Creates privacy standards for electronic health products and services; requires consent to be given for the collection and/or sharing of personal health information or other personal data.
STATE OF NEW YORK
________________________________________________________________________
1415
2025-2026 Regular Sessions
IN ASSEMBLY
January 9, 2025
___________
Introduced by M. of A. ROSENTHAL, GALLAGHER, KELLES, SIMON, OTIS -- read
once and referred to the Committee on Consumer Affairs and Protection
AN ACT to amend the general business law, in relation to electronic
health products and services
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. The general business law is amended by adding a new article
2 42-A to read as follows:
3 ARTICLE 42-A
4 ELECTRONIC HEALTH PRODUCTS AND SERVICES
5 Section 1200. Definitions.
6 1201. Electronic health products and services; privacy.
7 1202. Private right of action.
8 1203. Actions that are HIPAA compliant.
9 § 1200. Definitions. For the purposes of this article, the following
10 terms shall have the following meanings:
11 1. "Consent" means an action which (a) clearly and conspicuously
12 communicates the individual's authorization of an act or practice; (b)
13 is made in the absence of any mechanism in the user interface that has
14 the purpose or substantial effect of obscuring, subverting, or impairing
15 decision making or choice to obtain consent; and (c) cannot be inferred
16 from inaction.
17 2. "Deactivation" means a user's deletion, removal, or other action
18 made to terminate their use of an electronic health product or service.
19 3. "Electronic health product or service" means any software or hard-
20 ware, including a mobile application, website, or other related product
21 or service, that is designed to maintain personal health information, in
22 order to make such personal health information available to a user or to
23 a health care provider at the request of such user or health care
24 provider, for the purposes of allowing such user to manage their infor-
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD04278-01-5
A. 1415 2
1 mation, or for the diagnosis, treatment, or management of a medical
2 condition.
3 4. "Health care provider" means:
4 (a) a hospital as defined in article twenty-eight of the public health
5 law, a home care services agency as defined in article thirty-six of the
6 public health law, a hospice as defined in article forty of the public
7 health law, a health maintenance organization as defined in article
8 forty-four of the public health law, or a shared health facility as
9 defined in article forty-seven of the public health law; or
10 (b) a person licensed under article one hundred thirty-one, one
11 hundred thirty-one-B, one hundred thirty-two, one hundred thirty-three,
12 one hundred thirty-six, one hundred thirty-nine, one hundred forty-one,
13 one hundred forty-three, one hundred forty-four, one hundred fifty-
14 three, one hundred fifty-four, one hundred fifty-six or one hundred
15 fifty-nine of the education law.
16 5. "Individually identifiable information" means any information that
17 identifies or could reasonably be linked, directly or indirectly, to a
18 particular consumer, household, or consumer device.
19 6. "Personal health information" means any individually identifiable
20 information about an individual's mental or physical condition provided
21 by such individual, or otherwise gained or inferred from monitoring such
22 individual's mental or physical condition.
23 7. "Other personal data" means any individually identifiable informa-
24 tion about an individual provided by such individual, or otherwise
25 gained or inferred from monitoring such individual, other than personal
26 health information.
27 8. "User" means an individual who has downloaded or uses an electronic
28 health product or service.
29 9. "Data processing" means any action or set of actions performed on
30 or with personal information, including but not limited to collection,
31 access, use, retention, sharing, monetizing, analysis, creation, gener-
32 ation, derivation, decision-making, recording, alternation, organiza-
33 tion, structuring, storage, disclosure, transmission, sale, licensing,
34 disposal, destruction, de-identifying, or other handling of personal
35 information.
36 10. "Covered organization" means an entity that offers an electronic
37 health product or service that is subject to the provisions of this
38 article.
39 § 1201. Electronic health products and services; privacy. 1. (a) It
40 shall be unlawful for a covered organization to engage in data process-
41 ing unless:
42 (i) the user to whom the information or data pertains has given affir-
43 mative express consent to such data processing; or
44 (ii) such data processing is strictly necessary and proportionate for
45 the purpose of:
46 (A) protecting against malicious, fraudulent, or illegal activity;
47 (B) detecting, responding to, or preventing security incidents or
48 threats; or
49 (C) the covered organization is compelled to do so by a warrant or
50 court order.
51 (b) The general nature of any data processing shall be conveyed by the
52 covered organization in a standalone document such as a data processing
53 addendum, and in clear and prominent terms in such a way that an ordi-
54 nary consumer would notice and understand such terms.
55 (c) A user may consent to data processing on behalf of their dependent
56 minors.
A. 1415 3
1 (d) A covered organization shall provide an effective mechanism for a
2 user to revoke their consent after it is given. After a user revokes
3 their consent, the covered organization shall cease all data processing
4 of such user's personal health information or other personal data as
5 soon as practicable, but not later than fifteen days after such user
6 revokes such consent. The covered organization shall also delete or
7 otherwise destroy any such user's personal health information or other
8 personal data per the terms of paragraph (a) of subdivision four of this
9 section.
10 2. In order to obtain consent in compliance with subdivision one of
11 this section, an entity offering an electronic health product or service
12 shall:
13 (a) disclose to the user all personal health information or other
14 personal data such electronic health product or service will collect
15 from the user upon obtaining consent;
16 (b) disclose to the user any third party with whom such user's
17 personal health information or other personal data may be shared by the
18 electronic health product or service upon obtaining consent;
19 (c) disclose to the user the purpose for collecting any personal
20 health information or other personal data; and
21 (d) allow the user to withdraw consent at any time.
22 3. No electronic health product or service shall collect any personal
23 health information or other personal data beyond which a user has
24 specifically consented to share with such electronic health product or
25 service under subdivision one of this section.
26 4. (a) An electronic health product or service shall delete or other-
27 wise destroy any personal health information or other personal data
28 collected from a user immediately upon such user's request, withdrawal
29 of consent; or upon such user's deactivation of their account.
30 (b) An entity that collects a user's personal health information or
31 other personal data shall limit its collection and sharing of that
32 information with third parties to what is reasonably necessary to
33 provide a service or conduct an activity that a user has requested or is
34 reasonably necessary for security or fraud prevention.
35 (c) An entity that collects a user's personal health information or
36 other personal data shall limit its use and retention of such informa-
37 tion to what is strictly necessary to provide a service or conduct an
38 activity that a user has requested or a related operational purpose,
39 provided that information collected or retained solely for security or
40 fraud prevention may not be used for operational purposes. Monetization
41 of personal health information or other personal data, including but not
42 limited to the use of targeted advertising, cross-context behavioral
43 advertising or marketing services, or the use of personal health infor-
44 mation for training or inclusion in machine learning models, beyond that
45 which a user has explicitly consented to shall not be considered strict-
46 ly necessary to provide a service or conduct an activity or a related
47 operational purpose.
48 (d) If a user deletes their personal health information or other
49 personal data collected by an entity, or requests the entity delete
50 their personal health information or other personal data, such entity
51 shall retain such user's personal health information or other personal
52 data on any server or data management system no longer than thirty days
53 after such deletion or request. The entity must give the user an oppor-
54 tunity to download a copy of such personal health information or
55 personal data prior to permanent deletion.
A. 1415 4
1 5. A covered organization shall not discriminate against a user
2 because the user exercised any of the user's rights under this article,
3 or did not agree to information processing for a separate product or
4 service, including, but not limited to, by:
5 (a) Denying goods or services to the user.
6 (b) Charging different prices or rates for goods or services, includ-
7 ing through the use of discounts or other benefits or imposing penal-
8 ties.
9 (c) Providing a different level or quality of goods or services to the
10 user.
11 (d) Suggesting that the consumer will receive a different price or
12 rate for goods or services or a different level or quality of goods or
13 services.
14 6. A covered organization shall implement and maintain reasonable
15 security procedures and practices, including administrative, physical,
16 and technical safeguards, appropriate to the nature of the information
17 and the purposes for which the personal health information or other
18 personal data will be used, to protect consumers' personal health infor-
19 mation or other personal data from unauthorized use, disclosure, access,
20 destruction, or modification.
21 § 1202. Private right of action. 1. Any person who has been injured by
22 reason of a violation of this article may bring an action in their own
23 name, or in the name of their minor child, to enjoin such unlawful act,
24 or to recover the greater of their actual damages or one thousand
25 dollars, or both such actions. The court shall award reasonable attor-
26 ney's fees to a prevailing plaintiff. Actions pursuant to this section
27 may be brought on a class-wide basis.
28 2. Any entity who violates this article is subject to an injunction
29 and liable for damages and a civil penalty. When calculating damages and
30 civil penalties, the court shall consider the number of affected indi-
31 viduals, the severity of the violation, and the size and revenues of the
32 covered entity. Each individual whose data was unlawfully processed
33 counts as a separate violation. Each provision of this article that was
34 violated counts as a separate violation.
35 § 1203. Actions that are HIPAA compliant. Nothing in this article
36 shall prohibit any action taken with respect to the health information
37 of an individual by a business associate or covered organization that is
38 permissible under the federal regulations concerning standards for
39 privacy of individually identifiable health information promulgated
40 under section 264(c) of the Health Insurance Portability and Account-
41 ability Act of 1996.
42 § 2. This act shall take effect on the sixtieth day after it shall
43 have become a law.