Provides for the protection of health information; establishes requirements for communications to individuals about their health information; requires either written consent or a designated necessary purpose for the processing of an individual's health information.
STATE OF NEW YORK
10357
IN ASSEMBLY
February 26, 2026
Introduced by M. of A. ROSENTHAL, REYES, DINOWITZ, SIMON, GLICK,
CUNNINGHAM, TAPIA, SHIMSKY, BICHOTTE HERMELYN, BURDICK, BRAUNSTEIN,
LUCAS, SEAWRIGHT, STIRPE, KIM, DILAN, TAYLOR, SEPTIMO, GONZALEZ-ROJAS,
LEVENBERG, MITAYNES, RAMOS, OTIS, WEPRIN, KELLES, LEE, O'PHARROW,
PHEFFER AMATO, GALLAGHER, ROMERO -- read once and referred to the
Committee on Science and Technology
AN ACT to amend the general business law, in relation to providing for
the protection of health information
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
Section 1. The general business law is amended by adding a new article 42-A to read as follows:
ARTICLE 42-A
NEW YORK HEALTH INFORMATION PRIVACY ACT
Section 1120. Definitions.
1121. Requirements for communications to individuals.
1122. Lawfulness of processing regulated health information.
1123. Individual rights.
1124. Security.
1125. Service providers.
1126. Exemptions.
1127. Enforcement.
1128. Contracts and waivers void and unenforceable.
1129. Construction.
§ 1120. Definitions. As used in this article, the following terms shall have the following meanings:
1. "Deidentified information" means information that cannot reasonably be used to infer information about, or otherwise be linked to an identified or identifiable individual, household, or device, provided that the regulated entity or service provider that processes the information:
(a) Implements reasonable technical safeguards to ensure that the information cannot be associated with an individual, household, or device;
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD01741-06-6
A. 10357 2
(b) Publicly commits to process the information only as deidentified information and not attempt to reidentify the information, except that the regulated entity or service provider may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this section;
(c) Contractually obligates any recipient of the deidentified information to comply with all requirements of this section; and
(d) Any deidentified information not otherwise exempt under this article, once subsequently reidentified shall not be considered deidentified.
2. "Regulated health information" means any information that:
(a) is reasonably linkable, directly or indirectly, to one or more identified or identifiable individuals, including by for example and without limitation, any data associated with a persistent unique identifier, such as a cookie ID, an IP address, a device identifier or any other form of persistent unique identifier; and
(b) is collected or processed in connection with an identified or identifiable individual's past, present, or future physical or mental health status. Such status includes but is not limited to:
(i) individual health conditions, treatments, diseases, or diagnoses;
(ii) social, psychological, behavioral, and medical interventions;
(iii) surgeries or medical procedures;
(iv) use or purchase of medication;
(v) bodily functions, vital signs, symptoms, or measurements of the information;
(vi) diagnoses or diagnostic testing, treatment, or medication;
(vii) gender-affirming care information;
(viii) reproductive or sexual health information;
(ix) biometric data;
(x) genetic data;
(xi) precise location information that could reasonably indicate an individual's attempt to acquire or receive health services or supplies;
(xii) data that identifies an individual seeking health care services; and
(xiii) any information that a regulated entity or their processor, processes to associate or identify an individual with a physical or mental health status, that is derived or extrapolated from nonhealth information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).
Regulated health information shall not include deidentified information.
3. "Process" or "processing" means an operation or set of operations performed on regulated health information, including but not limited to the collection, use, access, sharing, sale, monetization, analysis, retention, creation, generation, derivation, recording, organization, structuring, storage, disclosure, transmission, licensing, or modification of regulated health information.
4. "Regulated entity" means any entity that controls the processing of regulated health information of an individual (a) who is a New York resident or (b) is physically present in New York while that individual is in New York or (c) is seeking or receiving services in New York if the entity is located in New York.
5. "Sell" means to share regulated health information for monetary or other valuable consideration. Selling does not include the sharing of regulated health information for monetary or other valuable consideration to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the regulated entity's assets.
6. "Service provider" means any person or entity that processes regulated health information on behalf of a regulated entity. A service provider may also be a regulated entity depending upon the context in which regulated health information is processed.
7. "Third party" means a person or entity other than the individual, regulated entity, or service provider involved in a transaction or occurrence that involves regulated health information. A third party may also be a regulated entity or service provider depending upon the context in which regulated health information is processed.
8. "Individual" means a natural person acting in an individual or household context.
9. "Verifiable" means to use reasonable means to determine that a request to exercise any of the rights afforded in this act is being made by, or on behalf of, the individual who is entitled to exercise such rights with respect to the regulated health information at issue; provided that any additional personal information a regulated entity requests for the purpose of verification must be strictly necessary for the purpose of confirming the identity of such individual and shall not be processed or used for any purpose other than verifying the identity of the individual and shall be deleted immediately upon verification or failure to verify the individual. Such verification shall not extend the maximum allowable time within which the regulated entity may satisfy a request by an individual.
§ 1121. Requirements for communications to individuals. All notices, disclosures, forms, and other communications to individuals provided pursuant to this article shall comply with the following:
1. All communications shall use plain, straightforward language, avoiding technical or legal jargon, and must be provided through an interface the individual regularly uses in connection with the regulated entity's product or service.
2. All communications shall be reasonably accessible to individuals with disabilities, including by:
(a) utilizing digital accessibility tools;
(b) for notices, complying with generally recognized industry standards, including, but not limited to, current standards set by standards setting bodies such as the World Wide Web Consortium, or other similar standards setting bodies as determined by the attorney general; and
(c) for other communications, providing information about how an individual with a disability may access the communication in an alternative format.
3. All communications shall be available in the languages in which the regulated entity provides information via its website and services. Any direct communication to an individual shall be provided in the language in which the individual ordinarily interacts with the regulated entity or its service provider.
4. A regulated entity shall make any notice for processing pursuant to a permissible purpose, pursuant to subparagraph (ii) of paragraph (b) of subdivision one of section eleven hundred twenty-two of this article, or form for processing pursuant to authorization, pursuant to subparagraph (i) of paragraph (b) of subdivision one of section eleven hundred twenty-two of this article, publicly available on its website. If an authorization form is customized for each individual, the regulated entity may instead publicly post a sample authorization form on its website.
§ 1122. Lawfulness of processing regulated health information. 1. It shall be unlawful for a regulated entity to:
(a) sell an individual's regulated health information to a third party; or
(b) otherwise process an individual's regulated health information unless:
(i) The individual has provided valid authorization for such processing as set forth in paragraph (b) of subdivision two of this section; or
(ii) Processing of an individual's regulated health information is strictly necessary for the purpose of:
(A) providing, maintaining, developing, improving, or repairing a specific product, feature, or service requested by such individual, or functionality thereof;
(B) conducting the regulated entity's internal business operations, which exclude any activities related to marketing, advertising, research and development, or providing products or services to third parties;
(C) protecting against malicious, fraudulent, or illegal activity;
(D) detecting, responding to, or preventing security incidents or threats;
(E) protecting the vital interests of an individual;
(F) investigating, establishing, exercising, preparing for, or defending legal claims; or
(G) complying with the regulated entity's legal obligations pursuant to federal, state or local law or regulation.
2. Unless processing of an individual's regulated health information is strictly necessary pursuant to subparagraph (ii) of paragraph (b) of subdivision one of this section, a regulated entity that processes regulated health information pursuant to valid authorization as required by subparagraph (i) of paragraph (b) of subdivision one of this section shall comply with the following:
(a) A request for authorization to process an individual's regulated health information shall:
(i) be made separately from any other transaction or part of a transaction;
(ii) be written in plain language and in no less than twelve point font;
(iii) clearly and conspicuously state that the processing for which the consent is requested is not strictly necessary, and that the user may decline without preventing continued use of the website, online service, online application, mobile device, connected device, or any other service the user is requesting or signing up for;
(iv) be made in the absence of any mechanism that has the purpose or substantial effect of obscuring, subverting, or impairing an individual's decision-making regarding authorization for processing;
(v) if requesting authorization for multiple categories of processing activities, allow the individual to provide or withhold authorization separately for each category of processing activity; and
(vi) not include any request for authorization for a processing activity for which an individual has withheld or revoked authorization within the past nine months.
(b) A valid authorization shall include:
(i) the types of regulated health information to be processed;
(ii) the nature of the processing activity;
(iii) the specific purposes for such processing;
(iv) the names where readily available, or categories of service providers and third parties to which the regulated entity may disclose the individual's regulated health information and the purposes for such disclosure, including the circumstances under which the regulated entity may disclose regulated health information to law enforcement;
(v) any monetary or other valuable consideration the regulated entity may receive in connection with processing the individual's regulated health information, where applicable;
(vi) that failing to provide authorization will not affect the individual's experience of using the regulated entity's products or services;
(vii) the expiration date of the authorization, which may be up to one year from the date authorization was provided;
(viii) the mechanism by which the individual may revoke authorization prior to expiration;
(ix) the mechanism by which the individual may request access to and deletion of their regulated health information;
(x) any other information material to an individual's decision-making regarding authorization for processing; and
(xi) the signature or other form of unambiguous affirmative consent, which may be electronic, of the individual who is the subject of the regulated health information, or a parent or guardian authorized by law to take actions of legal consequence on behalf of the individual who is the subject of the regulated health information, and the date.
(c) (i) A regulated entity that receives authorization for processing shall provide an effective, efficient, and easy-to-use mechanism by which an individual may revoke authorization at any time through an interface the individual regularly uses in connection with the regulated entity's product or service.
(ii) Upon an individual's verifiable revocation of authorization, the regulated entity shall immediately cease all processing activities for which authorization was revoked, except to the extent necessary to comply with the regulated entity's legal obligations.
(iii) For individuals who have an online account with the regulated entity, the regulated entity must provide, in a conspicuous and easily accessible place within the account settings, a list of all processing activities for which the individual has provided authorization and, for each processing activity, allow the individual to revoke authorization in the same place with one motion or action.
(d) Upon obtaining valid authorization from an individual, the regulated entity shall provide that individual a copy of the authorization. The authorization shall be provided in a manner that is capable of being retained by the individual.
(e) The regulated entity shall limit its processing to what was clearly disclosed to an individual pursuant to paragraph (b) of this subdivision when the regulated entity received authorization from the individual.
(f) If the regulated entity seeks to materially alter its processing activities for regulated health information collected pursuant to authorization, the regulated entity shall obtain a new authorization for the new or altered processing activity.
(g) Providing a product or service requested by an individual must not be made contingent on providing authorization. The regulated entity must not discriminate against an individual for withholding authorization, such as by charging different prices or rates for products or services, including through the use of discounts or other benefits, imposing penalties, or providing a different level or quality of services or goods to the individual.
3. A regulated entity that processes regulated health information pursuant to a permissible purpose pursuant to subparagraph (ii) of paragraph (b) of subdivision one of this section shall comply with the following:
(a) A regulated entity shall provide clear and conspicuous notice that describes:
(i) the types of regulated health information to be processed;
(ii) the nature of the processing activity;
(iii) the specific purposes for such processing;
(iv) the names where readily available, or categories of service providers and third parties to which the regulated entity may disclose the individual's regulated health information and the purposes for such disclosure, including the circumstances under which the regulated entity may disclose regulated health information to law enforcement; and
(v) the mechanism by which the individual may request access to and deletion of their regulated health information.
(b) If the regulated entity materially alters its processing activities for regulated health information collected pursuant to a permissible purpose, the regulated entity must provide a clear and conspicuous notice in plain language, separate from a privacy policy, terms of service, or similar document, that describes any material changes to the processing activities and provide the individual with an opportunity to request deletion of their regulated health information.
§ 1123. Individual rights. 1. (a) A regulated entity shall make available an effective, efficient, and easy-to-use mechanism through an interface the individual regularly uses in connection with the regulated entity's product or service by which an individual may make verifiable requests under this section.
(b) The regulated entity shall, without undue delay and no later than within thirty days of receiving a verifiable access request, make available a copy of all regulated health information about the individual that the regulated entity maintains or that service providers maintain on behalf of the regulated entity. A regulated entity may extend the period within which to make available such copy one time by thirty additional days when reasonably necessary, as long as the regulated entity provides notice of such extension to the individual during the original thirty day period.
2. (a) A regulated entity shall make available an effective, efficient, and easy-to-use mechanism through an interface the individual regularly uses in connection with the regulated entity's product or service by which an individual may request the deletion of their regulated health information.
(b) An individual's request to delete or cancel their online account shall be treated as a request to delete the individual's regulated health information.
(c) The regulated entity shall, without undue delay and no later than within thirty days of receiving a verifiable deletion request:
(i) Delete all regulated health information associated with the individual in the regulated entity's possession or control, except to the extent necessary to comply with the regulated entity's legal obligations; and
(ii) Unless it proves impossible or involves disproportionate effort that is documented in writing by the regulated entity, communicate such request to each service provider or third party that processed the individual's regulated health information in connection with a transaction involving the regulated entity occurring within one year preceding the individual's request.
(d) Any service provider or third party that receives notice of an individual's deletion request shall within thirty days delete all regulated health information associated with the individual in its possession or control, except to the extent necessary to comply with its legal obligations.
3. Any right set forth in this section may be exercised at any time by the individual who is the subject of the regulated health information or an agent authorized by such individual.
§ 1124. Security. 1. A regulated entity shall develop, implement, and maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of regulated health information.
2. A regulated entity must securely dispose of an individual's regulated health information pursuant to a publicly available retention schedule within a reasonable time, and in no event later than sixty days, after it is no longer necessary to maintain for the permissible purpose or purposes identified in the notice or for which the individual provided valid authorization.
§ 1125. Service providers. 1. Any processing of regulated health information by a service provider on behalf of a regulated entity shall be governed by a written, binding agreement. Such agreement shall clearly set forth instructions for processing regulated health information, the nature and purpose of processing, the duration of processing, and the rights and obligations of both parties.
2. An agreement pursuant to subdivision one of this section shall require that the service provider:
(a) ensure that each person processing regulated health information is subject to a duty of confidentiality with respect to such information;
(b) protect regulated health information in a manner consistent with the requirements of this article;
(c) process regulated health information only when and to the extent necessary to comply with its obligations to the regulated entity;
(d) not combine the regulated health information which the service provider receives from or on behalf of the regulated entity with any other personal information which the service provider receives from or on behalf of another party or collects from its own relationship with individuals;
(e) comply with any exercises of an individual's rights under section eleven hundred twenty-three of this article upon the request of the regulated entity and notify any service providers or third parties to which it disclosed regulated health information of the request;
(f) delete or return all regulated health information to the regulated entity at the end of the provision of services, unless retention of the regulated health information is required by law;
(g) upon the reasonable request of the regulated entity, make available to the regulated entity all data in its possession necessary to demonstrate the service provider's compliance with the obligations in this section;
(h) allow, and cooperate with, reasonable assessments by the regulated entity or the regulated entity's designated assessor for purposes of evaluating compliance with the obligations of this article. Alternatively, the service provider may arrange for a qualified and independent assessor to conduct an assessment of the service provider's policies and technical and organizational measures in support of the obligations under this article using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The service provider shall provide a report of such assessment to the regulated entity upon request;
(i) notify the regulated entity a reasonable time in advance before disclosing or transferring regulated health information to any further service providers, which may be in the form of a regularly updated list of further service providers that may access regulated health information; and
(j) engage any further service provider pursuant to a written, binding agreement that includes the contractual requirements provided in this section, containing at minimum the same obligations that the service provider has entered into with regard to regulated health information.
§ 1126. Exemptions. Nothing in this article shall apply to the following, and the attorney general may promulgate rules and regulations specifying additional exceptions for regulated health information that is subject to and processed in compliance with any federal law that is as protective or more protective of individual privacy than this chapter:
1. local, state, or federal governments and their agencies, authorities or public corporations as defined in section sixty-six of the general construction law or information processed by or on behalf of such governmental entities provided that the information is only processed for governmental purposes;
2. information that meets the definition of protected health information for purposes of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and implementing regulations as well as the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5) and implementing regulations;
3. any covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations (CFR), established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191);
4. any business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations (CFR), established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) to the extent the business associate maintains the information in the same manner as described in subdivision two of this section for protected health information or deidentifies such information in accordance with requirements for deidentification set forth in section eleven hundred twenty of this article;
5. a program or qualified service organization or records subject to 42 USC Section 290dd-2 and 42 CFR Part 2;
6. information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration;
7. information and documents lawfully subject to the federal Health Care Quality Improvement Act of 1986 (42 USC Sections 11101 - 11152), and implementing federal regulations;
8. patient safety work product subject to 42 CFR Part 3, established pursuant to 42 USC Sections 299b-21 through 299b-26;
9. deidentified protected health information, as defined in the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), that is deidentified in accordance with the requirements for deidentification set forth in 45 CFR Section 164.514;
10. identifiable private information for purposes of the federal policy for the protection of human subjects, 45 C.F.R. Part 46; identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the international council for harmonisation; the protection of human subjects under 21 C.F.R. Parts 50 and 56; data used or shared in research, as defined in 45 CFR 164.501, and subject to 45 CFR 164.512(i); or data used or shared in research conducted in accordance with one or more of the requirements set forth in this section;
11. data used or disclosed only for one or more of the following:
(a) product registration and tracking consistent with applicable United States Food and Drug Administration regulations and guidance;
(b) public health activities and purposes as described in and subject to 45 CFR Section 164.512;
(c) part of a limited data set, as defined, and is used, disclosed, and maintained in the manner required by 45 CFR Section 164.514; or
(d) activities related to quality, safety, or effectiveness regulated by the United States Food and Drug Administration;
12. information subject to the Trusted Exchange Framework and Common Agreement (TEFCA) created by the U.S. Department of Health & Human Services Assistant Secretary for Technology Policy (ASTP), or through other networks that exchange information about individuals, including but not limited to health information or social services information, and are approved in accordance with the statewide common participation agreement and policies and procedures adopted pursuant to 10 NYCRR Part 300;
13. information specifically for a quality assurance committee, peer review committee, or quality improvement committee for purposes of section twenty-eight hundred five-j, twenty-eight hundred five-k, or twenty-eight hundred five-l of the public health law;
14. health information collected, used, or disclosed subject to section eighteen of the public health law;
15. directory information subject to the Family Educational Rights and Privacy Act, 20 U.S.C. §§ 1232g et seq., as amended from time to time;
16. personal information subject to the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) and implementing regulations when used for the purpose of furnishing a consumer credit report under the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) and implementing regulations;
17. data used for research and development only if deidentified in accordance with the requirements for deidentification set forth in section eleven hundred twenty of this article, and reviewed and approved by an Institutional Review Board;
18. any other information, which may be deemed to be regulated health information under this section, but which is subject to, and which is processed in compliance with, any other privacy laws or regulations that are as or more protective of individual privacy than this chapter;
19. information that:
(a) is collected by a business about an individual in the course of the individual acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the individual's personal information is collected and used by the business solely within the context of the individual's role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of, that business;
(b) is collected by a business that is emergency contact information of the individual acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the information is collected and used solely within the context of having an emergency contact on file; or
(c) is necessary for the business to retain to administer benefits for another individual relating to the individual acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the information is collected and used solely within the context of administering those benefits;
20. information collected, created or maintained pursuant to sections 33.13 and 33.16 of the mental hygiene law; or
21. entities licensed, registered or certified by the office of children and family services, which are required to process information by the regulations of such office.
§ 1127. Enforcement. 1. Whenever it appears to the attorney general, either upon complaint or otherwise, that any person or persons, within or outside the state, has engaged in or is about to engage in any of the acts or practices stated to be unlawful under this article, the attorney general may bring an action or special proceeding in the name and on behalf of the people of the state of New York to enjoin any violation of this article, to obtain restitution of any moneys or property obtained directly or indirectly by any such violation, to obtain disgorgement of any profits obtained directly or indirectly by any such violation, to obtain civil penalties of not more than fifteen thousand dollars per violation and to obtain any such other and further relief as the court may deem proper, including preliminary relief. In determining the penalty, the court shall consider the severity of the violation and the regulated entity's good faith effort to comply with the requirements of this article.

2. The remedies provided by this section shall be in addition to any other lawful remedy available.

3. Any action or special proceeding brought by the attorney general pursuant to this section must be commenced within six years of the date on which the attorney general became aware of the violation.

4. In connection with any proposed action or special proceeding under this section, the attorney general is authorized to take proof and make a determination of the relevant facts, and to issue subpoenas in accordance with the civil practice law and rules. The attorney general may also require such other data and information as they may deem relevant and may require written responses to questions under oath. Such power of subpoena and examination shall not abate or terminate by reason of any action or special proceeding brought by the attorney general under this article.

5. This section shall apply to all acts declared to be unlawful in this article, whether or not subject to any other law of this state, and shall not supersede, amend or repeal any other law of this state under which the attorney general is authorized to take any action or conduct any inquiry.

6. The attorney general may promulgate such rules and regulations as are necessary to effectuate and enforce the provisions of this section.
§ 1128. Contracts and waivers void and unenforceable. 1. Any contractual provision inconsistent with this article shall be void and unenforceable.

2. Any waiver by any individual of the provisions of this article shall be void and unenforceable.

§ 1129. Construction. Nothing in this article shall be construed to restrict, invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or disclosures to the New York State Department of Health for public health activities, or health oversight activities, including, but not limited to, any disclosures permitted by 45 CFR 164.512(b) and (d).

§ 2. Severability. If any clause, sentence, paragraph, subdivision, section or part of this act shall be adjudged by any court of competent jurisdiction to be invalid, such judgment shall not affect, impair, or invalidate the remainder thereof, but shall be confined in its operation to the clause, sentence, paragraph, subdivision, section or part thereof directly involved in the controversy in which such judgment shall have been rendered. It is hereby declared to be the intent of the legislature that this act would have been enacted even if such invalid provisions had not been included herein.

§ 3. This act shall take effect 6 months after it shall have become a law. Effective immediately, the addition, amendment and/or repeal of any rule or regulation necessary for the implementation of this act on its effective date are authorized to be made and completed on or before such effective date.