESSING;
   (IV) IF REQUESTING AUTHORIZATION FOR MULTIPLE CATEGORIES OF PROCESSING
 ACTIVITIES, ALLOW THE INDIVIDUAL TO PROVIDE/WITHHOLD AUTHORIZATION SEPA-
 RATELY FOR EACH CATEGORY OF PROCESSING ACTIVITY; AND
   (V)  NOT INCLUDE ANY REQUEST FOR AUTHORIZATION FOR A PROCESSING ACTIV-
 ITY FOR WHICH AN INDIVIDUAL HAS WITHHELD OR REVOKED AUTHORIZATION WITHIN
 THE PAST CALENDAR YEAR.
   (B) A VALID AUTHORIZATION SHALL INCLUDE:
   (I) THE TYPES OF REGULATED HEALTH INFORMATION TO BE PROCESSED;
   (II) THE NATURE OF THE PROCESSING ACTIVITY;
   (III) THE SPECIFIC PURPOSES FOR SUCH PROCESSING;
   (IV) THE NAMES WHERE  READILY  AVAILABLE,  OR  CATEGORIES  OF  SERVICE
 PROVIDERS  AND  THIRD PARTIES TO WHICH THE REGULATED ENTITY MAY DISCLOSE
 THE INDIVIDUAL'S REGULATED HEALTH INFORMATION AND THE PURPOSES FOR  SUCH
 DISCLOSURE, INCLUDING THE CIRCUMSTANCES UNDER WHICH THE REGULATED ENTITY
 MAY DISCLOSE REGULATED HEALTH INFORMATION TO LAW ENFORCEMENT;
   (V)  ANY MONETARY OR OTHER VALUABLE CONSIDERATION THE REGULATED ENTITY
 MAY RECEIVE IN CONNECTION WITH  PROCESSING  THE  INDIVIDUAL'S  REGULATED
 HEALTH INFORMATION, WHERE APPLICABLE;
   (VI)  THAT  FAILING TO PROVIDE AUTHORIZATION WILL NOT AFFECT THE INDI-
 VIDUAL'S  EXPERIENCE  OF  USING  THE  REGULATED  ENTITY'S  PRODUCTS   OR
 SERVICES;
   (VII) THE EXPIRATION DATE OF THE AUTHORIZATION, WHICH MAY BE UP TO ONE
 YEAR FROM THE DATE AUTHORIZATION WAS PROVIDED;
   (VIII)  THE MECHANISM BY WHICH THE INDIVIDUAL MAY REVOKE AUTHORIZATION
 PRIOR TO EXPIRATION;
   (IX) THE MECHANISM BY WHICH THE INDIVIDUAL MAY REQUEST ACCESS  TO  AND
 DELETION OF THEIR REGULATED HEALTH INFORMATION;
   (X)  ANY OTHER INFORMATION MATERIAL TO AN INDIVIDUAL'S DECISION-MAKING
 REGARDING AUTHORIZATION FOR PROCESSING; AND
   (XI) THE SIGNATURE, WHICH MAY BE ELECTRONIC, OF THE INDIVIDUAL WHO  IS
 THE SUBJECT OF THE REGULATED HEALTH INFORMATION, OR A PARENT OR GUARDIAN
 AUTHORIZED  BY LAW TO TAKE ACTIONS OF LEGAL CONSEQUENCE ON BEHALF OF THE
 INDIVIDUAL WHO IS THE SUBJECT OF THE REGULATED HEALTH  INFORMATION,  AND
 THE DATE.
   (C)  (I) A REGULATED ENTITY THAT RECEIVES AUTHORIZATION FOR PROCESSING
 SHALL PROVIDE AN EFFECTIVE,  EFFICIENT,  AND  EASY-TO-USE  MECHANISM  BY
 WHICH  AN  INDIVIDUAL  MAY  REVOKE  AUTHORIZATION AT ANY TIME THROUGH AN
 INTERFACE REGULARLY USED IN  CONJUNCTION  WITH  THE  REGULATED  ENTITY'S
 PRODUCT OR SERVICE.
   (II)  UPON  AN INDIVIDUAL'S REVOCATION OF AUTHORIZATION, THE REGULATED
 ENTITY SHALL IMMEDIATELY  CEASE  ALL  PROCESSING  ACTIVITIES  FOR  WHICH
 AUTHORIZATION WAS REVOKED, EXCEPT TO THE EXTENT NECESSARY TO COMPLY WITH
 THE REGULATED ENTITY'S LEGAL OBLIGATIONS.
 S. 158--C                           5
 
   (III)  FOR  INDIVIDUALS  WHO HAVE AN ONLINE ACCOUNT WITH THE REGULATED
 ENTITY, THE REGULATED ENTITY MUST PROVIDE, IN A CONSPICUOUS  AND  EASILY
 ACCESSIBLE  PLACE  WITHIN THE ACCOUNT SETTINGS, A LIST OF ALL PROCESSING
 ACTIVITIES FOR WHICH THE INDIVIDUAL HAS PROVIDED AUTHORIZATION AND,  FOR
 EACH  PROCESSING  ACTIVITY, ALLOW THE INDIVIDUAL TO REVOKE AUTHORIZATION
 IN THE SAME PLACE WITH ONE MOTION OR ACTION.
   (D) UPON OBTAINING VALID AUTHORIZATION FROM AN INDIVIDUAL,  THE  REGU-
 LATED  ENTITY SHALL PROVIDE THAT INDIVIDUAL A COPY OF THE AUTHORIZATION.
 THE AUTHORIZATION SHALL BE PROVIDED IN A MANNER THAT IS CAPABLE OF BEING
 RETAINED BY THE INDIVIDUAL.
   (E) THE REGULATED ENTITY SHALL LIMIT ITS PROCESSING TO WHAT WAS CLEAR-
 LY DISCLOSED TO AN INDIVIDUAL PURSUANT TO PARAGRAPH (B) OF THIS SUBDIVI-
 SION WHEN THE REGULATED ENTITY RECEIVED AUTHORIZATION FROM THE  INDIVID-
 UAL.
   (F)  IF  THE REGULATED ENTITY SEEKS TO MATERIALLY ALTER ITS PROCESSING
 ACTIVITIES  FOR  REGULATED  HEALTH  INFORMATION  COLLECTED  PURSUANT  TO
 AUTHORIZATION, THE REGULATED ENTITY SHALL OBTAIN A NEW AUTHORIZATION FOR
 THE NEW OR ALTERED PROCESSING ACTIVITY.
   (G) PROVIDING A PRODUCT OR SERVICE REQUESTED BY AN INDIVIDUAL MUST NOT
 BE MADE CONTINGENT ON PROVIDING AUTHORIZATION. THE REGULATED ENTITY MUST
 NOT  DISCRIMINATE  AGAINST  AN INDIVIDUAL FOR WITHHOLDING AUTHORIZATION,
 SUCH AS BY CHARGING DIFFERENT PRICES OR RATES FOR PRODUCTS OR  SERVICES,
 INCLUDING  THROUGH  THE  USE  OF  DISCOUNTS  OR OTHER BENEFITS, IMPOSING
 PENALTIES, OR PROVIDING A DIFFERENT LEVEL  OR  QUALITY  OF  SERVICES  OR
 GOODS TO THE INDIVIDUAL.
   3.  A  REGULATED  ENTITY  THAT  PROCESSES REGULATED HEALTH INFORMATION
 PURSUANT TO A PERMISSIBLE PURPOSE PURSUANT TO SUBPARAGRAPH (II) OF PARA-
 GRAPH (B) OF SUBDIVISION ONE OF  THIS  SECTION  SHALL  COMPLY  WITH  THE
 FOLLOWING:
   (A) A REGULATED ENTITY SHALL PROVIDE CLEAR AND CONSPICUOUS NOTICE THAT
 DESCRIBES:
   (I) THE TYPES OF REGULATED HEALTH INFORMATION TO BE PROCESSED;
   (II) THE NATURE OF THE PROCESSING ACTIVITY;
   (III) THE SPECIFIC PURPOSES FOR SUCH PROCESSING;
   (IV)  THE  NAMES  WHERE  READILY  AVAILABLE,  OR CATEGORIES OF SERVICE
 PROVIDERS AND THIRD PARTIES TO WHICH THE REGULATED ENTITY  MAY  DISCLOSE
 THE  INDIVIDUAL'S REGULATED HEALTH INFORMATION AND THE PURPOSES FOR SUCH
 DISCLOSURE, INCLUDING THE CIRCUMSTANCES UNDER WHICH THE REGULATED ENTITY
 MAY DISCLOSE REGULATED HEALTH INFORMATION TO LAW ENFORCEMENT; AND
   (V) THE MECHANISM BY WHICH THE INDIVIDUAL MAY REQUEST  ACCESS  TO  AND
 DELETION OF THEIR REGULATED HEALTH INFORMATION.
   (B)  IF  THE  REGULATED ENTITY MATERIALLY ALTERS ITS PROCESSING ACTIV-
 ITIES FOR REGULATED HEALTH INFORMATION COLLECTED PURSUANT TO A PERMISSI-
 BLE PURPOSE, THE REGULATED ENTITY MUST PROVIDE A CLEAR  AND  CONSPICUOUS
 NOTICE  IN  PLAIN  LANGUAGE,  SEPARATE  FROM  A PRIVACY POLICY, TERMS OF
 SERVICE, OR SIMILAR DOCUMENT, THAT DESCRIBES ANY MATERIAL CHANGES TO THE
 PROCESSING ACTIVITIES AND PROVIDE THE INDIVIDUAL WITH AN OPPORTUNITY  TO
 REQUEST DELETION OF THEIR REGULATED HEALTH INFORMATION.
   § 1103. INDIVIDUAL RIGHTS. 1. (A) A REGULATED ENTITY SHALL MAKE AVAIL-
 ABLE  AN  EFFECTIVE,  EFFICIENT,  AND  EASY-TO-USE  MECHANISM THROUGH AN
 INTERFACE REGULARLY USED IN  CONJUNCTION  WITH  THE  REGULATED  ENTITY'S
 PRODUCT  OR  SERVICE  BY WHICH AN INDIVIDUAL MAY REQUEST ACCESS TO THEIR
 REGULATED HEALTH INFORMATION.
   (B) WITHIN THIRTY DAYS OF RECEIVING AN ACCESS REQUEST,  THE  REGULATED
 ENTITY  SHALL  MAKE AVAILABLE A COPY OF ALL REGULATED HEALTH INFORMATION
 S. 158--C                           6
 
 ABOUT THE INDIVIDUAL THAT THE REGULATED ENTITY MAINTAINS OR THAT SERVICE
 PROVIDERS MAINTAIN ON BEHALF OF THE REGULATED ENTITY.
   2.  (A)  A  REGULATED  ENTITY SHALL MAKE AVAILABLE AN EFFECTIVE, EFFI-
 CIENT, AND EASY-TO-USE MECHANISM THROUGH AN INTERFACE REGULARLY USED  IN
 CONJUNCTION  WITH  THE REGULATED ENTITY'S PRODUCT OR SERVICE BY WHICH AN
 INDIVIDUAL MAY REQUEST THE DELETION OF THEIR REGULATED  HEALTH  INFORMA-
 TION.
   (B)  AN  INDIVIDUAL'S DELETION OR CANCELLATION OF THEIR ONLINE ACCOUNT
 SHALL BE TREATED AS A  REQUEST  TO  DELETE  THE  INDIVIDUAL'S  REGULATED
 HEALTH INFORMATION.
   (C)  WITHIN THIRTY DAYS OF RECEIVING A DELETION REQUEST, THE REGULATED
 ENTITY SHALL:
   (I) DELETE ALL REGULATED HEALTH INFORMATION ASSOCIATED WITH THE  INDI-
 VIDUAL  IN  THE  REGULATED ENTITY'S POSSESSION OR CONTROL, EXCEPT TO THE
 EXTENT NECESSARY TO COMPLY  WITH  THE  REGULATED  ENTITY'S  LEGAL  OBLI-
 GATIONS; AND
   (II)  UNLESS  IT PROVES IMPOSSIBLE OR INVOLVES DISPROPORTIONATE EFFORT
 THAT IS DOCUMENTED IN WRITING BY THE REGULATED ENTITY, COMMUNICATE  SUCH
 REQUEST TO EACH SERVICE PROVIDER OR THIRD PARTY THAT PROCESSED THE INDI-
 VIDUAL'S  REGULATED  HEALTH INFORMATION IN CONNECTION WITH A TRANSACTION
 INVOLVING THE REGULATED ENTITY OCCURRING WITHIN ONE YEAR  PRECEDING  THE
 INDIVIDUAL'S REQUEST.
   (D)  ANY  SERVICE  PROVIDER  OR THIRD PARTY THAT RECEIVES NOTICE OF AN
 INDIVIDUAL'S DELETION REQUEST SHALL WITHIN THIRTY DAYS DELETE ALL  REGU-
 LATED   HEALTH   INFORMATION  ASSOCIATED  WITH  THE  INDIVIDUAL  IN  ITS
 POSSESSION OR CONTROL, EXCEPT TO THE EXTENT NECESSARY TO COMPLY WITH ITS
 LEGAL OBLIGATIONS.
   3. ANY RIGHT SET FORTH IN THIS SECTION MAY BE EXERCISED AT ANY TIME BY
 THE INDIVIDUAL WHO IS THE SUBJECT OF THE REGULATED HEALTH INFORMATION OR
 AN AGENT AUTHORIZED BY SUCH INDIVIDUAL.
   § 1104. SECURITY. 1. IN GENERAL, A  REGULATED  ENTITY  SHALL  DEVELOP,
 IMPLEMENT,  AND MAINTAIN REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYS-
 ICAL SAFEGUARDS TO PROTECT THE SECURITY, CONFIDENTIALITY, AND  INTEGRITY
 OF REGULATED HEALTH INFORMATION.
   2.  A  REGULATED ENTITY MUST SECURELY DISPOSE OF AN INDIVIDUAL'S REGU-
 LATED HEALTH INFORMATION PURSUANT  TO  A  PUBLICLY  AVAILABLE  RETENTION
 SCHEDULE  WITHIN  A  REASONABLE  TIME,  AND IN NO EVENT LATER THAN SIXTY
 DAYS, AFTER IT IS NO LONGER NECESSARY TO MAINTAIN  FOR  THE  PERMISSIBLE
 PURPOSE OR PURPOSES IDENTIFIED IN THE NOTICE OR FOR WHICH THE INDIVIDUAL
 PROVIDED VALID AUTHORIZATION.
   §  1105. SERVICE PROVIDERS. 1. IN GENERAL, ANY PROCESSING OF REGULATED
 HEALTH INFORMATION BY A SERVICE PROVIDER ON BEHALF OF A REGULATED ENTITY
 SHALL BE GOVERNED BY A WRITTEN, BINDING AGREEMENT. SUCH AGREEMENT  SHALL
 CLEARLY  SET FORTH INSTRUCTIONS FOR PROCESSING REGULATED HEALTH INFORMA-
 TION, THE NATURE AND PURPOSE OF PROCESSING, THE DURATION OF  PROCESSING,
 AND THE RIGHTS AND OBLIGATIONS OF BOTH PARTIES.
   2.  AN  AGREEMENT  PURSUANT  TO  SUBDIVISION ONE OF THIS SECTION SHALL
 REQUIRE THAT THE SERVICE PROVIDER:
   (A) ENSURE THAT EACH PERSON PROCESSING REGULATED HEALTH INFORMATION IS
 SUBJECT TO A DUTY OF CONFIDENTIALITY WITH RESPECT TO SUCH INFORMATION;
   (B) PROTECT REGULATED HEALTH INFORMATION IN A MANNER  CONSISTENT  WITH
 THE REQUIREMENTS OF THIS ARTICLE;
   (C)  PROCESS  REGULATED HEALTH INFORMATION ONLY WHEN AND TO THE EXTENT
 NECESSARY TO COMPLY WITH ITS OBLIGATIONS TO THE REGULATED ENTITY;
   (D) NOT COMBINE THE REGULATED HEALTH  INFORMATION  WHICH  THE  SERVICE
 PROVIDER  RECEIVES  FROM  OR  ON BEHALF OF THE REGULATED ENTITY WITH ANY
 S. 158--C                           7
 
 OTHER PERSONAL INFORMATION WHICH THE SERVICE PROVIDER RECEIVES  FROM  OR
 ON  BEHALF  OF  ANOTHER PARTY OR COLLECTS FROM ITS OWN RELATIONSHIP WITH
 INDIVIDUALS;
   (E)  COMPLY WITH ANY EXERCISES OF AN INDIVIDUAL'S RIGHTS UNDER SECTION
 ELEVEN HUNDRED THREE OF THIS ARTICLE UPON THE REQUEST OF  THE  REGULATED
 ENTITY  AND  NOTIFY  ANY  SERVICE PROVIDERS OR THIRD PARTIES TO WHICH IT
 DISCLOSED REGULATED HEALTH INFORMATION OF THE REQUEST;
   (F) DELETE OR RETURN ALL REGULATED HEALTH INFORMATION TO THE REGULATED
 ENTITY AT THE END OF THE PROVISION OF SERVICES, UNLESS RETENTION OF  THE
 REGULATED HEALTH INFORMATION IS REQUIRED BY LAW;
   (G)  UPON  THE REASONABLE REQUEST OF THE REGULATED ENTITY, MAKE AVAIL-
 ABLE TO THE REGULATED ENTITY ALL DATA IN  ITS  POSSESSION  NECESSARY  TO
 DEMONSTRATE  THE  SERVICE  PROVIDER'S COMPLIANCE WITH THE OBLIGATIONS IN
 THIS SECTION;
   (H) ALLOW, AND COOPERATE WITH, REASONABLE ASSESSMENTS BY THE REGULATED
 ENTITY OR THE REGULATED ENTITY'S DESIGNATED  ASSESSOR  FOR  PURPOSES  OF
 EVALUATING COMPLIANCE WITH THE OBLIGATIONS OF THIS ARTICLE; ALTERNATIVE-
 LY,  THE  SERVICE  PROVIDER  MAY ARRANGE FOR A QUALIFIED AND INDEPENDENT
 ASSESSOR TO CONDUCT AN ASSESSMENT OF THE PROCESSOR'S POLICIES AND  TECH-
 NICAL  AND  ORGANIZATIONAL  MEASURES IN SUPPORT OF THE OBLIGATIONS UNDER
 THIS ARTICLE USING AN  APPROPRIATE  AND  ACCEPTED  CONTROL  STANDARD  OR
 FRAMEWORK  AND  ASSESSMENT  PROCEDURE  FOR SUCH ASSESSMENTS. THE SERVICE
 PROVIDER SHALL PROVIDE A REPORT OF  SUCH  ASSESSMENT  TO  THE  REGULATED
 ENTITY UPON REQUEST;
   (I)  A  REASONABLE  TIME  IN ADVANCE BEFORE DISCLOSING OR TRANSFERRING
 REGULATED HEALTH INFORMATION TO ANY FURTHER  SERVICE  PROVIDERS,  NOTIFY
 THE  REGULATED  ENTITY  OF SUCH A PROPOSED DISCLOSURE OR TRANSFER, WHICH
 MAY BE IN THE FORM OF  A  REGULARLY  UPDATED  LIST  OF  FURTHER  SERVICE
 PROVIDERS THAT MAY ACCESS REGULATED HEALTH INFORMATION; AND
   (J) ENGAGE ANY FURTHER SERVICE PROVIDER PURSUANT TO A WRITTEN, BINDING
 AGREEMENT  THAT  INCLUDES  THE CONTRACTUAL REQUIREMENTS PROVIDED IN THIS
 SECTION, CONTAINING AT MINIMUM THE SAME  OBLIGATIONS  THAT  THE  SERVICE
 PROVIDER HAS ENTERED INTO WITH REGARD TO REGULATED HEALTH INFORMATION.
   § 1106. EXEMPTIONS. NOTHING IN THIS ARTICLE SHALL APPLY TO:
   1. INFORMATION PROCESSED BY LOCAL, STATE, AND FEDERAL GOVERNMENTS, AND
 MUNICIPAL CORPORATIONS;
   2.  PROTECTED HEALTH INFORMATION THAT IS COLLECTED BY A COVERED ENTITY
 OR BUSINESS ASSOCIATE GOVERNED BY  THE  PRIVACY,  SECURITY,  AND  BREACH
 NOTIFICATION  RULES ISSUED BY THE UNITED STATES DEPARTMENT OF HEALTH AND
 HUMAN SERVICES, PARTS 160 AND 164 OF TITLE 45 OF  THE  CODE  OF  FEDERAL
 REGULATIONS,  ESTABLISHED  PURSUANT  TO THE HEALTH INSURANCE PORTABILITY
 AND ACCOUNTABILITY ACT OF 1996  (PUBLIC  LAW  104-191)  AND  THE  HEALTH
 INFORMATION  TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT (PUBLIC LAW
 111-5);
   3. ANY COVERED ENTITY GOVERNED BY THE PRIVACY,  SECURITY,  AND  BREACH
 NOTIFICATION  RULES ISSUED BY THE UNITED STATES DEPARTMENT OF HEALTH AND
 HUMAN SERVICES, PARTS 160 AND 164 OF TITLE 45 OF  THE  CODE  OF  FEDERAL
 REGULATIONS,  ESTABLISHED  PURSUANT  TO THE HEALTH INSURANCE PORTABILITY
 AND ACCOUNTABILITY ACT OF 1996 (PUBLIC LAW 104-191), TO THE  EXTENT  THE
 COVERED  ENTITY  MAINTAINS  PATIENT  INFORMATION  IN  THE SAME MANNER AS
 PROTECTED HEALTH INFORMATION AS DESCRIBED IN  SUBDIVISION  TWO  OF  THIS
 SECTION;
   4.  INFORMATION  COLLECTED  AS PART OF A CLINICAL TRIAL SUBJECT TO THE
 FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS, ALSO KNOWN  AS  THE
 COMMON RULE, PURSUANT TO GOOD CLINICAL PRACTICE GUIDELINES ISSUED BY THE
 INTERNATIONAL  COUNCIL  FOR  HARMONISATION  OR PURSUANT TO HUMAN SUBJECT
 S. 158--C                           8
 
 PROTECTION REQUIREMENTS OF THE UNITED  STATES  FOOD  AND  DRUG  ADMINIS-
 TRATION;
   5.  INFORMATION  PROCESSED  PURSUANT TO THE FEDERAL FAMILY EDUCATIONAL
 RIGHTS AND PRIVACY ACT (20 U.S.C. SEC. 1232G) AND ITS IMPLEMENTING REGU-
 LATIONS;
   6. INFORMATION PROCESSED PURSUANT TO SECTION TWO-D  OF  THE  EDUCATION
 LAW; AND
   7.  INFORMATION  PROCESSED  PURSUANT  TO  THE FEDERAL DRIVER'S PRIVACY
 PROTECTION ACT OF 1994 (18 U.S.C.  SEC. 2721 ET SEQ).
   § 1107. ENFORCEMENT. 1. WHENEVER IT APPEARS TO THE  ATTORNEY  GENERAL,
 EITHER  UPON  COMPLAINT OR OTHERWISE, THAT ANY PERSON OR PERSONS, WITHIN
 OR OUTSIDE THE STATE, HAS ENGAGED IN OR IS ABOUT TO ENGAGE IN ANY OF THE
 ACTS OR PRACTICES STATED TO BE UNLAWFUL UNDER THIS ARTICLE, THE ATTORNEY
 GENERAL MAY BRING AN ACTION OR SPECIAL PROCEEDING IN  THE  NAME  AND  ON
 BEHALF OF THE PEOPLE OF THE STATE OF NEW YORK TO ENJOIN ANY VIOLATION OF
 THIS  ARTICLE,  TO OBTAIN RESTITUTION OF ANY MONEYS OR PROPERTY OBTAINED
 DIRECTLY OR INDIRECTLY BY ANY SUCH VIOLATION, TO OBTAIN DISGORGEMENT  OF
 ANY  PROFITS  OBTAINED  DIRECTLY OR INDIRECTLY BY ANY SUCH VIOLATION, TO
 OBTAIN CIVIL PENALTIES OF NOT MORE THAN  FIFTEEN  THOUSAND  DOLLARS  PER
 VIOLATION  OR TWENTY PERCENT OF REVENUE OBTAINED FROM NEW YORK CONSUMERS
 WITHIN THE PAST FISCAL YEAR, WHICHEVER IS GREATER,  AND  TO  OBTAIN  ANY
 SUCH  OTHER  AND  FURTHER RELIEF AS THE COURT MAY DEEM PROPER, INCLUDING
 PRELIMINARY RELIEF.
   2. THE REMEDIES PROVIDED BY THIS SECTION SHALL BE IN ADDITION  TO  ANY
 OTHER LAWFUL REMEDY AVAILABLE.
   3.  ANY  ACTION  OR SPECIAL PROCEEDING BROUGHT BY THE ATTORNEY GENERAL
 PURSUANT TO THIS SECTION MUST BE COMMENCED WITHIN SIX YEARS OF THE  DATE
 ON WHICH THE ATTORNEY GENERAL BECAME AWARE OF THE VIOLATION.
   4.  IN CONNECTION WITH ANY PROPOSED ACTION OR SPECIAL PROCEEDING UNDER
 THIS SECTION, THE ATTORNEY GENERAL IS AUTHORIZED TO TAKE PROOF AND  MAKE
 A DETERMINATION OF THE RELEVANT FACTS, AND TO ISSUE SUBPOENAS IN ACCORD-
 ANCE  WITH  THE  CIVIL  PRACTICE LAW AND RULES. THE ATTORNEY GENERAL MAY
 ALSO REQUIRE SUCH OTHER DATA AND INFORMATION AS HE OR SHE MAY DEEM RELE-
 VANT AND MAY REQUIRE WRITTEN RESPONSES TO  QUESTIONS  UNDER  OATH.  SUCH
 POWER OF SUBPOENA AND EXAMINATION SHALL NOT ABATE OR TERMINATE BY REASON
 OF  ANY  ACTION  OR  SPECIAL  PROCEEDING BROUGHT BY THE ATTORNEY GENERAL
 UNDER THIS ARTICLE.
   5. THIS SECTION SHALL APPLY TO ALL ACTS DECLARED  TO  BE  UNLAWFUL  IN
 THIS ARTICLE, WHETHER OR NOT SUBJECT TO ANY OTHER LAW OF THIS STATE, AND
 SHALL  NOT  SUPERSEDE, AMEND OR REPEAL ANY OTHER LAW OF THIS STATE UNDER
 WHICH THE ATTORNEY GENERAL IS AUTHORIZED TO TAKE ANY ACTION  OR  CONDUCT
 ANY INQUIRY.
   6.   THE ATTORNEY GENERAL MAY PROMULGATE SUCH RULES AND REGULATIONS AS
 ARE NECESSARY TO EFFECTUATE AND ENFORCE THE PROVISIONS OF THIS SECTION.
   § 2. Severability. If any clause,  sentence,  paragraph,  subdivision,
 section  or part of this act shall be adjudged by any court of competent
 jurisdiction to be invalid, such judgment shall not affect,  impair,  or
 invalidate the remainder thereof, but shall be confined in its operation
 to the clause, sentence, paragraph, subdivision, section or part thereof
 directly  involved  in the controversy in which such judgment shall have
 been rendered. It is hereby declared to be the intent of the legislature
 that this act would have been enacted even if  such  invalid  provisions
 had not been included herein.
   § 3. This act shall take effect July 1, 2025.

co-Sponsors

View additional co-sponsors

2023-S158D - Details

Law Section:: General Business Law
Laws Affected:: Add Art 42 §§1100 - 1103, Gen Bus L
Versions Introduced in 2025-2026 Legislative Session:: S929

2023-S158D - Summary

2023-S158D - Sponsor Memo

                                 
BILL NUMBER: S158D

SPONSOR: KRUEGER
 
TITLE OF BILL:

An act to amend the general business law, in relation to providing for
the protection of health information

 
PURPOSE OR GENERAL IDEA OF BILL:

This bill would govern companies that collect and sell healthcare infor-
mation, and provides additional rights and protections to users related
to the sale and of their private health information.

 
SUMMARY OF SPECIFIC PROVISIONS:

Section one creates article 42 to the General Business Law to govern the
collection of data for electronic health products and services.

Section 1100 creates various definitions that will be used in the rest
of the bill.

Section 1101 regulates how regulated entities shall communicate their
data collection policies to users and the need for consent from the
user.

Section for 1102 regulates the collection of data and what the data can
be used for.

Section 1103 explains the users rights and extent of control over their
personal health information.

Section 1104 regulates the level of security that regulated entities
must have.

Section 1105 regulates service providers that process data on behalf of
a regulated entity

Section 1106 provides for exemptions from this bill

Section 1107 creates an enforcement mechanism.

Section 2. Severability

Section 3. Effective Date

 
JUSTIFICATION:

Most residents of the State are under the impression that HIPAA protects
them and their health data from being accessed by third-parties and sold
by and to other organizations. Residents are generally unaware that
their technology is constantly tracking their movements, and geolocation
data is being sold to companies for the purposes of targeted advertise-
ments or tracking. Most users also do not have an understanding of how
much information is being collected, stored, and sold for the benefit of
third-parties. For example, a mobile app to track menstruation cycles
was recently caught selling users' data to antiabortion advocacy organ-
izations.

This bill creates a legal framework for residents to reclaim and retain
control of their healthcare information. Electronic apps or websites
that are designed to provide a diagnosis or retain health information
will be required to receive affirmative consent by the user to retain
such information and would need separate consent to sell such informa-
tion to third-parties.

 
PRIOR LEGISLATIVE HISTORY:

2022: S.9599 - Referred to Rules

 
FISCAL IMPLICATIONS:

None to the State.

 
EFFECTIVE DATE:
This act shall take effect on July 1, 2025.

2023-S158D - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                  158--D
     Cal. No. 76
 
                        2023-2024 Regular Sessions
 
                             I N  S E N A T E
 
                                (PREFILED)
 
                              January 4, 2023
                                ___________
 
 Introduced  by  Sens.  KRUEGER, COMRIE, HINCHEY, HOYLMAN-SIGAL, JACKSON,
   MAY -- read twice and ordered printed, and when printed to be  commit-
   ted  to the Committee on Internet and Technology -- reported favorably
   from said committee, ordered to first and second report, ordered to  a
   third  reading,  amended and ordered reprinted, retaining its place in
   the order of third reading -- again  amended  and  ordered  reprinted,
   retaining  its  place  in the order of third reading -- recommitted to
   the Committee on Health in accordance with Senate Rule 6,  sec.  8  --
   reported  favorably  from  said committee, ordered to first and second
   report, amended on second report, ordered to a third reading,  and  to
   be  reprinted  as  amended,  retaining its place in the order of third
   reading -- reported favorably from said committee  to  third  reading,
   amended  and  ordered  reprinted,  retaining its place in the order of
   third reading
 
 AN ACT to amend the general business law, in relation to  providing  for
   the protection of health information

   THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. The general business law is amended by adding a new article
 42 to read as follows:
                                ARTICLE 42
                  NEW YORK HEALTH INFORMATION PRIVACY ACT
 SECTION 1100. DEFINITIONS.
         1101. REQUIREMENTS FOR COMMUNICATIONS TO INDIVIDUALS.
         1102. LAWFULNESS OF PROCESSING REGULATED HEALTH INFORMATION.
         1103. INDIVIDUAL RIGHTS.
         1104. SECURITY.
         1105. SERVICE PROVIDERS.
         1106. EXEMPTIONS.
         1107. ENFORCEMENT.
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets

                       [ ] is old law to be omitted.
                                                            LBD01105-12-4
 S. 158--D                           2
 
   § 1100. DEFINITIONS. AS USED IN  THIS  ARTICLE,  THE  FOLLOWING  TERMS
 SHALL HAVE THE FOLLOWING MEANINGS:
   1. "DEIDENTIFIED INFORMATION" MEANS INFORMATION THAT CANNOT REASONABLY
 BE  USED TO INFER INFORMATION ABOUT, OR OTHERWISE BE LINKED TO A PARTIC-
 ULAR INDIVIDUAL, HOUSEHOLD, OR DEVICE, PROVIDED THAT THE REGULATED ENTI-
 TY OR SERVICE PROVIDER THAT PROCESSES THE INFORMATION:
   (A) IMPLEMENTS REASONABLE TECHNICAL  SAFEGUARDS  TO  ENSURE  THAT  THE
 INFORMATION  CANNOT  BE  ASSOCIATED  WITH  AN  INDIVIDUAL, HOUSEHOLD, OR
 DEVICE;
   (B) PUBLICLY COMMITS TO PROCESS THE INFORMATION ONLY  AS  DEIDENTIFIED
 INFORMATION  AND  NOT ATTEMPT TO REIDENTIFY THE INFORMATION, EXCEPT THAT
 THE REGULATED ENTITY OR SERVICE PROVIDER MAY ATTEMPT TO  REIDENTIFY  THE
 INFORMATION  SOLELY  FOR  THE PURPOSE OF DETERMINING WHETHER ITS DEIDEN-
 TIFICATION PROCESSES SATISFY THE REQUIREMENTS OF THIS SECTION; AND
   (C) CONTRACTUALLY OBLIGATES ANY RECIPIENT OF THE DEIDENTIFIED INFORMA-
 TION TO COMPLY WITH ALL REQUIREMENTS OF THIS SECTION.
   2. "REGULATED  HEALTH  INFORMATION"  MEANS  ANY  INFORMATION  THAT  IS
 REASONABLY  LINKABLE  TO AN INDIVIDUAL, OR A DEVICE, AND IS COLLECTED OR
 PROCESSED IN CONNECTION WITH THE PHYSICAL OR MENTAL HEALTH OF  AN  INDI-
 VIDUAL.  LOCATION OR PAYMENT INFORMATION THAT RELATES TO AN INDIVIDUAL'S
 PHYSICAL  OR  MENTAL  HEALTH  OR ANY INFERENCE DRAWN OR DERIVED ABOUT AN
 INDIVIDUAL'S PHYSICAL OR MENTAL HEALTH THAT IS REASONABLY LINKABLE TO AN
 INDIVIDUAL, OR A DEVICE, SHALL BE CONSIDERED, WITHOUT LIMITATION,  REGU-
 LATED HEALTH INFORMATION. REGULATED HEALTH INFORMATION SHALL NOT INCLUDE
 DEIDENTIFIED INFORMATION.
   3.  "PROCESS"  OR "PROCESSING" MEANS AN OPERATION OR SET OF OPERATIONS
 PERFORMED ON REGULATED HEALTH INFORMATION, INCLUDING BUT NOT LIMITED  TO
 THE  COLLECTION,  USE,  ACCESS,  SHARING,  SALE, MONETIZATION, ANALYSIS,
 RETENTION, CREATION, GENERATION,  DERIVATION,  RECORDING,  ORGANIZATION,
 STRUCTURING,  STORAGE,  DISCLOSURE,  TRANSMISSION,  DISPOSAL, LICENSING,
 DESTRUCTION, DELETION, MODIFICATION, OR  DEIDENTIFICATION  OF  REGULATED
 HEALTH INFORMATION.
   4.  "REGULATED ENTITY" MEANS ANY ENTITY THAT (A) CONTROLS THE PROCESS-
 ING OF REGULATED HEALTH INFORMATION OF AN INDIVIDUAL WHO IS A  NEW  YORK
 RESIDENT, (B) CONTROLS THE PROCESSING OF REGULATED HEALTH INFORMATION OF
 AN  INDIVIDUAL WHO IS PHYSICALLY PRESENT IN NEW YORK WHILE THAT INDIVID-
 UAL IS IN NEW YORK, OR (C) IS LOCATED IN NEW YORK AND CONTROLS THE PROC-
 ESSING OF REGULATED HEALTH INFORMATION OF  AN  INDIVIDUAL.  A  REGULATED
 ENTITY  MAY  ALSO  BE  A  SERVICE PROVIDER DEPENDING UPON THE CONTEXT IN
 WHICH REGULATED HEALTH INFORMATION IS PROCESSED.
   5. "SELL" MEANS TO SHARE REGULATED HEALTH INFORMATION FOR MONETARY  OR
 OTHER  VALUABLE  CONSIDERATION.  SELLING DOES NOT INCLUDE THE SHARING OF
 REGULATED HEALTH INFORMATION FOR MONETARY OR  OTHER  VALUABLE  CONSIDER-
 ATION  TO  A  THIRD PARTY AS AN ASSET THAT IS PART OF A MERGER, ACQUISI-
 TION, BANKRUPTCY, OR OTHER TRANSACTION IN WHICH THE THIRD PARTY  ASSUMES
 CONTROL OF ALL OR PART OF THE REGULATED ENTITY'S ASSETS.
   6.  "SERVICE PROVIDER" MEANS ANY PERSON OR ENTITY THAT PROCESSES REGU-
 LATED HEALTH INFORMATION ON BEHALF OF  A  REGULATED  ENTITY.  A  SERVICE
 PROVIDER  MAY  ALSO  BE A REGULATED ENTITY DEPENDING UPON THE CONTEXT IN
 WHICH REGULATED HEALTH INFORMATION IS PROCESSED.
   7. "THIRD PARTY" MEANS A PERSON OR ENTITY OTHER THAN  THE  INDIVIDUAL,
 REGULATED  ENTITY,  OR  SERVICE  PROVIDER  INVOLVED  IN A TRANSACTION OR
 OCCURRENCE THAT INVOLVES REGULATED HEALTH INFORMATION. A THIRD PARTY MAY
 ALSO BE A REGULATED  ENTITY  OR  SERVICE  PROVIDER  DEPENDING  UPON  THE
 CONTEXT IN WHICH REGULATED HEALTH INFORMATION IS PROCESSED.
 S. 158--D                           3
 
   §  1101.  REQUIREMENTS FOR COMMUNICATIONS TO INDIVIDUALS. ALL NOTICES,
 DISCLOSURES, FORMS, AND OTHER  COMMUNICATIONS  TO  INDIVIDUALS  PROVIDED
 PURSUANT TO THIS ARTICLE SHALL COMPLY WITH THE FOLLOWING:
   1.  IN  GENERAL,  ALL  COMMUNICATIONS SHALL USE PLAIN, STRAIGHTFORWARD
 LANGUAGE, AVOIDING TECHNICAL OR  LEGAL  JARGON,  AND  MUST  BE  PROVIDED
 THROUGH  AN  INTERFACE  REGULARLY USED IN CONJUNCTION WITH THE REGULATED
 ENTITY'S PRODUCT OR SERVICE.
   2. ALL COMMUNICATIONS SHALL BE REASONABLY  ACCESSIBLE  TO  INDIVIDUALS
 WITH DISABILITIES, INCLUDING BY:
   (A) UTILIZING DIGITAL ACCESSIBILITY TOOLS;
   (B)  FOR  NOTICES, COMPLYING WITH GENERALLY RECOGNIZED INDUSTRY STAND-
 ARDS, INCLUDING, BUT NOT  LIMITED  TO,  THE  WEB  CONTENT  ACCESSIBILITY
 GUIDELINES, FROM THE WORLD WEB CONSORTIUM, INCORPORATED HEREIN BY REFER-
 ENCE; AND
   (C) FOR OTHER COMMUNICATIONS, PROVIDING INFORMATION ABOUT HOW AN INDI-
 VIDUAL  WITH A DISABILITY MAY ACCESS THE COMMUNICATION IN AN ALTERNATIVE
 FORMAT.
   3. ALL COMMUNICATIONS SHALL BE AVAILABLE IN THE LANGUAGES IN WHICH THE
 REGULATED ENTITY PROVIDES INFORMATION VIA ITS WEBSITE AND SERVICES.  ANY
 DIRECT  COMMUNICATION TO AN INDIVIDUAL SHALL BE PROVIDED IN THE LANGUAGE
 IN WHICH THE INDIVIDUAL ORDINARILY INTERACTS WITH THE  REGULATED  ENTITY
 OR ITS SERVICE PROVIDER.
   4. A REGULATED ENTITY SHALL MAKE ANY NOTICE FOR PROCESSING PURSUANT TO
 A PERMISSIBLE PURPOSE, PURSUANT TO SUBPARAGRAPH (II) OF PARAGRAPH (B) OF
 SUBDIVISION  ONE  OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE, OR FORM
 FOR PROCESSING PURSUANT TO AUTHORIZATION, PURSUANT TO  SUBPARAGRAPH  (I)
 OF  PARAGRAPH  (B)  OF  SUBDIVISION ONE OF SECTION ELEVEN HUNDRED TWO OF
 THIS ARTICLE, PUBLICLY AVAILABLE ON ITS  WEBSITE.  IF  AN  AUTHORIZATION
 FORM IS CUSTOMIZED FOR EACH INDIVIDUAL, THE REGULATED ENTITY MAY INSTEAD
 PUBLICLY POST A SAMPLE AUTHORIZATION FORM ON ITS WEBSITE.
   §  1102. LAWFULNESS OF PROCESSING REGULATED HEALTH INFORMATION.  1. IN
 GENERAL, IT SHALL BE UNLAWFUL FOR A REGULATED ENTITY TO:
   (A) SELL AN INDIVIDUAL'S  REGULATED  HEALTH  INFORMATION  TO  A  THIRD
 PARTY; OR
   (B)  OTHERWISE  PROCESS  AN  INDIVIDUAL'S REGULATED HEALTH INFORMATION
 UNLESS:
   (I) THE INDIVIDUAL HAS PROVIDED VALID AUTHORIZATION FOR SUCH  PROCESS-
 ING; OR
   (II)  PROCESSING  OF  AN  INDIVIDUAL'S REGULATED HEALTH INFORMATION IS
 STRICTLY NECESSARY FOR THE PURPOSE OF:
   (A) PROVIDING A PRODUCT OR SERVICE REQUESTED BY SUCH INDIVIDUAL;
   (B) CONDUCTING THE REGULATED ENTITY'S  INTERNAL  BUSINESS  OPERATIONS,
 WHICH EXCLUDE ANY ACTIVITIES RELATED TO MARKETING, ADVERTISING, RESEARCH
 AND DEVELOPMENT, OR PROVIDING PRODUCTS OR SERVICES TO THIRD PARTIES;
   (C) PROTECTING AGAINST MALICIOUS, FRAUDULENT, OR ILLEGAL ACTIVITY;
   (D)  DETECTING,  RESPONDING  TO,  OR  PREVENTING SECURITY INCIDENTS OR
 THREATS;
   (E) PROTECTING THE VITAL INTERESTS OF  AN  INDIVIDUAL  OR  THE  PUBLIC
 INTEREST IN THE AREA OF PUBLIC HEALTH;
   (F) INVESTIGATING, ESTABLISHING, EXERCISING, PREPARING FOR, OR DEFEND-
 ING LEGAL CLAIMS; OR
   (G) COMPLYING WITH THE REGULATED ENTITY'S LEGAL OBLIGATIONS.
   2.  A  REGULATED  ENTITY  THAT  PROCESSES REGULATED HEALTH INFORMATION
 PURSUANT TO VALID AUTHORIZATION AS REQUIRED BY SUBPARAGRAPH (I) OF PARA-
 GRAPH (B) OF SUBDIVISION ONE OF  THIS  SECTION  SHALL  COMPLY  WITH  THE
 FOLLOWING:
 S. 158--D                           4
 
   (A)  A  REQUEST FOR AUTHORIZATION TO PROCESS AN INDIVIDUAL'S REGULATED
 HEALTH INFORMATION SHALL:
   (I)  BE MADE SEPARATELY FROM ANY OTHER TRANSACTION OR PART OF A TRANS-
 ACTION;
   (II) BE MADE AT LEAST TWENTY-FOUR HOURS AFTER AN INDIVIDUAL CREATES AN
 ACCOUNT OR FIRST USES THE REQUESTED PRODUCT OR SERVICE;
   (III) BE MADE IN THE ABSENCE OF ANY MECHANISM THAT HAS THE PURPOSE  OR
 SUBSTANTIAL  EFFECT  OF  OBSCURING, SUBVERTING, OR IMPAIRING AN INDIVID-
 UAL'S DECISION-MAKING REGARDING AUTHORIZATION FOR PROCESSING;
   (IV) IF REQUESTING AUTHORIZATION FOR MULTIPLE CATEGORIES OF PROCESSING
 ACTIVITIES, ALLOW THE INDIVIDUAL TO PROVIDE/WITHHOLD AUTHORIZATION SEPA-
 RATELY FOR EACH CATEGORY OF PROCESSING ACTIVITY; AND
   (V) NOT INCLUDE ANY REQUEST FOR AUTHORIZATION FOR A PROCESSING  ACTIV-
 ITY FOR WHICH AN INDIVIDUAL HAS WITHHELD OR REVOKED AUTHORIZATION WITHIN
 THE PAST CALENDAR YEAR.
   (B) A VALID AUTHORIZATION SHALL INCLUDE:
   (I) THE TYPES OF REGULATED HEALTH INFORMATION TO BE PROCESSED;
   (II) THE NATURE OF THE PROCESSING ACTIVITY;
   (III) THE SPECIFIC PURPOSES FOR SUCH PROCESSING;
   (IV)  THE  NAMES  WHERE  READILY  AVAILABLE,  OR CATEGORIES OF SERVICE
 PROVIDERS AND THIRD PARTIES TO WHICH THE REGULATED ENTITY  MAY  DISCLOSE
 THE  INDIVIDUAL'S REGULATED HEALTH INFORMATION AND THE PURPOSES FOR SUCH
 DISCLOSURE, INCLUDING THE CIRCUMSTANCES UNDER WHICH THE REGULATED ENTITY
 MAY DISCLOSE REGULATED HEALTH INFORMATION TO LAW ENFORCEMENT;
   (V) ANY MONETARY OR OTHER VALUABLE CONSIDERATION THE REGULATED  ENTITY
 MAY  RECEIVE  IN  CONNECTION  WITH PROCESSING THE INDIVIDUAL'S REGULATED
 HEALTH INFORMATION, WHERE APPLICABLE;
   (VI) THAT FAILING TO PROVIDE AUTHORIZATION WILL NOT AFFECT  THE  INDI-
 VIDUAL'S   EXPERIENCE  OF  USING  THE  REGULATED  ENTITY'S  PRODUCTS  OR
 SERVICES;
   (VII) THE EXPIRATION DATE OF THE AUTHORIZATION, WHICH MAY BE UP TO ONE
 YEAR FROM THE DATE AUTHORIZATION WAS PROVIDED;
   (VIII) THE MECHANISM BY WHICH THE INDIVIDUAL MAY REVOKE  AUTHORIZATION
 PRIOR TO EXPIRATION;
   (IX)  THE  MECHANISM BY WHICH THE INDIVIDUAL MAY REQUEST ACCESS TO AND
 DELETION OF THEIR REGULATED HEALTH INFORMATION;
   (X) ANY OTHER INFORMATION MATERIAL TO AN INDIVIDUAL'S  DECISION-MAKING
 REGARDING AUTHORIZATION FOR PROCESSING; AND
   (XI)  THE SIGNATURE, WHICH MAY BE ELECTRONIC, OF THE INDIVIDUAL WHO IS
 THE SUBJECT OF THE REGULATED HEALTH INFORMATION, OR A PARENT OR GUARDIAN
 AUTHORIZED BY LAW TO TAKE ACTIONS OF LEGAL CONSEQUENCE ON BEHALF OF  THE
 INDIVIDUAL  WHO  IS THE SUBJECT OF THE REGULATED HEALTH INFORMATION, AND
 THE DATE.
   (C) (I) A REGULATED ENTITY THAT RECEIVES AUTHORIZATION FOR  PROCESSING
 SHALL  PROVIDE  AN  EFFECTIVE,  EFFICIENT,  AND EASY-TO-USE MECHANISM BY
 WHICH AN INDIVIDUAL MAY REVOKE AUTHORIZATION  AT  ANY  TIME  THROUGH  AN
 INTERFACE  REGULARLY  USED  IN  CONJUNCTION  WITH THE REGULATED ENTITY'S
 PRODUCT OR SERVICE.
   (II) UPON AN INDIVIDUAL'S REVOCATION OF AUTHORIZATION,  THE  REGULATED
 ENTITY  SHALL  IMMEDIATELY  CEASE  ALL  PROCESSING  ACTIVITIES FOR WHICH
 AUTHORIZATION WAS REVOKED, EXCEPT TO THE EXTENT NECESSARY TO COMPLY WITH
 THE REGULATED ENTITY'S LEGAL OBLIGATIONS.
   (III) FOR INDIVIDUALS WHO HAVE AN ONLINE ACCOUNT  WITH  THE  REGULATED
 ENTITY,  THE  REGULATED ENTITY MUST PROVIDE, IN A CONSPICUOUS AND EASILY
 ACCESSIBLE PLACE WITHIN THE ACCOUNT SETTINGS, A LIST OF  ALL  PROCESSING
 ACTIVITIES  FOR WHICH THE INDIVIDUAL HAS PROVIDED AUTHORIZATION AND, FOR
 S. 158--D                           5
 
 EACH PROCESSING ACTIVITY, ALLOW THE INDIVIDUAL TO  REVOKE  AUTHORIZATION
 IN THE SAME PLACE WITH ONE MOTION OR ACTION.
   (D)  UPON  OBTAINING VALID AUTHORIZATION FROM AN INDIVIDUAL, THE REGU-
 LATED ENTITY SHALL PROVIDE THAT INDIVIDUAL A COPY OF THE  AUTHORIZATION.
 THE AUTHORIZATION SHALL BE PROVIDED IN A MANNER THAT IS CAPABLE OF BEING
 RETAINED BY THE INDIVIDUAL.
   (E) THE REGULATED ENTITY SHALL LIMIT ITS PROCESSING TO WHAT WAS CLEAR-
 LY DISCLOSED TO AN INDIVIDUAL PURSUANT TO PARAGRAPH (B) OF THIS SUBDIVI-
 SION  WHEN THE REGULATED ENTITY RECEIVED AUTHORIZATION FROM THE INDIVID-
 UAL.
   (F) IF THE REGULATED ENTITY SEEKS TO MATERIALLY ALTER  ITS  PROCESSING
 ACTIVITIES  FOR  REGULATED  HEALTH  INFORMATION  COLLECTED  PURSUANT  TO
 AUTHORIZATION, THE REGULATED ENTITY SHALL OBTAIN A NEW AUTHORIZATION FOR
 THE NEW OR ALTERED PROCESSING ACTIVITY.
   (G) PROVIDING A PRODUCT OR SERVICE REQUESTED BY AN INDIVIDUAL MUST NOT
 BE MADE CONTINGENT ON PROVIDING AUTHORIZATION. THE REGULATED ENTITY MUST
 NOT DISCRIMINATE AGAINST AN INDIVIDUAL  FOR  WITHHOLDING  AUTHORIZATION,
 SUCH  AS BY CHARGING DIFFERENT PRICES OR RATES FOR PRODUCTS OR SERVICES,
 INCLUDING THROUGH THE USE  OF  DISCOUNTS  OR  OTHER  BENEFITS,  IMPOSING
 PENALTIES,  OR  PROVIDING  A  DIFFERENT  LEVEL OR QUALITY OF SERVICES OR
 GOODS TO THE INDIVIDUAL.
   3. A REGULATED ENTITY  THAT  PROCESSES  REGULATED  HEALTH  INFORMATION
 PURSUANT TO A PERMISSIBLE PURPOSE PURSUANT TO SUBPARAGRAPH (II) OF PARA-
 GRAPH  (B)  OF  SUBDIVISION  ONE  OF  THIS SECTION SHALL COMPLY WITH THE
 FOLLOWING:
   (A) A REGULATED ENTITY SHALL PROVIDE CLEAR AND CONSPICUOUS NOTICE THAT
 DESCRIBES:
   (I) THE TYPES OF REGULATED HEALTH INFORMATION TO BE PROCESSED;
   (II) THE NATURE OF THE PROCESSING ACTIVITY;
   (III) THE SPECIFIC PURPOSES FOR SUCH PROCESSING;
   (IV) THE NAMES WHERE  READILY  AVAILABLE,  OR  CATEGORIES  OF  SERVICE
 PROVIDERS  AND  THIRD PARTIES TO WHICH THE REGULATED ENTITY MAY DISCLOSE
 THE INDIVIDUAL'S REGULATED HEALTH INFORMATION AND THE PURPOSES FOR  SUCH
 DISCLOSURE, INCLUDING THE CIRCUMSTANCES UNDER WHICH THE REGULATED ENTITY
 MAY DISCLOSE REGULATED HEALTH INFORMATION TO LAW ENFORCEMENT; AND
   (V)  THE  MECHANISM  BY WHICH THE INDIVIDUAL MAY REQUEST ACCESS TO AND
 DELETION OF THEIR REGULATED HEALTH INFORMATION.
   (B) IF THE REGULATED ENTITY MATERIALLY ALTERS  ITS  PROCESSING  ACTIV-
 ITIES FOR REGULATED HEALTH INFORMATION COLLECTED PURSUANT TO A PERMISSI-
 BLE  PURPOSE,  THE REGULATED ENTITY MUST PROVIDE A CLEAR AND CONSPICUOUS
 NOTICE IN PLAIN LANGUAGE, SEPARATE  FROM  A  PRIVACY  POLICY,  TERMS  OF
 SERVICE, OR SIMILAR DOCUMENT, THAT DESCRIBES ANY MATERIAL CHANGES TO THE
 PROCESSING  ACTIVITIES AND PROVIDE THE INDIVIDUAL WITH AN OPPORTUNITY TO
 REQUEST DELETION OF THEIR REGULATED HEALTH INFORMATION.
   § 1103. INDIVIDUAL RIGHTS. 1. (A) A REGULATED ENTITY SHALL MAKE AVAIL-
 ABLE AN EFFECTIVE,  EFFICIENT,  AND  EASY-TO-USE  MECHANISM  THROUGH  AN
 INTERFACE  REGULARLY  USED  IN  CONJUNCTION  WITH THE REGULATED ENTITY'S
 PRODUCT OR SERVICE BY WHICH AN INDIVIDUAL MAY REQUEST  ACCESS  TO  THEIR
 REGULATED HEALTH INFORMATION.
   (B)  WITHIN  THIRTY DAYS OF RECEIVING AN ACCESS REQUEST, THE REGULATED
 ENTITY SHALL MAKE AVAILABLE A COPY OF ALL REGULATED  HEALTH  INFORMATION
 ABOUT THE INDIVIDUAL THAT THE REGULATED ENTITY MAINTAINS OR THAT SERVICE
 PROVIDERS MAINTAIN ON BEHALF OF THE REGULATED ENTITY.
   2.  (A)  A  REGULATED  ENTITY SHALL MAKE AVAILABLE AN EFFECTIVE, EFFI-
 CIENT, AND EASY-TO-USE MECHANISM THROUGH AN INTERFACE REGULARLY USED  IN
 CONJUNCTION  WITH  THE REGULATED ENTITY'S PRODUCT OR SERVICE BY WHICH AN
 S. 158--D                           6
 
 INDIVIDUAL MAY REQUEST THE DELETION OF THEIR REGULATED  HEALTH  INFORMA-
 TION.
   (B)  AN  INDIVIDUAL'S DELETION OR CANCELLATION OF THEIR ONLINE ACCOUNT
 SHALL BE TREATED AS A  REQUEST  TO  DELETE  THE  INDIVIDUAL'S  REGULATED
 HEALTH INFORMATION.
   (C)  WITHIN THIRTY DAYS OF RECEIVING A DELETION REQUEST, THE REGULATED
 ENTITY SHALL:
   (I) DELETE ALL REGULATED HEALTH INFORMATION ASSOCIATED WITH THE  INDI-
 VIDUAL  IN  THE  REGULATED ENTITY'S POSSESSION OR CONTROL, EXCEPT TO THE
 EXTENT NECESSARY TO COMPLY  WITH  THE  REGULATED  ENTITY'S  LEGAL  OBLI-
 GATIONS; AND
   (II)  UNLESS  IT PROVES IMPOSSIBLE OR INVOLVES DISPROPORTIONATE EFFORT
 THAT IS DOCUMENTED IN WRITING BY THE REGULATED ENTITY, COMMUNICATE  SUCH
 REQUEST TO EACH SERVICE PROVIDER OR THIRD PARTY THAT PROCESSED THE INDI-
 VIDUAL'S  REGULATED  HEALTH INFORMATION IN CONNECTION WITH A TRANSACTION
 INVOLVING THE REGULATED ENTITY OCCURRING WITHIN ONE YEAR  PRECEDING  THE
 INDIVIDUAL'S REQUEST.
   (D)  ANY  SERVICE  PROVIDER  OR THIRD PARTY THAT RECEIVES NOTICE OF AN
 INDIVIDUAL'S DELETION REQUEST SHALL WITHIN THIRTY DAYS DELETE ALL  REGU-
 LATED   HEALTH   INFORMATION  ASSOCIATED  WITH  THE  INDIVIDUAL  IN  ITS
 POSSESSION OR CONTROL, EXCEPT TO THE EXTENT NECESSARY TO COMPLY WITH ITS
 LEGAL OBLIGATIONS.
   3. ANY RIGHT SET FORTH IN THIS SECTION MAY BE EXERCISED AT ANY TIME BY
 THE INDIVIDUAL WHO IS THE SUBJECT OF THE REGULATED HEALTH INFORMATION OR
 AN AGENT AUTHORIZED BY SUCH INDIVIDUAL.
   § 1104. SECURITY. 1. IN GENERAL, A  REGULATED  ENTITY  SHALL  DEVELOP,
 IMPLEMENT,  AND MAINTAIN REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYS-
 ICAL SAFEGUARDS TO PROTECT THE SECURITY, CONFIDENTIALITY, AND  INTEGRITY
 OF REGULATED HEALTH INFORMATION.
   2.  A  REGULATED ENTITY MUST SECURELY DISPOSE OF AN INDIVIDUAL'S REGU-
 LATED HEALTH INFORMATION PURSUANT  TO  A  PUBLICLY  AVAILABLE  RETENTION
 SCHEDULE  WITHIN  A  REASONABLE  TIME,  AND IN NO EVENT LATER THAN SIXTY
 DAYS, AFTER IT IS NO LONGER NECESSARY TO MAINTAIN  FOR  THE  PERMISSIBLE
 PURPOSE OR PURPOSES IDENTIFIED IN THE NOTICE OR FOR WHICH THE INDIVIDUAL
 PROVIDED VALID AUTHORIZATION.
   §  1105. SERVICE PROVIDERS. 1. IN GENERAL, ANY PROCESSING OF REGULATED
 HEALTH INFORMATION BY A SERVICE PROVIDER ON BEHALF OF A REGULATED ENTITY
 SHALL BE GOVERNED BY A WRITTEN, BINDING AGREEMENT. SUCH AGREEMENT  SHALL
 CLEARLY  SET FORTH INSTRUCTIONS FOR PROCESSING REGULATED HEALTH INFORMA-
 TION, THE NATURE AND PURPOSE OF PROCESSING, THE DURATION OF  PROCESSING,
 AND THE RIGHTS AND OBLIGATIONS OF BOTH PARTIES.
   2.  AN  AGREEMENT  PURSUANT  TO  SUBDIVISION ONE OF THIS SECTION SHALL
 REQUIRE THAT THE SERVICE PROVIDER:
   (A) ENSURE THAT EACH PERSON PROCESSING REGULATED HEALTH INFORMATION IS
 SUBJECT TO A DUTY OF CONFIDENTIALITY WITH RESPECT TO SUCH INFORMATION;
   (B) PROTECT REGULATED HEALTH INFORMATION IN A MANNER  CONSISTENT  WITH
 THE REQUIREMENTS OF THIS ARTICLE;
   (C)  PROCESS  REGULATED HEALTH INFORMATION ONLY WHEN AND TO THE EXTENT
 NECESSARY TO COMPLY WITH ITS OBLIGATIONS TO THE REGULATED ENTITY;
   (D) NOT COMBINE THE REGULATED HEALTH  INFORMATION  WHICH  THE  SERVICE
 PROVIDER  RECEIVES  FROM  OR  ON BEHALF OF THE REGULATED ENTITY WITH ANY
 OTHER PERSONAL INFORMATION WHICH THE SERVICE PROVIDER RECEIVES  FROM  OR
 ON  BEHALF  OF  ANOTHER PARTY OR COLLECTS FROM ITS OWN RELATIONSHIP WITH
 INDIVIDUALS;
   (E) COMPLY WITH ANY EXERCISES OF AN INDIVIDUAL'S RIGHTS UNDER  SECTION
 ELEVEN  HUNDRED  THREE OF THIS ARTICLE UPON THE REQUEST OF THE REGULATED
 S. 158--D                           7
 
 ENTITY AND NOTIFY ANY SERVICE PROVIDERS OR THIRD  PARTIES  TO  WHICH  IT
 DISCLOSED REGULATED HEALTH INFORMATION OF THE REQUEST;
   (F) DELETE OR RETURN ALL REGULATED HEALTH INFORMATION TO THE REGULATED
 ENTITY  AT THE END OF THE PROVISION OF SERVICES, UNLESS RETENTION OF THE
 REGULATED HEALTH INFORMATION IS REQUIRED BY LAW;
   (G) UPON THE REASONABLE REQUEST OF THE REGULATED ENTITY,  MAKE  AVAIL-
 ABLE  TO  THE  REGULATED  ENTITY ALL DATA IN ITS POSSESSION NECESSARY TO
 DEMONSTRATE THE SERVICE PROVIDER'S COMPLIANCE WITH  THE  OBLIGATIONS  IN
 THIS SECTION;
   (H) ALLOW, AND COOPERATE WITH, REASONABLE ASSESSMENTS BY THE REGULATED
 ENTITY  OR  THE  REGULATED  ENTITY'S DESIGNATED ASSESSOR FOR PURPOSES OF
 EVALUATING COMPLIANCE WITH THE OBLIGATIONS OF THIS ARTICLE; ALTERNATIVE-
 LY, THE SERVICE PROVIDER MAY ARRANGE FOR  A  QUALIFIED  AND  INDEPENDENT
 ASSESSOR  TO CONDUCT AN ASSESSMENT OF THE PROCESSOR'S POLICIES AND TECH-
 NICAL AND ORGANIZATIONAL MEASURES IN SUPPORT OF  THE  OBLIGATIONS  UNDER
 THIS  ARTICLE  USING  AN  APPROPRIATE  AND  ACCEPTED CONTROL STANDARD OR
 FRAMEWORK AND ASSESSMENT PROCEDURE FOR  SUCH  ASSESSMENTS.  THE  SERVICE
 PROVIDER  SHALL  PROVIDE  A  REPORT  OF SUCH ASSESSMENT TO THE REGULATED
 ENTITY UPON REQUEST;
   (I) A REASONABLE TIME IN ADVANCE  BEFORE  DISCLOSING  OR  TRANSFERRING
 REGULATED  HEALTH  INFORMATION  TO ANY FURTHER SERVICE PROVIDERS, NOTIFY
 THE REGULATED ENTITY OF SUCH A PROPOSED DISCLOSURE  OR  TRANSFER,  WHICH
 MAY  BE  IN  THE  FORM  OF  A  REGULARLY UPDATED LIST OF FURTHER SERVICE
 PROVIDERS THAT MAY ACCESS REGULATED HEALTH INFORMATION; AND
   (J) ENGAGE ANY FURTHER SERVICE PROVIDER PURSUANT TO A WRITTEN, BINDING
 AGREEMENT THAT INCLUDES THE CONTRACTUAL REQUIREMENTS  PROVIDED  IN  THIS
 SECTION,  CONTAINING  AT  MINIMUM  THE SAME OBLIGATIONS THAT THE SERVICE
 PROVIDER HAS ENTERED INTO WITH REGARD TO REGULATED HEALTH INFORMATION.
   § 1106. EXEMPTIONS. NOTHING IN THIS ARTICLE SHALL APPLY TO:
   1. INFORMATION PROCESSED BY LOCAL, STATE, AND FEDERAL GOVERNMENTS, AND
 MUNICIPAL CORPORATIONS;
   2. PROTECTED HEALTH INFORMATION THAT IS COLLECTED BY A COVERED  ENTITY
 OR  BUSINESS  ASSOCIATE  GOVERNED  BY  THE PRIVACY, SECURITY, AND BREACH
 NOTIFICATION RULES ISSUED BY THE UNITED STATES DEPARTMENT OF HEALTH  AND
 HUMAN  SERVICES,  PARTS  160  AND 164 OF TITLE 45 OF THE CODE OF FEDERAL
 REGULATIONS, ESTABLISHED PURSUANT TO THE  HEALTH  INSURANCE  PORTABILITY
 AND  ACCOUNTABILITY  ACT  OF  1996  (PUBLIC  LAW 104-191) AND THE HEALTH
 INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT (PUBLIC  LAW
 111-5);
   3.  ANY  COVERED  ENTITY GOVERNED BY THE PRIVACY, SECURITY, AND BREACH
 NOTIFICATION RULES ISSUED BY THE UNITED STATES DEPARTMENT OF HEALTH  AND
 HUMAN  SERVICES,  PARTS  160  AND 164 OF TITLE 45 OF THE CODE OF FEDERAL
 REGULATIONS, ESTABLISHED PURSUANT TO THE  HEALTH  INSURANCE  PORTABILITY
 AND  ACCOUNTABILITY  ACT OF 1996 (PUBLIC LAW 104-191), TO THE EXTENT THE
 COVERED ENTITY MAINTAINS PATIENT  INFORMATION  IN  THE  SAME  MANNER  AS
 PROTECTED  HEALTH  INFORMATION  AS  DESCRIBED IN SUBDIVISION TWO OF THIS
 SECTION;
   4. INFORMATION COLLECTED AS PART OF A CLINICAL TRIAL  SUBJECT  TO  THE
 FEDERAL  POLICY  FOR THE PROTECTION OF HUMAN SUBJECTS, ALSO KNOWN AS THE
 COMMON RULE, PURSUANT TO GOOD CLINICAL PRACTICE GUIDELINES ISSUED BY THE
 INTERNATIONAL COUNCIL FOR HARMONISATION OR  PURSUANT  TO  HUMAN  SUBJECT
 PROTECTION  REQUIREMENTS  OF  THE  UNITED  STATES FOOD AND DRUG ADMINIS-
 TRATION;
   5. INFORMATION PROCESSED PURSUANT TO THE  FEDERAL  FAMILY  EDUCATIONAL
 RIGHTS AND PRIVACY ACT (20 U.S.C. SEC. 1232G) AND ITS IMPLEMENTING REGU-
 LATIONS;
 S. 158--D                           8
 
   6.  INFORMATION  PROCESSED  PURSUANT TO SECTION TWO-D OF THE EDUCATION
 LAW; AND
   7.  INFORMATION  PROCESSED  PURSUANT  TO  THE FEDERAL DRIVER'S PRIVACY
 PROTECTION ACT OF 1994 (18 U.S.C.  SEC. 2721 ET SEQ).
   § 1107. ENFORCEMENT. 1. WHENEVER IT APPEARS TO THE  ATTORNEY  GENERAL,
 EITHER  UPON  COMPLAINT OR OTHERWISE, THAT ANY PERSON OR PERSONS, WITHIN
 OR OUTSIDE THE STATE, HAS ENGAGED IN OR IS ABOUT TO ENGAGE IN ANY OF THE
 ACTS OR PRACTICES STATED TO BE UNLAWFUL UNDER THIS ARTICLE, THE ATTORNEY
 GENERAL MAY BRING AN ACTION OR SPECIAL PROCEEDING IN  THE  NAME  AND  ON
 BEHALF OF THE PEOPLE OF THE STATE OF NEW YORK TO ENJOIN ANY VIOLATION OF
 THIS  ARTICLE,  TO OBTAIN RESTITUTION OF ANY MONEYS OR PROPERTY OBTAINED
 DIRECTLY OR INDIRECTLY BY ANY SUCH VIOLATION, TO OBTAIN DISGORGEMENT  OF
 ANY  PROFITS  OBTAINED  DIRECTLY OR INDIRECTLY BY ANY SUCH VIOLATION, TO
 OBTAIN CIVIL PENALTIES OF NOT MORE THAN  FIFTEEN  THOUSAND  DOLLARS  PER
 VIOLATION  OR TWENTY PERCENT OF REVENUE OBTAINED FROM NEW YORK CONSUMERS
 WITHIN THE PAST FISCAL YEAR, WHICHEVER IS GREATER,  AND  TO  OBTAIN  ANY
 SUCH  OTHER  AND  FURTHER RELIEF AS THE COURT MAY DEEM PROPER, INCLUDING
 PRELIMINARY RELIEF.
   2. THE REMEDIES PROVIDED BY THIS SECTION SHALL BE IN ADDITION  TO  ANY
 OTHER LAWFUL REMEDY AVAILABLE.
   3.  ANY  ACTION  OR SPECIAL PROCEEDING BROUGHT BY THE ATTORNEY GENERAL
 PURSUANT TO THIS SECTION MUST BE COMMENCED WITHIN SIX YEARS OF THE  DATE
 ON WHICH THE ATTORNEY GENERAL BECAME AWARE OF THE VIOLATION.
   4.  IN CONNECTION WITH ANY PROPOSED ACTION OR SPECIAL PROCEEDING UNDER
 THIS SECTION, THE ATTORNEY GENERAL IS AUTHORIZED TO TAKE PROOF AND  MAKE
 A DETERMINATION OF THE RELEVANT FACTS, AND TO ISSUE SUBPOENAS IN ACCORD-
 ANCE  WITH  THE  CIVIL  PRACTICE LAW AND RULES. THE ATTORNEY GENERAL MAY
 ALSO REQUIRE SUCH OTHER DATA AND INFORMATION AS HE OR SHE MAY DEEM RELE-
 VANT AND MAY REQUIRE WRITTEN RESPONSES TO  QUESTIONS  UNDER  OATH.  SUCH
 POWER OF SUBPOENA AND EXAMINATION SHALL NOT ABATE OR TERMINATE BY REASON
 OF  ANY  ACTION  OR  SPECIAL  PROCEEDING BROUGHT BY THE ATTORNEY GENERAL
 UNDER THIS ARTICLE.
   5. THIS SECTION SHALL APPLY TO ALL ACTS DECLARED  TO  BE  UNLAWFUL  IN
 THIS ARTICLE, WHETHER OR NOT SUBJECT TO ANY OTHER LAW OF THIS STATE, AND
 SHALL  NOT  SUPERSEDE, AMEND OR REPEAL ANY OTHER LAW OF THIS STATE UNDER
 WHICH THE ATTORNEY GENERAL IS AUTHORIZED TO TAKE ANY ACTION  OR  CONDUCT
 ANY INQUIRY.
   6.   THE ATTORNEY GENERAL MAY PROMULGATE SUCH RULES AND REGULATIONS AS
 ARE NECESSARY TO EFFECTUATE AND ENFORCE THE PROVISIONS OF THIS SECTION.
   § 2. Severability. If any clause,  sentence,  paragraph,  subdivision,
 section  or part of this act shall be adjudged by any court of competent
 jurisdiction to be invalid, such judgment shall not affect,  impair,  or
 invalidate the remainder thereof, but shall be confined in its operation
 to the clause, sentence, paragraph, subdivision, section or part thereof
 directly  involved  in the controversy in which such judgment shall have
 been rendered. It is hereby declared to be the intent of the legislature
 that this act would have been enacted even if  such  invalid  provisions
 had not been included herein.
   § 3. This act shall take effect July 1, 2025.

co-Sponsors

View additional co-sponsors

2023-S158E (ACTIVE) - Details

Law Section:: General Business Law
Laws Affected:: Add Art 42 §§1100 - 1103, Gen Bus L
Versions Introduced in 2025-2026 Legislative Session:: S929

2023-S158E (ACTIVE) - Summary

2023-S158E (ACTIVE) - Sponsor Memo

                                 
BILL NUMBER: S158E

SPONSOR: KRUEGER
 
TITLE OF BILL:

An act to amend the general business law, in relation to providing for
the protection of health information

 
PURPOSE OR GENERAL IDEA OF BILL:

This bill would govern companies that collect and sell healthcare infor-
mation and provides additional rights and protections to users related
to the sale and of their private health information.

 
SUMMARY OF SPECIFIC PROVISIONS:

Section one amends the general business law by adding a new article 42.
Section two provides a severatility clause. Section three establishes
the effective date.

 
JUSTIFICATION:

Most residents of the State are under the impression that HIPAA protects
them and their health data from being accessed by third parties and sold
by and to other organizations. Residents are generally unaware that
their technology is constantly tracking their movements, and geolocation
data is being sold to companies for the purposes of targeted advertise-
ments or tracking. Most users also do not have an understanding of how
much information is being collected, stored, and sold for the benefit of
third parties. For example, a mobile app to track menstruation cycles
was recently caught selling users' data to antiabortion advocacy organ-
izations.

This bill creates a legal framework for residents to reclaim and retain
control of their healthcare information. Electronic apps or websites,
that are designed to provide a diagnosis or retain health information
will be required to receive affirmative consent by the user to retain
such information and would provide users the ability to rescind such
consent. The bill also provides a legal remedy for those whose data was
improperly collected or used.

 
PRIOR LEGISLATIVE HISTORY:

New bill.

 
FISCAL IMPLICATIONS:

None to the State.

 
EFFECTIVE DATE:
One year.

2023-S158E (ACTIVE) - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                  158--E
     Cal. No. 76
 
                        2023-2024 Regular Sessions
 
                             I N  S E N A T E
 
                                (PREFILED)
 
                              January 4, 2023
                                ___________
 
 Introduced  by  Sens.  KRUEGER, BROUK, COMRIE, FERNANDEZ, HINCHEY, HOYL-
   MAN-SIGAL, JACKSON, LIU, MAY, WEBB -- read twice and ordered  printed,
   and  when  printed  to  be  committed to the Committee on Internet and
   Technology -- reported favorably from said committee, ordered to first
   and second report, ordered to a third  reading,  amended  and  ordered
   reprinted,  retaining its place in the order of third reading -- again
   amended and ordered reprinted, retaining its place  in  the  order  of
   third  reading -- recommitted to the Committee on Health in accordance
   with Senate Rule 6, sec. 8 -- reported favorably from said  committee,
   ordered  to first and second report, amended on second report, ordered
   to a third reading, and to be  reprinted  as  amended,  retaining  its
   place  in  the  order of third reading -- reported favorably from said
   committee to third reading, amended and ordered  reprinted,  retaining
   its place in the order of third reading -- passed by Senate and deliv-
   ered  to  the Assembly, recalled, vote reconsidered, restored to third
   reading, amended and ordered reprinted, retaining  its  place  in  the
   order of third reading
 
 AN  ACT  to amend the general business law, in relation to providing for
   the protection of health information
 
   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. The general business law is amended by adding a new article
 42 to read as follows:
                                ARTICLE 42
                  NEW YORK HEALTH INFORMATION PRIVACY ACT
 SECTION 1100. DEFINITIONS.
         1101. REQUIREMENTS FOR COMMUNICATIONS TO INDIVIDUALS.
         1102. LAWFULNESS OF PROCESSING REGULATED HEALTH INFORMATION.
         1103. INDIVIDUAL RIGHTS.
         1104. SECURITY.
         1105. SERVICE PROVIDERS.
         1106. EXEMPTIONS.

         1107. ENFORCEMENT.
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD01105-16-4
 S. 158--E                           2
 
         1108. CONTRACTS AND WAIVERS VOID AND UNENFORCEABLE.
   §  1100.  DEFINITIONS.  AS  USED  IN THIS ARTICLE, THE FOLLOWING TERMS
 SHALL HAVE THE FOLLOWING MEANINGS:
   1. "DEIDENTIFIED INFORMATION" MEANS INFORMATION THAT CANNOT REASONABLY
 BE USED TO INFER INFORMATION ABOUT, OR OTHERWISE BE LINKED TO A  PARTIC-
 ULAR INDIVIDUAL, HOUSEHOLD, OR DEVICE, PROVIDED THAT THE REGULATED ENTI-
 TY OR SERVICE PROVIDER THAT PROCESSES THE INFORMATION:
   (A)  IMPLEMENTS  REASONABLE  TECHNICAL  SAFEGUARDS  TO ENSURE THAT THE
 INFORMATION CANNOT BE  ASSOCIATED  WITH  AN  INDIVIDUAL,  HOUSEHOLD,  OR
 DEVICE;
   (B)  PUBLICLY  COMMITS TO PROCESS THE INFORMATION ONLY AS DEIDENTIFIED
 INFORMATION AND NOT ATTEMPT TO REIDENTIFY THE INFORMATION,  EXCEPT  THAT
 THE  REGULATED  ENTITY OR SERVICE PROVIDER MAY ATTEMPT TO REIDENTIFY THE
 INFORMATION SOLELY FOR THE PURPOSE OF DETERMINING  WHETHER  ITS  DEIDEN-
 TIFICATION PROCESSES SATISFY THE REQUIREMENTS OF THIS SECTION; AND
   (C) CONTRACTUALLY OBLIGATES ANY RECIPIENT OF THE DEIDENTIFIED INFORMA-
 TION TO COMPLY WITH ALL REQUIREMENTS OF THIS SECTION.
   2.  "REGULATED  HEALTH  INFORMATION"  MEANS  ANY  INFORMATION  THAT IS
 REASONABLY LINKABLE TO AN INDIVIDUAL, OR A DEVICE, AND IS  COLLECTED  OR
 PROCESSED  IN  CONNECTION WITH THE PHYSICAL OR MENTAL HEALTH OF AN INDI-
 VIDUAL. LOCATION OR PAYMENT INFORMATION THAT RELATES TO AN  INDIVIDUAL'S
 PHYSICAL  OR  MENTAL  HEALTH  OR ANY INFERENCE DRAWN OR DERIVED ABOUT AN
 INDIVIDUAL'S PHYSICAL OR MENTAL HEALTH THAT IS REASONABLY LINKABLE TO AN
 INDIVIDUAL, OR A DEVICE, SHALL BE CONSIDERED, WITHOUT LIMITATION,  REGU-
 LATED  HEALTH  INFORMATION.    REGULATED  HEALTH  INFORMATION  SHALL NOT
 INCLUDE DEIDENTIFIED INFORMATION.
   3. "PROCESS" OR "PROCESSING" MEANS AN OPERATION OR SET  OF  OPERATIONS
 PERFORMED  ON REGULATED HEALTH INFORMATION, INCLUDING BUT NOT LIMITED TO
 THE COLLECTION, USE,  ACCESS,  SHARING,  SALE,  MONETIZATION,  ANALYSIS,
 RETENTION,  CREATION,  GENERATION,  DERIVATION, RECORDING, ORGANIZATION,
 STRUCTURING, STORAGE,  DISCLOSURE,  TRANSMISSION,  DISPOSAL,  LICENSING,
 DESTRUCTION,  DELETION,  MODIFICATION,  OR DEIDENTIFICATION OF REGULATED
 HEALTH INFORMATION.
   4. "REGULATED ENTITY" MEANS ANY ENTITY THAT (A) CONTROLS THE  PROCESS-
 ING  OF  REGULATED HEALTH INFORMATION OF AN INDIVIDUAL WHO IS A NEW YORK
 RESIDENT, (B) CONTROLS THE PROCESSING OF REGULATED HEALTH INFORMATION OF
 AN INDIVIDUAL WHO IS PHYSICALLY PRESENT IN NEW YORK WHILE THAT  INDIVID-
 UAL IS IN NEW YORK, OR (C) IS LOCATED IN NEW YORK AND CONTROLS THE PROC-
 ESSING OF REGULATED HEALTH INFORMATION. A REGULATED ENTITY MAY ALSO BE A
 SERVICE  PROVIDER  DEPENDING  UPON THE CONTEXT IN WHICH REGULATED HEALTH
 INFORMATION IS PROCESSED.
   5. "SELL" MEANS TO SHARE REGULATED HEALTH INFORMATION FOR MONETARY  OR
 OTHER  VALUABLE  CONSIDERATION.  SELLING DOES NOT INCLUDE THE SHARING OF
 REGULATED HEALTH INFORMATION FOR MONETARY OR  OTHER  VALUABLE  CONSIDER-
 ATION  TO  A  THIRD PARTY AS AN ASSET THAT IS PART OF A MERGER, ACQUISI-
 TION, BANKRUPTCY, OR OTHER TRANSACTION IN WHICH THE THIRD PARTY  ASSUMES
 CONTROL OF ALL OR PART OF THE REGULATED ENTITY'S ASSETS.
   6.  "SERVICE PROVIDER" MEANS ANY PERSON OR ENTITY THAT PROCESSES REGU-
 LATED HEALTH INFORMATION ON BEHALF OF  A  REGULATED  ENTITY.  A  SERVICE
 PROVIDER  MAY  ALSO  BE A REGULATED ENTITY DEPENDING UPON THE CONTEXT IN
 WHICH REGULATED HEALTH INFORMATION IS PROCESSED.
   7. "THIRD PARTY" MEANS A PERSON OR ENTITY OTHER THAN  THE  INDIVIDUAL,
 REGULATED  ENTITY,  OR  SERVICE  PROVIDER  INVOLVED  IN A TRANSACTION OR
 OCCURRENCE THAT INVOLVES REGULATED HEALTH INFORMATION. A THIRD PARTY MAY
 ALSO BE A REGULATED  ENTITY  OR  SERVICE  PROVIDER  DEPENDING  UPON  THE
 CONTEXT IN WHICH REGULATED HEALTH INFORMATION IS PROCESSED.
 S. 158--E                           3
 
   §  1101.  REQUIREMENTS FOR COMMUNICATIONS TO INDIVIDUALS. ALL NOTICES,
 DISCLOSURES, FORMS, AND OTHER  COMMUNICATIONS  TO  INDIVIDUALS  PROVIDED
 PURSUANT TO THIS ARTICLE SHALL COMPLY WITH THE FOLLOWING:
   1.  IN  GENERAL,  ALL  COMMUNICATIONS SHALL USE PLAIN, STRAIGHTFORWARD
 LANGUAGE, AVOIDING TECHNICAL OR  LEGAL  JARGON,  AND  MUST  BE  PROVIDED
 THROUGH  AN  INTERFACE  THE INDIVIDUAL REGULARLY USES IN CONNECTION WITH
 THE REGULATED ENTITY'S PRODUCT OR SERVICE.
   2. ALL COMMUNICATIONS SHALL BE REASONABLY  ACCESSIBLE  TO  INDIVIDUALS
 WITH DISABILITIES, INCLUDING BY:
   (A) UTILIZING DIGITAL ACCESSIBILITY TOOLS;
   (B)  FOR  NOTICES, COMPLYING WITH GENERALLY RECOGNIZED INDUSTRY STAND-
 ARDS, INCLUDING, BUT NOT LIMITED TO, CURRENT STANDARDS SET BY  STANDARDS
 SETTING BODIES SUCH AS THE WORLD WEB CONSORTIUM, OR OTHER SIMILAR STAND-
 ARDS SETTING BODIES AS DETERMINED BY THE ATTORNEY GENERAL; AND
   (C) FOR OTHER COMMUNICATIONS, PROVIDING INFORMATION ABOUT HOW AN INDI-
 VIDUAL  WITH A DISABILITY MAY ACCESS THE COMMUNICATION IN AN ALTERNATIVE
 FORMAT.
   3. ALL COMMUNICATIONS SHALL BE AVAILABLE IN THE LANGUAGES IN WHICH THE
 REGULATED ENTITY PROVIDES INFORMATION VIA ITS WEBSITE AND SERVICES.  ANY
 DIRECT  COMMUNICATION TO AN INDIVIDUAL SHALL BE PROVIDED IN THE LANGUAGE
 IN WHICH THE INDIVIDUAL ORDINARILY INTERACTS WITH THE  REGULATED  ENTITY
 OR ITS SERVICE PROVIDER.
   4. A REGULATED ENTITY SHALL MAKE ANY NOTICE FOR PROCESSING PURSUANT TO
 A PERMISSIBLE PURPOSE, PURSUANT TO SUBPARAGRAPH (II) OF PARAGRAPH (B) OF
 SUBDIVISION  ONE  OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE, OR FORM
 FOR PROCESSING PURSUANT TO AUTHORIZATION, PURSUANT TO  SUBPARAGRAPH  (I)
 OF  PARAGRAPH  (B)  OF  SUBDIVISION ONE OF SECTION ELEVEN HUNDRED TWO OF
 THIS ARTICLE, PUBLICLY AVAILABLE ON ITS  WEBSITE.  IF  AN  AUTHORIZATION
 FORM IS CUSTOMIZED FOR EACH INDIVIDUAL, THE REGULATED ENTITY MAY INSTEAD
 PUBLICLY POST A SAMPLE AUTHORIZATION FORM ON ITS WEBSITE.
   §  1102. LAWFULNESS OF PROCESSING REGULATED HEALTH INFORMATION.  1. IN
 GENERAL, IT SHALL BE UNLAWFUL FOR A REGULATED ENTITY TO:
   (A) SELL AN INDIVIDUAL'S  REGULATED  HEALTH  INFORMATION  TO  A  THIRD
 PARTY; OR
   (B)  OTHERWISE  PROCESS  AN  INDIVIDUAL'S REGULATED HEALTH INFORMATION
 UNLESS:
   (I) THE INDIVIDUAL HAS PROVIDED VALID AUTHORIZATION FOR SUCH  PROCESS-
 ING AS SET FORTH IN PARAGRAPH (B) OF SUBDIVISION TWO OF THIS SECTION; OR
   (II)  PROCESSING  OF  AN  INDIVIDUAL'S REGULATED HEALTH INFORMATION IS
 STRICTLY NECESSARY FOR THE PURPOSE OF:
   (A) PROVIDING OR MAINTAINING A SPECIFIC PRODUCT OR  SERVICE  REQUESTED
 BY SUCH INDIVIDUAL;
   (B)  CONDUCTING  THE  REGULATED ENTITY'S INTERNAL BUSINESS OPERATIONS,
 WHICH EXCLUDE ANY ACTIVITIES RELATED TO MARKETING, ADVERTISING, RESEARCH
 AND DEVELOPMENT, OR PROVIDING PRODUCTS OR SERVICES TO THIRD PARTIES;
   (C) PROTECTING AGAINST MALICIOUS, FRAUDULENT, OR ILLEGAL ACTIVITY;
   (D) DETECTING, RESPONDING TO,  OR  PREVENTING  SECURITY  INCIDENTS  OR
 THREATS;
   (E) PROTECTING THE VITAL INTERESTS OF AN INDIVIDUAL;
   (F) INVESTIGATING, ESTABLISHING, EXERCISING, PREPARING FOR, OR DEFEND-
 ING LEGAL CLAIMS; OR
   (G) COMPLYING WITH THE REGULATED ENTITY'S LEGAL OBLIGATIONS.
   2.  UNLESS  PROCESSING OF AN INDIVIDUAL'S REGULATED HEALTH INFORMATION
 IS STRICTLY NECESSARY PURSUANT TO SUBPARAGRAPH (II) OF PARAGRAPH (B)  OF
 SUBDIVISION ONE OF THIS SECTION, A REGULATED ENTITY THAT PROCESSES REGU-
 LATED  HEALTH INFORMATION PURSUANT TO VALID AUTHORIZATION AS REQUIRED BY
 S. 158--E                           4
 
 SUBPARAGRAPH (I) OF PARAGRAPH (B) OF SUBDIVISION  ONE  OF  THIS  SECTION
 SHALL COMPLY WITH THE FOLLOWING:
   (A)  A  REQUEST FOR AUTHORIZATION TO PROCESS AN INDIVIDUAL'S REGULATED
 HEALTH INFORMATION SHALL:
   (I) BE MADE SEPARATELY FROM ANY OTHER TRANSACTION OR PART OF A  TRANS-
 ACTION;
   (II) BE MADE AT LEAST TWENTY-FOUR HOURS AFTER AN INDIVIDUAL CREATES AN
 ACCOUNT OR FIRST USES THE REQUESTED PRODUCT OR SERVICE;
   (III)  BE MADE IN THE ABSENCE OF ANY MECHANISM THAT HAS THE PURPOSE OR
 SUBSTANTIAL EFFECT OF OBSCURING, SUBVERTING, OR  IMPAIRING  AN  INDIVID-
 UAL'S DECISION-MAKING REGARDING AUTHORIZATION FOR PROCESSING;
   (IV) IF REQUESTING AUTHORIZATION FOR MULTIPLE CATEGORIES OF PROCESSING
 ACTIVITIES,  ALLOW  THE  INDIVIDUAL TO PROVIDE OR WITHHOLD AUTHORIZATION
 SEPARATELY FOR EACH CATEGORY OF PROCESSING ACTIVITY; AND
   (V) NOT INCLUDE ANY REQUEST FOR AUTHORIZATION FOR A PROCESSING  ACTIV-
 ITY FOR WHICH AN INDIVIDUAL HAS WITHHELD OR REVOKED AUTHORIZATION WITHIN
 THE PAST CALENDAR YEAR.
   (B) A VALID AUTHORIZATION SHALL INCLUDE:
   (I) THE TYPES OF REGULATED HEALTH INFORMATION TO BE PROCESSED;
   (II) THE NATURE OF THE PROCESSING ACTIVITY;
   (III) THE SPECIFIC PURPOSES FOR SUCH PROCESSING;
   (IV)  THE  NAMES  WHERE  READILY  AVAILABLE,  OR CATEGORIES OF SERVICE
 PROVIDERS AND THIRD PARTIES TO WHICH THE REGULATED ENTITY  MAY  DISCLOSE
 THE  INDIVIDUAL'S REGULATED HEALTH INFORMATION AND THE PURPOSES FOR SUCH
 DISCLOSURE, INCLUDING THE CIRCUMSTANCES UNDER WHICH THE REGULATED ENTITY
 MAY DISCLOSE REGULATED HEALTH INFORMATION TO LAW ENFORCEMENT;
   (V) ANY MONETARY OR OTHER VALUABLE CONSIDERATION THE REGULATED  ENTITY
 MAY  RECEIVE  IN  CONNECTION  WITH PROCESSING THE INDIVIDUAL'S REGULATED
 HEALTH INFORMATION, WHERE APPLICABLE;
   (VI) THAT FAILING TO PROVIDE AUTHORIZATION WILL NOT AFFECT  THE  INDI-
 VIDUAL'S   EXPERIENCE  OF  USING  THE  REGULATED  ENTITY'S  PRODUCTS  OR
 SERVICES;
   (VII) THE EXPIRATION DATE OF THE AUTHORIZATION, WHICH MAY BE UP TO ONE
 YEAR FROM THE DATE AUTHORIZATION WAS PROVIDED;
   (VIII) THE MECHANISM BY WHICH THE INDIVIDUAL MAY REVOKE  AUTHORIZATION
 PRIOR TO EXPIRATION;
   (IX)  THE  MECHANISM BY WHICH THE INDIVIDUAL MAY REQUEST ACCESS TO AND
 DELETION OF THEIR REGULATED HEALTH INFORMATION;
   (X) ANY OTHER INFORMATION MATERIAL TO AN INDIVIDUAL'S  DECISION-MAKING
 REGARDING AUTHORIZATION FOR PROCESSING; AND
   (XI)  THE SIGNATURE, WHICH MAY BE ELECTRONIC, OF THE INDIVIDUAL WHO IS
 THE SUBJECT OF THE REGULATED HEALTH INFORMATION, OR A PARENT OR GUARDIAN
 AUTHORIZED BY LAW TO TAKE ACTIONS OF LEGAL CONSEQUENCE ON BEHALF OF  THE
 INDIVIDUAL  WHO  IS THE SUBJECT OF THE REGULATED HEALTH INFORMATION, AND
 THE DATE.
   (C) (I) A REGULATED ENTITY THAT RECEIVES AUTHORIZATION FOR  PROCESSING
 SHALL  PROVIDE  AN  EFFECTIVE,  EFFICIENT,  AND EASY-TO-USE MECHANISM BY
 WHICH AN INDIVIDUAL MAY REVOKE AUTHORIZATION  AT  ANY  TIME  THROUGH  AN
 INTERFACE THE INDIVIDUAL REGULARLY USES IN CONNECTION WITH THE REGULATED
 ENTITY'S PRODUCT OR SERVICE.
   (II)  UPON  AN INDIVIDUAL'S REVOCATION OF AUTHORIZATION, THE REGULATED
 ENTITY SHALL IMMEDIATELY  CEASE  ALL  PROCESSING  ACTIVITIES  FOR  WHICH
 AUTHORIZATION WAS REVOKED, EXCEPT TO THE EXTENT NECESSARY TO COMPLY WITH
 THE REGULATED ENTITY'S LEGAL OBLIGATIONS.
   (III)  FOR  INDIVIDUALS  WHO HAVE AN ONLINE ACCOUNT WITH THE REGULATED
 ENTITY, THE REGULATED ENTITY MUST PROVIDE, IN A CONSPICUOUS  AND  EASILY
 S. 158--E                           5
 
 ACCESSIBLE  PLACE  WITHIN THE ACCOUNT SETTINGS, A LIST OF ALL PROCESSING
 ACTIVITIES FOR WHICH THE INDIVIDUAL HAS PROVIDED AUTHORIZATION AND,  FOR
 EACH  PROCESSING  ACTIVITY, ALLOW THE INDIVIDUAL TO REVOKE AUTHORIZATION
 IN THE SAME PLACE WITH ONE MOTION OR ACTION.
   (D)  UPON  OBTAINING VALID AUTHORIZATION FROM AN INDIVIDUAL, THE REGU-
 LATED ENTITY SHALL PROVIDE THAT INDIVIDUAL A COPY OF THE  AUTHORIZATION.
 THE AUTHORIZATION SHALL BE PROVIDED IN A MANNER THAT IS CAPABLE OF BEING
 RETAINED BY THE INDIVIDUAL.
   (E) THE REGULATED ENTITY SHALL LIMIT ITS PROCESSING TO WHAT WAS CLEAR-
 LY DISCLOSED TO AN INDIVIDUAL PURSUANT TO PARAGRAPH (B) OF THIS SUBDIVI-
 SION  WHEN THE REGULATED ENTITY RECEIVED AUTHORIZATION FROM THE INDIVID-
 UAL.
   (F) IF THE REGULATED ENTITY SEEKS TO MATERIALLY ALTER  ITS  PROCESSING
 ACTIVITIES  FOR  REGULATED  HEALTH  INFORMATION  COLLECTED  PURSUANT  TO
 AUTHORIZATION, THE REGULATED ENTITY SHALL OBTAIN A NEW AUTHORIZATION FOR
 THE NEW OR ALTERED PROCESSING ACTIVITY.
   (G) PROVIDING A PRODUCT OR SERVICE REQUESTED BY AN INDIVIDUAL MUST NOT
 BE MADE CONTINGENT ON PROVIDING AUTHORIZATION. THE REGULATED ENTITY MUST
 NOT DISCRIMINATE AGAINST AN INDIVIDUAL  FOR  WITHHOLDING  AUTHORIZATION,
 SUCH  AS BY CHARGING DIFFERENT PRICES OR RATES FOR PRODUCTS OR SERVICES,
 INCLUDING THROUGH THE USE  OF  DISCOUNTS  OR  OTHER  BENEFITS,  IMPOSING
 PENALTIES,  OR  PROVIDING  A  DIFFERENT  LEVEL OR QUALITY OF SERVICES OR
 GOODS TO THE INDIVIDUAL.
   3. A REGULATED ENTITY  THAT  PROCESSES  REGULATED  HEALTH  INFORMATION
 PURSUANT TO A PERMISSIBLE PURPOSE PURSUANT TO SUBPARAGRAPH (II) OF PARA-
 GRAPH  (B)  OF  SUBDIVISION  ONE  OF  THIS SECTION SHALL COMPLY WITH THE
 FOLLOWING:
   (A) A REGULATED ENTITY SHALL PROVIDE CLEAR AND CONSPICUOUS NOTICE THAT
 DESCRIBES:
   (I) THE TYPES OF REGULATED HEALTH INFORMATION TO BE PROCESSED;
   (II) THE NATURE OF THE PROCESSING ACTIVITY;
   (III) THE SPECIFIC PURPOSES FOR SUCH PROCESSING;
   (IV) THE NAMES WHERE  READILY  AVAILABLE,  OR  CATEGORIES  OF  SERVICE
 PROVIDERS  AND  THIRD PARTIES TO WHICH THE REGULATED ENTITY MAY DISCLOSE
 THE INDIVIDUAL'S REGULATED HEALTH INFORMATION AND THE PURPOSES FOR  SUCH
 DISCLOSURE, INCLUDING THE CIRCUMSTANCES UNDER WHICH THE REGULATED ENTITY
 MAY DISCLOSE REGULATED HEALTH INFORMATION TO LAW ENFORCEMENT; AND
   (V)  THE  MECHANISM  BY WHICH THE INDIVIDUAL MAY REQUEST ACCESS TO AND
 DELETION OF THEIR REGULATED HEALTH INFORMATION.
   (B) IF THE REGULATED ENTITY MATERIALLY ALTERS  ITS  PROCESSING  ACTIV-
 ITIES FOR REGULATED HEALTH INFORMATION COLLECTED PURSUANT TO A PERMISSI-
 BLE  PURPOSE,  THE REGULATED ENTITY MUST PROVIDE A CLEAR AND CONSPICUOUS
 NOTICE IN PLAIN LANGUAGE, SEPARATE  FROM  A  PRIVACY  POLICY,  TERMS  OF
 SERVICE, OR SIMILAR DOCUMENT, THAT DESCRIBES ANY MATERIAL CHANGES TO THE
 PROCESSING  ACTIVITIES AND PROVIDE THE INDIVIDUAL WITH AN OPPORTUNITY TO
 REQUEST DELETION OF THEIR REGULATED HEALTH INFORMATION.
   § 1103. INDIVIDUAL RIGHTS. 1. (A) A REGULATED ENTITY SHALL MAKE AVAIL-
 ABLE AN EFFECTIVE,  EFFICIENT,  AND  EASY-TO-USE  MECHANISM  THROUGH  AN
 INTERFACE THE INDIVIDUAL REGULARLY USES IN CONNECTION WITH THE REGULATED
 ENTITY'S PRODUCT OR SERVICE BY WHICH AN INDIVIDUAL MAY REQUEST ACCESS TO
 THEIR REGULATED HEALTH INFORMATION.
   (B)  WITHIN  THIRTY DAYS OF RECEIVING AN ACCESS REQUEST, THE REGULATED
 ENTITY SHALL MAKE AVAILABLE A COPY OF ALL REGULATED  HEALTH  INFORMATION
 ABOUT THE INDIVIDUAL THAT THE REGULATED ENTITY MAINTAINS OR THAT SERVICE
 PROVIDERS MAINTAIN ON BEHALF OF THE REGULATED ENTITY.
 S. 158--E                           6
 
   2.  (A)  A  REGULATED  ENTITY SHALL MAKE AVAILABLE AN EFFECTIVE, EFFI-
 CIENT, AND EASY-TO-USE MECHANISM THROUGH  AN  INTERFACE  THE  INDIVIDUAL
 REGULARLY  USES  IN  CONNECTION  WITH  THE REGULATED ENTITY'S PRODUCT OR
 SERVICE BY WHICH AN INDIVIDUAL MAY REQUEST THE DELETION OF  THEIR  REGU-
 LATED HEALTH INFORMATION.
   (B)  AN  INDIVIDUAL'S REQUEST TO DELETE OR CANCEL THEIR ONLINE ACCOUNT
 SHALL BE TREATED AS A  REQUEST  TO  DELETE  THE  INDIVIDUAL'S  REGULATED
 HEALTH INFORMATION.
   (C)  WITHIN THIRTY DAYS OF RECEIVING A DELETION REQUEST, THE REGULATED
 ENTITY SHALL:
   (I) DELETE ALL REGULATED HEALTH INFORMATION ASSOCIATED WITH THE  INDI-
 VIDUAL  IN  THE  REGULATED ENTITY'S POSSESSION OR CONTROL, EXCEPT TO THE
 EXTENT NECESSARY TO COMPLY  WITH  THE  REGULATED  ENTITY'S  LEGAL  OBLI-
 GATIONS; AND
   (II)  UNLESS  IT PROVES IMPOSSIBLE OR INVOLVES DISPROPORTIONATE EFFORT
 THAT IS DOCUMENTED IN WRITING BY THE REGULATED ENTITY, COMMUNICATE  SUCH
 REQUEST TO EACH SERVICE PROVIDER OR THIRD PARTY THAT PROCESSED THE INDI-
 VIDUAL'S  REGULATED  HEALTH INFORMATION IN CONNECTION WITH A TRANSACTION
 INVOLVING THE REGULATED ENTITY OCCURRING WITHIN ONE YEAR  PRECEDING  THE
 INDIVIDUAL'S REQUEST.
   (D)  ANY  SERVICE  PROVIDER  OR THIRD PARTY THAT RECEIVES NOTICE OF AN
 INDIVIDUAL'S DELETION REQUEST SHALL WITHIN THIRTY DAYS DELETE ALL  REGU-
 LATED   HEALTH   INFORMATION  ASSOCIATED  WITH  THE  INDIVIDUAL  IN  ITS
 POSSESSION OR CONTROL, EXCEPT TO THE EXTENT NECESSARY TO COMPLY WITH ITS
 LEGAL OBLIGATIONS.
   3. ANY RIGHT SET FORTH IN THIS SECTION MAY BE EXERCISED AT ANY TIME BY
 THE INDIVIDUAL WHO IS THE SUBJECT OF THE REGULATED HEALTH INFORMATION OR
 AN AGENT AUTHORIZED BY SUCH INDIVIDUAL.
   § 1104. SECURITY. 1. IN GENERAL, A  REGULATED  ENTITY  SHALL  DEVELOP,
 IMPLEMENT,  AND MAINTAIN REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYS-
 ICAL SAFEGUARDS TO PROTECT THE SECURITY, CONFIDENTIALITY, AND  INTEGRITY
 OF REGULATED HEALTH INFORMATION.
   2.  A  REGULATED ENTITY MUST SECURELY DISPOSE OF AN INDIVIDUAL'S REGU-
 LATED HEALTH INFORMATION PURSUANT  TO  A  PUBLICLY  AVAILABLE  RETENTION
 SCHEDULE  WITHIN  A  REASONABLE  TIME,  AND IN NO EVENT LATER THAN SIXTY
 DAYS, AFTER IT IS NO LONGER NECESSARY TO MAINTAIN  FOR  THE  PERMISSIBLE
 PURPOSE OR PURPOSES IDENTIFIED IN THE NOTICE OR FOR WHICH THE INDIVIDUAL
 PROVIDED VALID AUTHORIZATION.
   §  1105. SERVICE PROVIDERS. 1. IN GENERAL, ANY PROCESSING OF REGULATED
 HEALTH INFORMATION BY A SERVICE PROVIDER ON BEHALF OF A REGULATED ENTITY
 SHALL BE GOVERNED BY A WRITTEN, BINDING AGREEMENT. SUCH AGREEMENT  SHALL
 CLEARLY  SET FORTH INSTRUCTIONS FOR PROCESSING REGULATED HEALTH INFORMA-
 TION, THE NATURE AND PURPOSE OF PROCESSING, THE DURATION OF  PROCESSING,
 AND THE RIGHTS AND OBLIGATIONS OF BOTH PARTIES.
   2.  AN  AGREEMENT  PURSUANT  TO  SUBDIVISION ONE OF THIS SECTION SHALL
 REQUIRE THAT THE SERVICE PROVIDER:
   (A) ENSURE THAT EACH PERSON PROCESSING REGULATED HEALTH INFORMATION IS
 SUBJECT TO A DUTY OF CONFIDENTIALITY WITH RESPECT TO SUCH INFORMATION;
   (B) PROTECT REGULATED HEALTH INFORMATION IN A MANNER  CONSISTENT  WITH
 THE REQUIREMENTS OF THIS ARTICLE;
   (C)  PROCESS  REGULATED HEALTH INFORMATION ONLY WHEN AND TO THE EXTENT
 NECESSARY TO COMPLY WITH ITS OBLIGATIONS TO THE REGULATED ENTITY;
   (D) NOT COMBINE THE REGULATED HEALTH  INFORMATION  WHICH  THE  SERVICE
 PROVIDER  RECEIVES  FROM  OR  ON BEHALF OF THE REGULATED ENTITY WITH ANY
 OTHER PERSONAL INFORMATION WHICH THE SERVICE PROVIDER RECEIVES  FROM  OR
 S. 158--E                           7
 
 ON  BEHALF  OF  ANOTHER PARTY OR COLLECTS FROM ITS OWN RELATIONSHIP WITH
 INDIVIDUALS;
   (E)  COMPLY WITH ANY EXERCISES OF AN INDIVIDUAL'S RIGHTS UNDER SECTION
 ELEVEN HUNDRED THREE OF THIS ARTICLE UPON THE REQUEST OF  THE  REGULATED
 ENTITY  AND  NOTIFY  ANY  SERVICE PROVIDERS OR THIRD PARTIES TO WHICH IT
 DISCLOSED REGULATED HEALTH INFORMATION OF THE REQUEST;
   (F) DELETE OR RETURN ALL REGULATED HEALTH INFORMATION TO THE REGULATED
 ENTITY AT THE END OF THE PROVISION OF SERVICES, UNLESS RETENTION OF  THE
 REGULATED HEALTH INFORMATION IS REQUIRED BY LAW;
   (G)  UPON  THE REASONABLE REQUEST OF THE REGULATED ENTITY, MAKE AVAIL-
 ABLE TO THE REGULATED ENTITY ALL DATA IN  ITS  POSSESSION  NECESSARY  TO
 DEMONSTRATE  THE  SERVICE  PROVIDER'S COMPLIANCE WITH THE OBLIGATIONS IN
 THIS SECTION;
   (H) ALLOW, AND COOPERATE WITH, REASONABLE ASSESSMENTS BY THE REGULATED
 ENTITY OR THE REGULATED ENTITY'S DESIGNATED  ASSESSOR  FOR  PURPOSES  OF
 EVALUATING  COMPLIANCE  WITH  THE OBLIGATIONS OF THIS ARTICLE.  ALTERNA-
 TIVELY, THE SERVICE PROVIDER MAY ARRANGE FOR A QUALIFIED AND INDEPENDENT
 ASSESSOR TO CONDUCT AN ASSESSMENT OF THE SERVICE PROVIDER'S POLICIES AND
 TECHNICAL AND ORGANIZATIONAL MEASURES  IN  SUPPORT  OF  THE  OBLIGATIONS
 UNDER THIS ARTICLE USING AN APPROPRIATE AND ACCEPTED CONTROL STANDARD OR
 FRAMEWORK  AND  ASSESSMENT  PROCEDURE  FOR SUCH ASSESSMENTS. THE SERVICE
 PROVIDER SHALL PROVIDE A REPORT OF  SUCH  ASSESSMENT  TO  THE  REGULATED
 ENTITY UPON REQUEST;
   (I)  NOTIFY  THE  REGULATED ENTITY A REASONABLE TIME IN ADVANCE BEFORE
 DISCLOSING OR TRANSFERRING REGULATED HEALTH INFORMATION TO  ANY  FURTHER
 SERVICE  PROVIDERS, WHICH MAY BE IN THE FORM OF A REGULARLY UPDATED LIST
 OF FURTHER SERVICE PROVIDERS THAT MAY ACCESS REGULATED  HEALTH  INFORMA-
 TION; AND
   (J) ENGAGE ANY FURTHER SERVICE PROVIDER PURSUANT TO A WRITTEN, BINDING
 AGREEMENT  THAT  INCLUDES  THE CONTRACTUAL REQUIREMENTS PROVIDED IN THIS
 SECTION, CONTAINING AT MINIMUM THE SAME  OBLIGATIONS  THAT  THE  SERVICE
 PROVIDER HAS ENTERED INTO WITH REGARD TO REGULATED HEALTH INFORMATION.
   § 1106. EXEMPTIONS. NOTHING IN THIS ARTICLE SHALL APPLY TO:
   1. INFORMATION PROCESSED BY LOCAL, STATE, AND FEDERAL GOVERNMENTS, AND
 MUNICIPAL CORPORATIONS;
   2.  PROTECTED HEALTH INFORMATION THAT IS COLLECTED BY A COVERED ENTITY
 OR BUSINESS ASSOCIATE GOVERNED BY  THE  PRIVACY,  SECURITY,  AND  BREACH
 NOTIFICATION  RULES ISSUED BY THE UNITED STATES DEPARTMENT OF HEALTH AND
 HUMAN SERVICES, PARTS 160 AND 164 OF TITLE 45 OF  THE  CODE  OF  FEDERAL
 REGULATIONS,  ESTABLISHED  PURSUANT  TO THE HEALTH INSURANCE PORTABILITY
 AND ACCOUNTABILITY ACT OF 1996  (PUBLIC  LAW  104-191)  AND  THE  HEALTH
 INFORMATION  TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT (PUBLIC LAW
 111-5);
   3. ANY COVERED ENTITY GOVERNED BY THE PRIVACY,  SECURITY,  AND  BREACH
 NOTIFICATION  RULES ISSUED BY THE UNITED STATES DEPARTMENT OF HEALTH AND
 HUMAN SERVICES, PARTS 160 AND 164 OF TITLE 45 OF  THE  CODE  OF  FEDERAL
 REGULATIONS,  ESTABLISHED  PURSUANT  TO THE HEALTH INSURANCE PORTABILITY
 AND ACCOUNTABILITY ACT OF 1996 (PUBLIC LAW 104-191), TO THE  EXTENT  THE
 COVERED  ENTITY  MAINTAINS  PATIENT  INFORMATION  IN  THE SAME MANNER AS
 PROTECTED HEALTH INFORMATION AS DESCRIBED IN  SUBDIVISION  TWO  OF  THIS
 SECTION; AND
   4.  INFORMATION  COLLECTED  AS PART OF A CLINICAL TRIAL SUBJECT TO THE
 FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS, ALSO KNOWN  AS  THE
 COMMON RULE, PURSUANT TO GOOD CLINICAL PRACTICE GUIDELINES ISSUED BY THE
 INTERNATIONAL  COUNCIL  FOR  HARMONISATION  OR PURSUANT TO HUMAN SUBJECT
 S. 158--E                           8
 
 PROTECTION REQUIREMENTS OF THE UNITED  STATES  FOOD  AND  DRUG  ADMINIS-
 TRATION.
   §  1107.  ENFORCEMENT. 1. WHENEVER IT APPEARS TO THE ATTORNEY GENERAL,
 EITHER UPON COMPLAINT OR OTHERWISE, THAT ANY PERSON OR  PERSONS,  WITHIN
 OR OUTSIDE THE STATE, HAS ENGAGED IN OR IS ABOUT TO ENGAGE IN ANY OF THE
 ACTS OR PRACTICES STATED TO BE UNLAWFUL UNDER THIS ARTICLE, THE ATTORNEY
 GENERAL  MAY  BRING  AN  ACTION OR SPECIAL PROCEEDING IN THE NAME AND ON
 BEHALF OF THE PEOPLE OF THE STATE OF NEW YORK TO ENJOIN ANY VIOLATION OF
 THIS ARTICLE, TO OBTAIN RESTITUTION OF ANY MONEYS OR  PROPERTY  OBTAINED
 DIRECTLY  OR INDIRECTLY BY ANY SUCH VIOLATION, TO OBTAIN DISGORGEMENT OF
 ANY PROFITS OBTAINED DIRECTLY OR INDIRECTLY BY ANY  SUCH  VIOLATION,  TO
 OBTAIN  CIVIL  PENALTIES  OF  NOT MORE THAN FIFTEEN THOUSAND DOLLARS PER
 VIOLATION OR TWENTY PERCENT OF REVENUE OBTAINED FROM NEW YORK  CONSUMERS
 WITHIN  THE  PAST  FISCAL  YEAR, WHICHEVER IS GREATER, AND TO OBTAIN ANY
 SUCH OTHER AND FURTHER RELIEF AS THE COURT MAY  DEEM  PROPER,  INCLUDING
 PRELIMINARY RELIEF.
   2.  THE  REMEDIES PROVIDED BY THIS SECTION SHALL BE IN ADDITION TO ANY
 OTHER LAWFUL REMEDY AVAILABLE.
   3. ANY ACTION OR SPECIAL PROCEEDING BROUGHT BY  THE  ATTORNEY  GENERAL
 PURSUANT  TO THIS SECTION MUST BE COMMENCED WITHIN SIX YEARS OF THE DATE
 ON WHICH THE ATTORNEY GENERAL BECAME AWARE OF THE VIOLATION.
   4. IN CONNECTION WITH ANY PROPOSED ACTION OR SPECIAL PROCEEDING  UNDER
 THIS  SECTION, THE ATTORNEY GENERAL IS AUTHORIZED TO TAKE PROOF AND MAKE
 A DETERMINATION OF THE RELEVANT FACTS, AND TO ISSUE SUBPOENAS IN ACCORD-
 ANCE WITH THE CIVIL PRACTICE LAW AND RULES.  THE  ATTORNEY  GENERAL  MAY
 ALSO  REQUIRE  SUCH OTHER DATA AND INFORMATION AS THEY MAY DEEM RELEVANT
 AND MAY REQUIRE WRITTEN RESPONSES TO QUESTIONS UNDER OATH. SUCH POWER OF
 SUBPOENA AND EXAMINATION SHALL NOT ABATE OR TERMINATE BY REASON  OF  ANY
 ACTION  OR SPECIAL PROCEEDING BROUGHT BY THE ATTORNEY GENERAL UNDER THIS
 ARTICLE.
   5. THIS SECTION SHALL APPLY TO ALL ACTS DECLARED  TO  BE  UNLAWFUL  IN
 THIS ARTICLE, WHETHER OR NOT SUBJECT TO ANY OTHER LAW OF THIS STATE, AND
 SHALL  NOT  SUPERSEDE, AMEND OR REPEAL ANY OTHER LAW OF THIS STATE UNDER
 WHICH THE ATTORNEY GENERAL IS AUTHORIZED TO TAKE ANY ACTION  OR  CONDUCT
 ANY INQUIRY.
   6.  THE  ATTORNEY GENERAL MAY PROMULGATE SUCH RULES AND REGULATIONS AS
 ARE NECESSARY TO EFFECTUATE AND ENFORCE THE PROVISIONS OF THIS SECTION.
   § 1108. CONTRACTS AND WAIVERS VOID AND UNENFORCEABLE.  1. ANY CONTRAC-
 TUAL PROVISION INCONSISTENT WITH THIS ARTICLE SHALL BE  VOID  AND  UNEN-
 FORCEABLE.
   2.  ANY  WAIVER  BY  ANY  INDIVIDUAL OF THE PROVISIONS OF THIS ARTICLE
 SHALL BE VOID AND UNENFORCEABLE.
   § 2. Severability. If any clause,  sentence,  paragraph,  subdivision,
 section  or part of this act shall be adjudged by any court of competent
 jurisdiction to be invalid, such judgment shall not affect,  impair,  or
 invalidate the remainder thereof, but shall be confined in its operation
 to the clause, sentence, paragraph, subdivision, section or part thereof
 directly  involved  in the controversy in which such judgment shall have
 been rendered. It is hereby declared to be the intent of the legislature
 that this act would have been enacted even if  such  invalid  provisions
 had not been included herein.
   §  3. This act shall take effect one year after it shall have become a
 law. Effective immediately, the addition, amendment and/or repeal of any
 rule or regulation necessary for the implementation of this act  on  its
 effective date are authorized to be made and completed on or before such
 effective date.

Comments

Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.

Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.

Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Do you support this bill?

Get Status Alerts for 2023-S158

Senate Bill S158

Share this bill

Sponsored By

Archive: Last Bill Status - On Floor Calendar

Actions

Votes

Bill Amendments

co-Sponsors

2023-S158 - Details

2023-S158 - Summary

2023-S158 - Sponsor Memo

2023-S158 - Bill Text download pdf

co-Sponsors

2023-S158A - Details

2023-S158A - Summary

2023-S158A - Sponsor Memo

2023-S158A - Bill Text download pdf

co-Sponsors

2023-S158B - Details

2023-S158B - Summary

2023-S158B - Sponsor Memo

2023-S158B - Bill Text download pdf

co-Sponsors

2023-S158C - Details

2023-S158C - Summary

2023-S158C - Sponsor Memo

2023-S158C - Bill Text download pdf

co-Sponsors

2023-S158D - Details

2023-S158D - Summary

2023-S158D - Sponsor Memo

2023-S158D - Bill Text download pdf

co-Sponsors

2023-S158E (ACTIVE) - Details

2023-S158E (ACTIVE) - Summary

2023-S158E (ACTIVE) - Sponsor Memo

2023-S158E (ACTIVE) - Bill Text download pdf

Comments