This entry was published on 2023-03-31
SECTION 2169
Vaccine confidentiality
Public Health (PBH) CHAPTER 45, ARTICLE 21, TITLE 6
§ 2169. Vaccine confidentiality. 1. As used in this section, unless
context requires otherwise:

(a) The term "consent" shall mean informed, affirmative, and voluntary
authorization.

(b) The term "de-identified" shall mean that the information cannot
identify or be made to identify or be associated with a particular
individual, directly or indirectly, and is subject to technical
safeguards and policies and procedures that prevent re-identification,
whether intentionally or unintentionally, of any individual.

(c) The term "disclosure" shall mean release, transfer, provision of,
access to, or divulging in any other manner of information outside the
entity holding the information.

(d) The term "immigration authority" means any entity, officer,
employee, or government employee or agent thereof charged with or
engaged in enforcement of the federal Immigration and Nationality Act,
including the United States Immigration and Customs Enforcement, United
States Department of Homeland Security, or United States Customs and
Border Protection, or agent, contractor, or employee thereof, or any
successor legislation or entity.

(e) The term "law enforcement agent or entity" means any governmental
entity or public servant, or agent, contractor or employee thereof,
authorized to investigate, prosecute, or make an arrest for a criminal
or civil offense, or engaged in any such activity, but shall not mean
the department, the commissioner, a health district, a county department
of health, a county health commissioner, a local board of health, a
local health officer, the department of health and mental hygiene of the
city of New York, or the commissioner of the department of health and
mental hygiene of the city of New York.

(f) The term "personal information" shall mean information obtained
from or about an individual, in connection with their registering for a
vaccination, that directly or indirectly identifies, relates to,
describes, is capable of being associated with, or could reasonably be
linked to a particular individual, household, or personal device.
Information is reasonably linkable to an individual, household, or
personal device if it can be used on its own or in combination with
other reasonably available information, when such information is held by
the vaccine navigator, to identify an individual, household, or a
personal device.

(g) The term "service attendant to the delivery of immunization" shall
mean facilitating an immunization appointment, sending reminders about
immunization, arranging transportation to or from a vaccine provider, or
reporting to the department, the New York City department of health and
mental hygiene, or other local health agency on whose behalf such
vaccine navigator is performing such services.

(h) The term "use" shall mean, with respect to personal information,
the sharing, employment, application, utilization, examination or
analysis of such information within an entity that maintains such
information.

(i) The term "vaccine navigator" shall mean any person that collects
personal information from an individual in order to register that
individual for immunization or to help that individual register for
immunization, provided the department, a local public health agency, or
a person that administers vaccines or their designees are not vaccine
navigators.

2. (a) Except as provided in paragraph (d) of this subdivision, absent
consent from the individual seeking immunization, or if the individual
lacks the capacity to make health care decisions, an individual
authorized to consent to health care for the individual or the
individual's legal representative, a vaccine navigator shall not use,
disclose, or maintain personal information except as necessary to
provide services attendant to the delivery of immunization.

(b) A vaccine navigator may request consent from an individual, or if
the individual lacks the capacity to make health care decisions, an
individual authorized to consent to health care for the individual or
the individual's legal representative, to use, disclose, or maintain the
individual's personal information for purposes other than services
attendant to the delivery of immunization provided that:

(i) a vaccine navigator shall not refuse to provide a service
attendant to the delivery of immunization for an individual who does not
provide such consent;

(ii) a vaccine navigator shall not relate the price or quality of any
service attendant to the delivery of immunization to the privacy
protections afforded the individual, including by providing a discount
or other incentive in exchange for such consent, provided that this
paragraph does not prohibit the offering of incentives to individuals to
get vaccinated; provided that such incentives shall not be conditioned
on an individual's consent to additional uses, disclosures, or
maintenance of their personal information except as necessary to provide
the incentive; and

(iii) a vaccine navigator shall clearly delineate what personal
information is adequate, relevant, and necessary to provide a service
attendant to the delivery of immunization by clearly and conspicuously
indicating in any solicitation for the information that all other
requests for personal information are optional.

(c) Except as provided in paragraph (d) of this subdivision:

(i) No vaccine navigator may provide personal information or otherwise
make personal information accessible, directly or indirectly, to a law
enforcement agent or entity or immigration authority;

(ii) No vaccine navigator may provide personal information or
otherwise make personal information accessible, directly or indirectly,
to any other individual or entity, except as explicitly authorized by
this title; and

(iii) Without consent under this subdivision, personal information and
any evidence derived therefrom shall not be subject to or provided in
response to any legal process or be admissible for any purpose in any
judicial or administrative action or proceeding unless provided in
response pursuant to warrants, court-ordered subpoenas, administrative
subpoenas, or grand jury subpoenas.

(d) (i) This section does not bar otherwise lawful disclosure,
possession or use of information pertaining to services attendant to the
delivery of immunization, including aggregate information, that is
de-identified. Disclosure, possession or use under this subparagraph
shall only be for a public health or public health research purposes.

(ii) A vaccine navigator may only possess or use de-identified
information pertaining to services attendant to the delivery of
immunization if the vaccine navigator maintains technical safeguards and
policies and procedures that prevent re-identification, whether
intentional or unintentional, of any individual, as may be required by
the commissioner (or the New York city commissioner of health and mental
hygiene, in the case of information collected by or under authority of
the New York city department of health and mental hygiene. The
commissioner (or the New York city commissioner as the case may be)
shall require safeguards, policies and procedures under this paragraph
as the commissioner deems practicable.

(iii) Disclosure, possession and use of de-identified information
under this subdivision shall be only pursuant to approval by the
commissioner (or the New York city commissioner of health and mental
hygiene in the case of information collected by or under authority of
the New York city department of health and mental hygiene) specifying
the purpose, nature and scope of the disclosure, possession and use and
measures to ensure that it will comply with this section and the terms
of the approval.

(e) A vaccine navigator that maintains personal information shall
establish appropriate administrative, technical, and physical
safeguards, policies, and procedures that ensure the security of that
personal information. The safeguards, policies, and procedures must be
appropriate to the volume and nature of the personal information
maintained and the size, revenue, and sophistication of the vaccine
navigator and must ensure that personal information is encrypted and
protected at least as much as or more than other confidential
information in the vaccine navigator's possession. The commissioner or,
in the city of New York, the commissioner of the department of health
and mental hygiene may make regulations as reasonably necessary to
require that personal information possessed, used, or under the control
of a vaccine navigator shall be subject to technical safeguards,
policies, and procedures for storage, transmission, use, and protection
of the information. The regulations must take into account the different
sizes, revenues and sophistications of different vaccine navigators, as
well as the volume and nature of the personal information they maintain.

(f) Nothing in this section shall limit a vaccine navigator that has a
pre-existing service provider-client, provider-patient, or familial
relationship or a friendship with an individual from processing that
individual's personal information as previously agreed to in the course
of the pre-existing relationship.

3. Vaccine providers. A vaccine provider shall not delay or condition
the provision of any service attendant to the delivery of immunization
by inviting or requiring an individual seeking vaccination to complete
an application for a customer discount card or account or share personal
information that will be stored outside of a record protected under the
federal Health Insurance Portability and Accountability Act of 1996, its
implementing regulations, or section eighteen of this chapter for
purposes other than services attendant to the delivery of immunization,
or by engaging in any other activity unrelated to the provision of such
a service that the commissioner designates by regulation.