Creates privacy standards for electronic health products and services; requires consent to be given for the collection and/or sharing of personal health information or other personal data.
STATE OF NEW YORK
________________________________________________________________________
10704
IN ASSEMBLY
July 1, 2020
___________
Introduced by COMMITTEE ON RULES -- (at request of M. of A. L. Rosenthal)
-- read once and referred to the Committee on Consumer Affairs
and Protection
AN ACT to amend the general business law, in relation to electronic
health products and services
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
1 Section 1. The general business law is amended by adding a new article
2 42 to read as follows:
3 ARTICLE 42
4 ELECTRONIC HEALTH PRODUCTS AND SERVICES
5 Section 1100. Definitions.
6 1101. Electronic health products and services; privacy.
7 § 1100. Definitions. For the purposes of this article, the following
8 terms shall have the following meanings:
9 1. "Deactivation" means a user's deletion, removal, or other action
10 made to terminate his or her use of an electronic health product or
11 service.
12 2. "Electronic health product or service" means any software or hardware,
13 including a mobile application, website, or other related product
14 or service, that is designed to maintain personal health information, in
15 order to make such personal health information available to a user or to
16 a health care provider at the request of such user or health care
17 provider, for the purposes of allowing such user to manage his or her
18 information, or for the diagnosis, treatment, or management of a medical
19 condition.
20 3. "Health care provider" means:
21 (a) a hospital as defined in article twenty-eight of the public health
22 law, a home care services agency as defined in article thirty-six of the
23 public health law, a hospice as defined in article forty of the public
24 health law, a health maintenance organization as defined in article
25 forty-four of the public health law, or a shared health facility as
26 defined in article forty-seven of the public health law; or
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD16757-01-0
1 (b) a person licensed under article one hundred thirty-one, one
2 hundred thirty-one-B, one hundred thirty-two, one hundred thirty-three,
3 one hundred thirty-six, one hundred thirty-nine, one hundred forty-one,
4 one hundred forty-three, one hundred forty-four, one hundred fifty-three,
5 one hundred fifty-four, one hundred fifty-six or one hundred
6 fifty-nine of the education law.
7 4. "Personal health information" means any individually identifiable
8 information about an individual's mental or physical condition provided
9 by such individual, or otherwise gained from monitoring such individual's
10 mental or physical condition.
11 5. "Other personal data" means any individually identifiable information
12 about an individual provided by such individual, or otherwise
13 gained from monitoring such individual, other than personal health
14 information.
15 6. "User" means an individual who has downloaded or uses an electronic
16 health product or service.
17 § 1101. Electronic health products and services; privacy. 1. Any
18 entity that offers an electronic health product or service, shall obtain
19 consent from a user before collecting any personal health information or
20 any other personal data from such user.
21 2. In order to obtain consent in compliance with subdivision one of
22 this section, an entity offering an electronic health product or service
23 shall:
24 (a) disclose to the user all personal health information or other
25 personal data such electronic health product or service will collect
26 from the user upon obtaining consent;
27 (b) disclose to the user any third party with whom such user's
28 personal health information or other personal data may be shared by the
29 electronic health product or service upon obtaining consent;
30 (c) disclose to the user the purpose for collecting any personal
31 health information or other personal data; and
32 (d) allow the user to withdraw consent at any time.
33 3. No electronic health product or service shall collect any personal
34 health information or other personal data beyond which a user has
35 specifically consented to share with such electronic health product or
36 service under subdivision one of this section.
37 4. An electronic health product or service shall delete or otherwise
38 destroy any personal health information or other personal data collected
39 from a user immediately upon such user's request, withdrawal of consent;
40 or upon such user's deactivation of his or her account.
41 § 2. This act shall take effect on the sixtieth day after it shall
42 have become a law.