Amd §§2168 & 2180, add §§2169 & 2183, Pub Health L
 
Restricts vaccine registry information from discovery and other process; requires the commissioner of health and the New York City commissioner of health and mental hygiene to develop regulations to protect patient vaccine information from disclosure.
STATE OF NEW YORK
________________________________________________________________________
7326--A
Cal. No. 239
2021-2022 Regular Sessions
IN ASSEMBLY
May 5, 2021
___________
Introduced by M. of A. GOTTFRIED, BRABENEC, CYMBROWITZ, DICKENS, ENGLE-
BRIGHT, GALLAGHER, HEVESI, McDONALD, MONTESANO, OTIS, PAULIN, SIMON,
TAYLOR, THIELE, ZINERMAN, LAVINE, DAVILA, FORREST, FERNANDEZ, GONZA-
LEZ-ROJAS, GOODELL, SEAWRIGHT -- read once and referred to the Commit-
tee on Health -- ordered to a third reading -- passed by Assembly and
delivered to the Senate, recalled from the Senate, vote reconsidered,
bill amended, ordered reprinted, retaining its place on the order of
third reading
AN ACT to amend the public health law, in relation to protecting the
confidentiality of vaccine information
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. Subdivision 11 of section 2168 of the public health law,
2 as amended by chapter 154 of the laws of 2013, is amended to read as
3 follows:
4 11. The commissioner, or in the city of New York, the commissioner of
5 the department of health and mental hygiene, may provide registrant
6 specific immunization and lead test records to the federal centers for
7 disease control and prevention or its successor agency, to other state
8 or city registries and registries maintained by the Indian Health
9 Service and tribal nations recognized by the state or the United States
10 pursuant to a written agreement requiring that the other registry
11 conform to national standards for maintaining the integrity of the data
12 and that the data will [not] only be used for purposes [inconsistent]
13 consistent with the provisions of this section and provided that disclo-
14 sure of identifiable registrant information shall be limited to the
15 minimum amount necessary to accomplish the purposes consistent with the
16 provisions of this section as determined by the commissioner, or in the
17 city of New York, the commissioner of the department of health and
18 mental hygiene.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD11016-03-2
A. 7326--A 2
1 § 2. Section 2168 of the public health law is amended by adding a new
2 subdivision 11-a to read as follows:
3 11-a. The commissioner, or in the city of New York, the commissioner
4 of the department of health and mental hygiene, may only share registry
5 information with the federal Centers for Disease Control and Prevention,
6 or successor agency, for public health purposes in summary, statistical,
7 aggregate, or other form such that no individual person can be identi-
8 fied, except that either such commissioner may disclose identifiable
9 registrant information to the federal Centers for Disease Control and
10 Prevention, or its successor agency, when the commissioner has deter-
11 mined that the disclosure is in the best interests of the registrant or
12 will contribute to the protection of public health, that the objective
13 of the disclosure cannot be served by disclosure limited to de-identi-
14 fied information, and the federal health officials have committed in
15 writing not to redisclose to or share registrant information with any
16 other federal agency, including but not limited to the department of
17 homeland security, immigration and customs enforcement, customs and
18 border protection, or any successor agency, or any law enforcement agen-
19 cy; provided that either such commissioner may forgo the written commit-
20 ment if requiring written commitment would result in the actual with-
21 holding of federal funds.
22 § 3. Paragraph (d) of subdivision 4 of section 2168 of the public
23 health law, as amended by section 7 of part A of chapter 58 of the laws
24 of 2009, is amended to read as follows:
25 (d) [A person, institution or agency to whom such immunization infor-
26 mation is furnished or to whom, access to records or information has
27 been given, shall not divulge any part thereof so as to disclose the
28 identity of such person to whom such information or record relates,
29 except insofar as such disclosure is necessary for the best interests of
30 the person or other persons, consistent with the purposes of this
31 section] (i) Identifiable registrant information is not (1) subject to
32 discovery, subpoena, warrant, or other means of legal compulsion for
33 release to any person or (2) admissible in any civil, administrative,
34 criminal, or family court proceeding, except for the purposes of inves-
35 tigations and prosecutions of allegations of computer tampering or bill-
36 ing fraud related to vaccination records, fraudulent statements related
37 to an individual's vaccination status, an act of violence or attempted
38 violence occurring at the site of a vaccination provider's or vaccine
39 navigator's business, or medical malpractice. Disclosure for these
40 purposes shall be subject to in camera review and approval by the court
41 and, if the use is initiated by a party other than the individual whose
42 registry information is sought, the information must be highly material
43 and relevant for the purpose.
44 (ii) Nothing in this section shall be construed to limit commissioners
45 of local social services districts or the commissioner of the office of
46 children and family services from accessing identifiable registrant
47 information under paragraph (d) of subdivision eight of this section.
48 § 4. Subparagraph (i) of paragraph (b) of subdivision 8 of section
49 2168 of the public health law, as amended by section 7 of part A of
50 chapter 58 of the laws of 2009, is amended to read as follows:
51 (i) The commissioner may use the statewide immunization information
52 system and the blood lead information in such system for purposes of
53 outreach, quality improvement and accountability, including professional
54 responsibility proceedings of the office of professional medical conduct
55 and the state education department, research, epidemiological studies
56 and disease control, and to obtain blood lead test results from physi-
A. 7326--A 3
1 cian office laboratories for the statewide registry of lead levels of
2 children established pursuant to subdivision two of section thirteen
3 hundred seventy-a of this chapter; (ii) the commissioner of health and
4 mental hygiene for the city of New York may use the immunization regis-
5 try and the blood lead information in such system for purposes of
6 outreach, quality improvement and accountability, research, epidemiolog-
7 ical studies and disease control; (iii) local health departments shall
8 have access to the immunization information system and the blood lead
9 information in such system for purposes of outreach, quality improvement
10 and accountability, epidemiological studies and disease control within
11 their county; and
12 § 5. Paragraph (c) of subdivision 8 of section 2168 of the public
13 health law, as amended by chapter 420 of the laws of 2014, is amended to
14 read as follows:
15 (c) health care providers and their designees, registered professional
16 nurses, and pharmacists authorized to administer immunizations pursuant
17 to subdivision two of section sixty-eight hundred one of the education
18 law shall have access to the statewide immunization information system
19 and the blood lead information in such system only for purposes of
20 submission of information about vaccinations received by a specific
21 registrant, determination of the immunization status of a specific
22 registrant, determination of the blood lead testing status of a specific
23 registrant, submission of the results from a blood lead analysis of a
24 sample obtained from a specific registrant in accordance with paragraph
25 (h) of subdivision two of this section, review of practice coverage,
26 generation of reminder notices, quality improvement and accountability,
27 including professional responsibility proceedings of the office of
28 professional medical conduct and the state education department, and
29 printing a copy of the immunization or lead testing record for the
30 registrant's medical record, for the registrant's parent or guardian, or
31 other person in parental or custodial relation to a child, or for a
32 registrant upon reaching eighteen years of age.
33 § 6. The public health law is amended by adding a new section 2169 to
34 read as follows:
35 § 2169. Vaccine confidentiality. 1. As used in this section, unless
36 context requires otherwise:
37 (a) The term "consent" shall mean informed, affirmative, and voluntary
38 authorization.
39 (b) The term "de-identified" shall mean that the information cannot
40 identify or be made to identify or be associated with a particular indi-
41 vidual, directly or indirectly, and is subject to technical safeguards
42 and policies and procedures that prevent re-identification, whether
43 intentionally or unintentionally, of any individual.
44 (c) The term "disclosure" shall mean release, transfer, provision of,
45 access to, or divulging in any other manner of information outside the
46 entity holding the information.
47 (d) The term "immigration authority" means any entity, officer,
48 employee, or government employee or agent thereof charged with or
49 engaged in enforcement of the federal Immigration and Nationality Act,
50 including the United States Immigration and Customs Enforcement, United
51 States Department of Homeland Security, or United States Customs and
52 Border Protection, or agent, contractor, or employee thereof, or any
53 successor legislation or entity.
54 (e) The term "law enforcement agent or entity" means any governmental
55 entity or public servant, or agent, contractor or employee thereof,
56 authorized to investigate, prosecute, or make an arrest for a criminal
A. 7326--A 4
1 or civil offense, or engaged in any such activity, but shall not mean
2 the department, the commissioner, a health district, a county department
3 of health, a county health commissioner, a local board of health, a
4 local health officer, the department of health and mental hygiene of the
5 city of New York, or the commissioner of the department of health and
6 mental hygiene of the city of New York.
7 (f) The term "personal information" shall mean information obtained
8 from or about an individual, in connection with their registering for or
9 receiving a vaccination, that directly or indirectly identifies, relates
10 to, describes, is capable of being associated with, or could reasonably
11 be linked to a particular individual, household, or personal device.
12 Information is reasonably linkable to an individual, household, or
13 personal device if it can be used on its own or in combination with
14 other reasonably available information, regardless of whether such other
15 information is held by the vaccine navigator or vaccine provider, to
16 identify an individual, household, or a personal device.
17 (g) The term "service attendant to the delivery of immunization" shall
18 mean scheduling and billing for an immunization appointment, sending
19 reminders about immunization, arranging transportation to or from a
20 vaccine provider, or reporting to the department, the New York City
21 department of health and mental hygiene, or other local health agency on
22 whose behalf such vaccine navigator is performing such services.
23 (h) The term "use" shall mean, with respect to personal information,
24 the sharing, employment, application, utilization, examination or analy-
25 sis of such information within an entity that maintains such informa-
26 tion.
27 (i) The term "vaccine navigator" shall mean any person that collects
28 personal information from an individual in order to register that indi-
29 vidual for immunization or to help that individual register for immuni-
30 zation, provided the department, a local public health agency, or a
31 person that administers vaccines are not vaccine navigators if they only
32 store vaccine recipient personal information in medical records
33 protected under the federal Health Insurance Portability and Account-
34 ability Act of 1996, its implementing regulations, or section eighteen
35 of this chapter.
36 2. (a) Except as provided in paragraph (d) of this subdivision, absent
37 consent from the individual seeking immunization, or if the individual
38 lacks the capacity to make health care decisions, an individual author-
39 ized to consent to health care for the individual or the individual's
40 legal representative, a vaccine navigator shall not use, disclose, or
41 maintain personal information except as necessary to provide services
42 attendant to the delivery of immunization.
43 (b) A vaccine navigator may request consent from an individual, or if
44 the individual lacks the capacity to make health care decisions, an
45 individual authorized to consent to health care for the individual or
46 the individual's legal representative, to use, disclose, or maintain the
47 individual's personal information for purposes other than services
48 attendant to the delivery of immunization provided that:
49 (i) a vaccine navigator shall not refuse to provide a service attend-
50 ant to the delivery of immunization for an individual who does not
51 provide such consent;
52 (ii) a vaccine navigator shall not relate the price or quality of any
53 service attendant to the delivery of immunization to the privacy
54 protections afforded the individual, including by providing a discount
55 or other incentive in exchange for such consent, provided that this
56 paragraph does not prohibit the offering of incentives to individuals to
A. 7326--A 5
1 get vaccinated; provided that such incentives shall not be conditioned
2 on an individual's consent to additional uses, disclosures, or mainte-
3 nance of their personal information except as necessary to provide the
4 incentive; and
5 (iii) a vaccine navigator shall clearly delineate what personal infor-
6 mation is adequate, relevant, and necessary to provide a service attend-
7 ant to the delivery of immunization by clearly and conspicuously indi-
8 cating in any solicitation for the information that all other requests
9 for personal information are optional.
10 (c) Except as provided in paragraph (d) of this subdivision:
11 (i) No vaccine navigator may provide personal information or otherwise
12 make personal information accessible, directly or indirectly, to a law
13 enforcement agent or entity or immigration authority;
14 (ii) No vaccine navigator may provide personal information or other-
15 wise make personal information accessible, directly or indirectly, to
16 any other individual or entity, except as explicitly authorized by this
17 title; and
18 (iii) Without consent under this subdivision, personal information and
19 any evidence derived therefrom shall not be subject to or provided in
20 response to any legal process or be admissible for any purpose in any
21 judicial or administrative action or proceeding.
22 (d) (i) This section does not bar otherwise lawful disclosure,
23 possession or use of information pertaining to services attendant to the
24 delivery of immunization, including aggregate information, that is de-i-
25 dentified. Disclosure, possession or use under this subparagraph shall
26 only be for a public health or public health research purposes.
27 (ii) A person may only possess or use de-identified information
28 pertaining to services attendant to the delivery of immunization if the
29 person maintains technical safeguards and policies and procedures that
30 prevent re-identification, whether intentional or unintentional, of any
31 individual, as may be required by the commissioner (or the New York city
32 commissioner of health and mental hygiene, in the case of information
33 collected by or under authority of the New York city department of
34 health and mental hygiene. The commissioner (or the New York city
35 commissioner as the case may be) shall require safeguards, policies and
36 procedures under this paragraph as the commissioner deems practicable.
37 (iii) Disclosure, possession and use of de-identified information
38 under this subdivision shall be only pursuant to approval by the commis-
39 sioner (or the New York city commissioner of health and mental hygiene
40 in the case of information collected by or under authority of the New
41 York city department of health and mental hygiene) specifying the
42 purpose, nature and scope of the disclosure, possession and use and
43 measures to ensure that it will comply with this section and the terms
44 of the approval.
45 (iv) This section does not prevent disclosure of personal information
46 sought for the purposes of investigations and prosecutions of allega-
47 tions of computer tampering or billing fraud related to vaccination
48 records, fraudulent statements related to an individual's vaccination
49 status, an act of violence or attempted violence occurring at the site
50 of a vaccination provider's or vaccine navigator's business, or medical
51 malpractice, professional discipline, or defense of any claim brought
52 against a vaccine navigator or provider. Disclosure for these purposes
53 shall be subject to in camera review and approval by the court and, if
54 the use is initiated by a party other than the individual whose registry
55 information is sought, the information must be highly material and rele-
56 vant for the purpose.
A. 7326--A 6
1 (e) A vaccine navigator that maintains personal information shall
2 establish appropriate administrative, technical, and physical safe-
3 guards, policies, and procedures that ensure the security of that
4 personal information. The safeguards, policies, and procedures must be
5 appropriate to the volume and nature of the personal information main-
6 tained and the size, revenue, and sophistication of the vaccine naviga-
7 tor and must ensure that personal information is encrypted and protected
8 at least as much as or more than other confidential information in the
9 vaccine navigator's possession. The commissioner or, in the city of New
10 York, the commissioner of the department of health and mental hygiene
11 shall make regulations as reasonably necessary to require that personal
12 information possessed, used, or under the control of a vaccine navigator
13 shall be subject to technical safeguards, policies, and procedures for
14 storage, transmission, use, and protection of the information. The regu-
15 lations must take into account the different sizes, revenues and sophis-
16 tications of different vaccine navigators, as well as the volume and
17 nature of the personal information they maintain.
18 (f) Nothing in this section shall limit a vaccine navigator that has a
19 pre-existing service provider-client, provider-patient, or familial
20 relationship or a friendship with an individual from processing that
21 individual's personal information as previously agreed to in the course
22 of the pre-existing relationship.
23 3. Vaccine providers. A vaccine provider shall not delay or condition
24 the provision of any service attendant to the delivery of immunization
25 by inviting or requiring an individual seeking vaccination to complete
26 an application for a customer discount card or account or share personal
27 information that will be stored outside of a medical record protected
28 under the federal Health Insurance Portability and Accountability Act of
29 1996, its implementing regulations, or section eighteen of this chapter
30 for purposes other than services attendant to the delivery of immuniza-
31 tion, or by engaging in any other activity unrelated to the provision of
32 such a service that the commissioner designates by regulation.
33 § 7. Section 2180 of the public health law is amended by adding nine
34 new subdivisions 12, 13, 14, 15, 16, 17, 18, 19 and 20 to read as
35 follows:
36 12. "Covered entity" means a governmental entity or a place of public
37 accommodation, resort or amusement, as defined in section two hundred
38 ninety-two of the executive law.
39 13. "Derived from an immunity passport" means any information
40 contained in or retrieved from an immunity passport, as well as any
41 metadata associated with the use of the immunity passport, including the
42 time and location the immunity passport was used, as well as any infer-
43 ences made based on the information contained in an immunity passport or
44 an immunity passport's usage.
45 14. "Disclose" means the release, transfer, provision of, access to,
46 or divulging in any other manner of information outside the entity hold-
47 ing the information.
48 15. "Governmental entity" means a department or agency of the state or
49 a political subdivision thereof, an individual acting for or on behalf
50 of the state or a political subdivision thereof, or any entity regulated
51 under the social services law.
52 16. "Immunity passport" means a credential, whether digital, electron-
53 ic, or physical, that identifies an individual as having received a
54 COVID-19 vaccine or a COVID-19 test result.
55 17. "Immunity passport provider" means a legal entity that develops,
56 maintains, distributes, or markets immunity passports in New York state.
A. 7326--A 7
1 18. "Personal information" means information that directly or indi-
2 rectly identifies, relates to, describes, is capable of being associated
3 with, or could reasonably be linked to a particular individual or
4 personal device. Information is reasonably linkable to an individual or
5 personal device if it can be used on its own or in combination with
6 other reasonably available information, regardless of whether such other
7 information is held by the covered entity or immunity passport provider,
8 to identify an individual or a personal device.
9 19. "Physical immunity passport" means a credential that identifies an
10 individual as having received a COVID-19 vaccine or a COVID-19 test
11 result that does not rely on a digital or electronic device. Physical
12 immunity passports include, but are not limited to, pieces of paper
13 denoting immunity status.
14 20. "Use" means, with respect to personal information, the sharing,
15 employment, application, utilization, examination, or analysis of such
16 information within an entity that maintains such information.
17 § 8. The public health law is amended by adding a new section 2183 to
18 read as follows:
19 § 2183. Immunity passports. 1. Any covered entity that requires proof
20 of COVID-19 immunization shall permit the use of physical immunity pass-
21 ports. No covered entity may require digital, electronic, or smart-
22 phone-based proof of immunity.
23 2. Any covered entity that requires the use of an immunity passport
24 shall delete any personal information derived from the immunity passport
25 about the individual to whom the immunity passport pertains within twen-
26 ty-four hours of receiving it, except that where a covered entity has an
27 ongoing relationship with an individual, the covered entity may store
28 the fact that the individual has received a COVID-19 vaccine, as well as
29 a copy of the individual's immunity passport, provided that:
30 (a) the covered entity first obtains the individual's informed, affir-
31 mative, and voluntary consent to store such information, and
32 (b) the covered entity stores any copy of an individual's immunity
33 passport and any personal information derived from the immunity passport
34 as if they were subject to the confidentiality requirements of title I
35 of the Americans with Disabilities Act 42 U.S.C. 12112(d) and its imple-
36 menting regulations, 29 CFR 1630.14.
37 3. An immunity passport provider shall not use or disclose personal
38 information derived from an immunity passport beyond what is adequate,
39 relevant, and necessary to identify an individual as having received a
40 COVID-19 vaccine or a COVID-19 test result and shall not collect,
41 access, receive, capture, store, maintain, use, or disclose personal
42 information pertaining to where or when an individual uses an immunity
43 passport.
44 4. (a) Except as provided in this subdivision, no covered entity or
45 immunity passport provider may:
46 (i) provide personal information derived from an immunity passport or
47 otherwise make such personal information accessible, directly or indi-
48 rectly, to a law enforcement agent or entity or immigration authority;
49 (ii) provide such personal information or otherwise make such personal
50 information accessible, directly or indirectly, to any other individual
51 or entity except as explicitly authorized by this section.
52 (b) Except as provided in this subdivision, personal information
53 derived from an immunity passport, and any evidence derived therefrom,
54 shall not be subject to or provided in response to any legal process or
55 be admissible for any purpose in any judicial or administrative action
56 or proceeding.
A. 7326--A 8
1 (c) Personal information derived from an immunity passport, and any
2 evidence derived therefrom, may be disclosed for the purposes of inves-
3 tigations and prosecutions of allegations of computer tampering or frau-
4 dulent statements related to an individual's vaccination status.
5 Disclosure for these purposes shall be subject to in camera review and
6 approval by the court and, if the use is initiated by a party other than
7 the individual whose personal information is sought, the information
8 must be highly material and relevant for the purpose.
9 5. The commissioner shall make regulations as reasonably necessary to
10 ensure that individuals who are medically contraindicated from receiving
11 the COVID-19 vaccine are nonetheless able to obtain reasonable accommo-
12 dations to enable them to access the services of a covered entity, in a
13 manner that does not impose an undue hardship on the covered entity or
14 present a direct threat that cannot be addressed by a reasonable accom-
15 modation.
16 6. Nothing in this section requires a covered entity to require proof
17 of COVID-19 immunity or to independently verify the information
18 contained in an immunity passport.
19 7. Nothing in this section shall be construed to limit a covered enti-
20 ty's obligations under the Americans with Disabilities Act, article
21 fifteen of the executive law, the civil rights law, or any other feder-
22 al, state, or local anti-discrimination law.
23 8. Nothing in this section shall be construed to affect the practices
24 of a health care provider, as defined in section eighteen of this chap-
25 ter, a hospital or nursing home as defined in article twenty-eight of
26 this chapter, a health practitioner as defined in section twenty-one
27 hundred sixty-four of this chapter, a facility, as defined in section
28 33.13 of the mental hygiene law, or a correctional health service
29 governed by the department of corrections and community supervision, the
30 rules of the board of correction in the city of New York, or a county
31 board of correction, with respect to records concerning their patients'
32 vaccinations.
33 § 9. Severability. If any provision of this act, or any application of
34 any provision of this act, is held to be invalid, that shall not affect
35 the validity or effectiveness of any other provision of this act, or of
36 any other application of any provision of this act, which can be given
37 effect without that provision or application; and to that end, the
38 provisions and applications of this act are severable.
39 § 10. This act shall take effect immediately.