Creates privacy standards for electronic health products and services and permissible data brokering; requires consent to be given for the collection and/or sharing of personal health information or other personal data.
STATE OF NEW YORK
________________________________________________________________________
9599
IN SENATE
November 21, 2022
___________
Introduced by Sen. KRUEGER -- read twice and ordered printed, and when
printed to be committed to the Committee on Rules
AN ACT to amend the general business law, in relation to privacy stand-
ards for electronic health products and services and permissible data
brokering
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. The general business law is amended by adding a new article
2 42 to read as follows:
3 ARTICLE 42
4 ELECTRONIC HEALTH PRODUCTS AND SERVICES
5 Section 1100. Definitions.
6 1101. Electronic health products and services; privacy.
7 1102. Private right of action.
8 1103. Actions that are HIPAA compliant.
9 § 1100. Definitions. For the purposes of this article, the following
10 terms shall have the following meanings:
11 1. "Consent" means an action which (a) clearly and conspicuously
12 communicates the individual's voluntary authorization of an act or prac-
13 tice; (b) is made in the absence of any mechanism in the user interface
14 that has the purpose or substantial effect of obscuring, subverting, or
15 impairing decision making or choice to obtain consent; and (c) cannot be
16 inferred from inaction. A request for consent shall be provided to the
17 individual in a clear and conspicuous disclosure, apart from any privacy
18 policy, terms of service, terms of use, general release, user agreement,
19 or other similar document, of all information material to the provision
20 of consent.
21 2. "Deactivation" means a user's deletion, removal, or other action
22 made to terminate his or her use of an electronic health product or
23 service.
24 3. "Electronic health product or service" means any software or hard-
25 ware, including a mobile application, website, or other related product
26 or service, that is designed to maintain personal health information,
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD16235-03-2
S. 9599 2
1 designed to diagnose or designed to infer a medical diagnosis, in order
2 to make such personal health information available to a user or to a
3 health care provider at the request of such user or health care provid-
4 er, for the purposes of allowing such user to manage his or her informa-
5 tion, or for the diagnosis, inferred diagnosis, treatment, or management
6 of a medical condition.
7 4. "Health care provider" means:
8 (a) a hospital as defined in article twenty-eight of the public health
9 law, a home care services agency as defined in article thirty-six of the
10 public health law, a hospice as defined in article forty of the public
11 health law, a health maintenance organization as defined in article
12 forty-four of the public health law, or a shared health facility as
13 defined in article forty-seven of the public health law; or
14 (b) a person licensed under article one hundred thirty-one, one
15 hundred thirty-one-B, one hundred thirty-two, one hundred thirty-three,
16 one hundred thirty-six, one hundred thirty-nine, one hundred forty-one,
17 one hundred forty-three, one hundred forty-four, one hundred fifty-
18 three, one hundred fifty-four, one hundred fifty-six or one hundred
19 fifty-nine of the education law.
20 5. "Personal health information" means any individually identifiable
21 information about an individual's mental or physical condition provided
22 by such individual, or otherwise gained from monitoring such individ-
23 ual's mental or physical condition.
24 6. "User" means an individual who has downloaded or uses an electronic
25 health product or service.
26 7. "Consumer data" means any information that identifies, relates to,
27 describes, is capable of being associated with, or could reasonably be
28 linked, either directly or indirectly, with a particular consumer
29 regardless if such data can be derived by the consumer, household, or
30 consumer device or derived from other sources such as an internet proto-
31 col address.
32 8. "Data processing" means the collection, use, disclosure, retention,
33 or processing of personal health information or other data.
34 9. "Covered organization" means an entity, including a data broker,
35 that offers an electronic health product or service that is subject to
36 the provisions of this article.
37 10. "Data broker" means a person or entity that collects, buys,
38 licenses, or infers data about individuals and then sells, licenses, or
39 trades that data.
40 11. "Digital advertiser" means any person, corporation, partnership or
41 association that delivers digital advertisements by electronic means.
42 12. "Digital advertisement" shall include any communication delivered
43 by electronic means that is intended to be used for the purposes of
44 marketing, solicitation, or dissemination of information related,
45 directly or indirectly, to goods or services provided by the digital
46 advertiser or a third party.
47 13. "Geofencing" means a technology that uses global positioning
48 system coordinates, cell tower connectivity, cellular data, radio
49 frequency identification, Wi-Fi data and/or any other form of location
50 detection, to establish a virtual boundary or "geofence" around a
51 particular location that allows a digital advertiser to track the
52 location of an individual user and electronically deliver targeted
53 digital advertisements directly to such user's mobile device upon such
54 user's entry into the geofenced area.
S. 9599 3
1 § 1101. Electronic health products and services; privacy. 1. (a) It
2 shall be unlawful for a covered organization to engage in data process-
3 ing, geofencing, or data brokering unless:
4 (i) the user to whom the information or data pertains has given affir-
5 mative express consent to such data processing and if such covered
6 organization will broker user data, the user must also give separate
7 affirmative consent to such data brokering; and
8 (ii) such data processing, geofencing or data brokering, is strictly
9 necessary and for the purpose of:
10 (A) protecting against malicious, fraudulent, or illegal activity;
11 (B) detecting, responding to, or preventing security incidents or
12 threats; or
13 (C) complying with a court order issued to the covered organization.
14 (b) The general nature of any data processing or data brokering shall
15 be conveyed by the covered organization in clear and prominent terms in
16 such a way that an ordinary consumer would notice and understand such
17 terms.
18 (c) A user may consent to data processing or data brokering on behalf
19 of his or her dependent minors.
20 (d) A covered organization shall provide an effective mechanism for a
21 user to revoke their consent after it is given. After a user revokes
22 their consent, the covered organization shall cease all data processing
23 and data brokering of such user's personal health information or other
24 data as soon as practicable, but not later than fifteen days after such
25 user revokes such consent.
26 2. In order to obtain consent in compliance with subdivision one of
27 this section, a covered organization offering an electronic health prod-
28 uct or service shall:
29 (a) disclose to the user all data, personal health information,
30 location data, and other personal data such electronic health product or
31 service will collect from the user upon obtaining consent;
32 (b) disclose to the user all third parties with whom such user's
33 personal health information or other personal data may be shared by the
34 electronic health product or service upon obtaining consent;
35 (c) disclose to the user the purpose for collecting any personal
36 health information or other personal data; and
37 (d) allow the user to withdraw consent at any time.
38 3. No electronic health product or service shall collect any personal
39 health information or other personal data beyond which a user has
40 specifically consented to share with such electronic health product or
41 service under subdivision one of this section.
42 4. (a) An electronic health product or service shall delete or other-
43 wise destroy any personal health information or other personal data
44 collected from a user immediately upon such user's request, withdrawal
45 of consent; or upon such user's deactivation of his or her account.
46 (b) A covered organization that collects a user's personal health
47 information or other data shall limit its collection and sharing of that
48 information with third parties to what is strictly necessary to provide
49 a service or conduct an activity that a user has requested or is strict-
50 ly necessary for security or fraud prevention.
51 (c) A covered organization that collects a user's personal health
52 information or other data shall limit its use and retention of such
53 information to what is reasonably necessary to provide a service or
54 conduct an activity that a user has requested or a related operational
55 purpose, provided that information collected or retained solely for
56 security or fraud prevention may not be used for operational purposes.
S. 9599 4
1 5. A covered organization shall not discriminate against a user
2 because the user exercised any of the user's rights under this title, or
3 did not agree to information processing for a separate product or
4 service, including, but not limited to, by:
5 (a) Denying goods or services to the user.
6 (b) Charging different prices or rates for goods or services, includ-
7 ing through the use of discounts or other benefits or imposing penal-
8 ties.
9 (c) Providing a different level or quality of goods or services to the
10 user.
11 (d) Suggesting that the consumer will receive a different price or
12 rate for goods or services or a different level or quality of goods or
13 services.
14 6. A covered organization shall implement and maintain reasonable
15 security procedures and practices, including administrative, physical,
16 and technical safeguards, appropriate to the nature of the information
17 and the purposes for which the personal health information or other data
18 will be used, to protect consumers' personal health information or other
19 data from unauthorized use, disclosure, access, destruction, or modifi-
20 cation.
21 7. (a) It shall be unlawful for any person, corporation, partnership
22 or association to deliver by electronic means any digital advertisement
23 to a user through the use of geofencing at any health care facility as
24 defined in subdivision one of this section.
25 (b) It shall be unlawful for any person, corporation, partnership or
26 association to establish a geofence or similar virtual boundary in or
27 around any health care facility for the purpose of delivering by elec-
28 tronic means a digital advertisement to a user within such health care
29 facility.
30 § 1102. Private right of action. 1. Any person who has been injured by
31 reason of a violation of this article may bring an action in his or her
32 own name, or in the name of his or her minor child, to seek declaratory
33 relief, to enjoin such unlawful act, to recover his or her actual
34 damages, to seek statutory damages as provided pursuant to this section,
35 or any combination of such actions. Any violation of this article
36 constitutes an injury-in-fact and a harm to any affected individual. The
37 court shall award reasonable attorney's fees to a prevailing plaintiff.
38 2. Any covered organization that violates this article is subject to
39 declaratory judgment, an injunction and liable for damages and a civil
40 penalty. When calculating damages and civil penalties, the court shall
41 consider the number of affected individuals, the severity of the
42 violation, and the size and revenues of the covered organization. Addi-
43 tionally, statutory damages shall be awarded in the amount of five
44 hundred dollars per violation. Each individual whose data was unlawfully
45 processed counts as a separate violation. Each provision of this article
46 that was violated counts as a separate violation.
47 § 1103. Actions that are HIPAA compliant. Nothing in this article
48 shall prohibit any action taken with respect to the health information
49 of an individual by a data broker that is a business associate or
50 covered organization that is permissible under the federal regulations
51 concerning standards for privacy of individually identifiable health
52 information promulgated under section 264(c) of the Health Insurance
53 Portability and Accountability Act of 1996 (42 U.S.C. 1320d- 20 2 note).
54 § 2. Severability. If any clause, sentence, paragraph, subdivision,
55 section or part of this act shall be adjudged by any court of competent
56 jurisdiction to be invalid, such judgment shall not affect, impair, or
S. 9599 5
1 invalidate the remainder thereof, but shall be confined in its operation
2 to the clause, sentence, paragraph, subdivision, section or part thereof
3 directly involved in the controversy in which such judgment shall have
4 been rendered. It is hereby declared to be the intent of the legislature
5 that this act would have been enacted even if such invalid provisions
6 had not been included herein.
7 § 3. This act shall take effect on the sixtieth day after it shall
8 have become a law.