This entry was published on 2025-08-22
SECTION 394-H
Electronic health information protections
General Business (GBS) CHAPTER 20, ARTICLE 26
§ 394-h. Electronic health information protections. 1. For the
purposes of this section, the following terms shall have the following
meanings:

a. Electronic health information. The term "electronic health
information" means any information in any electronic format or media
that relates to an individual or a device that is reasonably linkable to
an individual or individuals in connection with any past, present, or
future disability, physical health condition, or mental health
condition; the search for or attempt to obtain health care services; any
past, present, or future treatment or other health care services for a
disability, physical health condition, or mental health condition;
location information associated with a health care facility; or the
past, present, or future payment for health care services. For the
avoidance of doubt, any inference drawn or data derived about an
individual or a device that is reasonably linkable to an individual or
individuals that relates to any of these topics in any electronic format
or media is considered electronic health information. Electronic health
information does not include deidentified information.

b. Law enforcement agency. The term "law enforcement agency" shall
have the same meaning as in subdivision four of section 705.00 of the
criminal procedure law.

c. Law enforcement officer. The term "law enforcement officer" means a
police officer or peace officer as defined in section 1.20 of the
criminal procedure law.

2. Prohibition on access to electronic health information.
Notwithstanding any other law, law enforcement agencies and law
enforcement officers shall be prohibited from purchasing or obtaining
electronic health information without a warrant.

3. Exemptions. Nothing in this article shall apply to:

a. Information processed by local, state, and federal governments, and
municipal corporations;

b. Protected health information that is collected by a covered entity
or business associate governed by the privacy, security, and breach
notification rules issued by the United States Department of Health and
Human Services, Parts 160 and 164 of Title 45 of the Code of Federal
Regulations, established pursuant to the Health Insurance Portability
and Accountability Act of 1996 (Public Law 104-191) and the Health
Information Technology for Economic and Clinical Health Act (Public Law
111-5);

c. Any covered entity governed by the privacy, security, and breach
notification rules issued by the United States Department of Health and
Human Services, Parts 160 and 164 of Title 45 of the Code of Federal
Regulations, established pursuant to the Health Insurance Portability
and Accountability Act of 1996 (Public Law 104-191), to the extent the
covered entity maintains patient information in the same manner as
protected health information as described in paragraph b of this
subdivision;

d. Information collected as part of a clinical trial subject to the
Federal Policy for the Protection of Human Subjects, also known as the
Common Rule, pursuant to good clinical practice guidelines issued by the
International Council for Harmonisation or pursuant to human subject
protection requirements of the United States Food and Drug
Administration;

e. Information processed pursuant to the federal Family Educational
Rights and Privacy Act (20 U.S.C. Sec. 1232g) and its implementing
regulations;

f. Information processed pursuant to section two-d of the education
law; and

g. Information processed pursuant to the federal Driver's Privacy
Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq).