Bill Text: NY A01415 | 2025-2026 | General Assembly | Introduced
Bill Title: Creates privacy standards for electronic health products and services; requires consent to be given for the collection and/or sharing of personal health information or other personal data.
Spectrum: Partisan Bill (Democrat 5-0)
Status: (Introduced) 2025-01-09 - referred to consumer affairs and protection [A01415 Detail]
Download: New_York-2025-A01415-Introduced.html
STATE OF NEW YORK
1415
2025-2026 Regular Sessions
IN ASSEMBLY
January 9, 2025
Introduced by M. of A. ROSENTHAL, GALLAGHER, KELLES, SIMON, OTIS -- read once and referred to the Committee on Consumer Affairs and Protection

AN ACT to amend the general business law, in relation to electronic health products and services

The People of the State of New York, represented in Senate and Assembly, do enact as follows:

Section 1. The general business law is amended by adding a new article 42-A to read as follows:

ARTICLE 42-A
ELECTRONIC HEALTH PRODUCTS AND SERVICES
Section 1200. Definitions.
1201. Electronic health products and services; privacy.
1202. Private right of action.
1203. Actions that are HIPAA compliant.

§ 1200. Definitions. For the purposes of this article, the following terms shall have the following meanings:
1. "Consent" means an action which (a) clearly and conspicuously communicates the individual's authorization of an act or practice; (b) is made in the absence of any mechanism in the user interface that has the purpose or substantial effect of obscuring, subverting, or impairing decision making or choice to obtain consent; and (c) cannot be inferred from inaction.
2. "Deactivation" means a user's deletion, removal, or other action made to terminate their use of an electronic health product or service.
3. "Electronic health product or service" means any software or hardware, including a mobile application, website, or other related product or service, that is designed to maintain personal health information, in order to make such personal health information available to a user or to a health care provider at the request of such user or health care provider, for the purposes of allowing such user to manage their information, or for the diagnosis, treatment, or management of a medical condition.
4. "Health care provider" means:
(a) a hospital as defined in article twenty-eight of the public health law, a home care services agency as defined in article thirty-six of the public health law, a hospice as defined in article forty of the public health law, a health maintenance organization as defined in article forty-four of the public health law, or a shared health facility as defined in article forty-seven of the public health law; or
(b) a person licensed under article one hundred thirty-one, one hundred thirty-one-B, one hundred thirty-two, one hundred thirty-three, one hundred thirty-six, one hundred thirty-nine, one hundred forty-one, one hundred forty-three, one hundred forty-four, one hundred fifty-three, one hundred fifty-four, one hundred fifty-six or one hundred fifty-nine of the education law.
5. "Individually identifiable information" means any information that identifies or could reasonably be linked, directly or indirectly, to a particular consumer, household, or consumer device.
6. "Personal health information" means any individually identifiable information about an individual's mental or physical condition provided by such individual, or otherwise gained or inferred from monitoring such individual's mental or physical condition.
7. "Other personal data" means any individually identifiable information about an individual provided by such individual, or otherwise gained or inferred from monitoring such individual, other than personal health information.
8. "User" means an individual who has downloaded or uses an electronic health product or service.
9. "Data processing" means any action or set of actions performed on or with personal information, including but not limited to collection, access, use, retention, sharing, monetizing, analysis, creation, generation, derivation, decision-making, recording, alteration, organization, structuring, storage, disclosure, transmission, sale, licensing, disposal, destruction, de-identifying, or other handling of personal information.
10. "Covered organization" means an entity that offers an electronic health product or service that is subject to the provisions of this article.

§ 1201. Electronic health products and services; privacy. 1. (a) It shall be unlawful for a covered organization to engage in data processing unless:
(i) the user to whom the information or data pertains has given affirmative express consent to such data processing; or
(ii) such data processing is strictly necessary and proportionate for the purpose of:
(A) protecting against malicious, fraudulent, or illegal activity;
(B) detecting, responding to, or preventing security incidents or threats; or
(C) the covered organization is compelled to do so by a warrant or court order.
(b) The general nature of any data processing shall be conveyed by the covered organization in a standalone document such as a data processing addendum, and in clear and prominent terms in such a way that an ordinary consumer would notice and understand such terms.
(c) A user may consent to data processing on behalf of their dependent minors.
(d) A covered organization shall provide an effective mechanism for a user to revoke their consent after it is given. After a user revokes their consent, the covered organization shall cease all data processing of such user's personal health information or other personal data as soon as practicable, but not later than fifteen days after such user revokes such consent. The covered organization shall also delete or otherwise destroy any such user's personal health information or other personal data per the terms of paragraph (a) of subdivision four of this section.
2. In order to obtain consent in compliance with subdivision one of this section, an entity offering an electronic health product or service shall:
(a) disclose to the user all personal health information or other personal data such electronic health product or service will collect from the user upon obtaining consent;
(b) disclose to the user any third party with whom such user's personal health information or other personal data may be shared by the electronic health product or service upon obtaining consent;
(c) disclose to the user the purpose for collecting any personal health information or other personal data; and
(d) allow the user to withdraw consent at any time.
3. No electronic health product or service shall collect any personal health information or other personal data beyond which a user has specifically consented to share with such electronic health product or service under subdivision one of this section.
4. (a) An electronic health product or service shall delete or otherwise destroy any personal health information or other personal data collected from a user immediately upon such user's request, withdrawal of consent; or upon such user's deactivation of their account.
(b) An entity that collects a user's personal health information or other personal data shall limit its collection and sharing of that information with third parties to what is reasonably necessary to provide a service or conduct an activity that a user has requested or is reasonably necessary for security or fraud prevention.
(c) An entity that collects a user's personal health information or other personal data shall limit its use and retention of such information to what is strictly necessary to provide a service or conduct an activity that a user has requested or a related operational purpose, provided that information collected or retained solely for security or fraud prevention may not be used for operational purposes. Monetization of personal health information or other personal data, including but not limited to the use of targeted advertising, cross-context behavioral advertising or marketing services, or the use of personal health information for training or inclusion in machine learning models, beyond that which a user has explicitly consented to shall not be considered strictly necessary to provide a service or conduct an activity or a related operational purpose.
(d) If a user deletes their personal health information or other personal data collected by an entity, or requests the entity delete their personal health information or other personal data, such entity shall retain such user's personal health information or other personal data on any server or data management system no longer than thirty days after such deletion or request. The entity must give the user an opportunity to download a copy of such personal health information or personal data prior to permanent deletion.
5. A covered organization shall not discriminate against a user because the user exercised any of the user's rights under this article, or did not agree to information processing for a separate product or service, including, but not limited to, by:
(a) Denying goods or services to the user.
(b) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
(c) Providing a different level or quality of goods or services to the user.
(d) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
6. A covered organization shall implement and maintain reasonable security procedures and practices, including administrative, physical, and technical safeguards, appropriate to the nature of the information and the purposes for which the personal health information or other personal data will be used, to protect consumers' personal health information or other personal data from unauthorized use, disclosure, access, destruction, or modification.

§ 1202. Private right of action. 1. Any person who has been injured by reason of a violation of this article may bring an action in their own name, or in the name of their minor child, to enjoin such unlawful act, or to recover the greater of their actual damages or one thousand dollars, or both such actions. The court shall award reasonable attorney's fees to a prevailing plaintiff. Actions pursuant to this section may be brought on a class-wide basis.
2. Any entity who violates this article is subject to an injunction and liable for damages and a civil penalty. When calculating damages and civil penalties, the court shall consider the number of affected individuals, the severity of the violation, and the size and revenues of the covered entity. Each individual whose data was unlawfully processed counts as a separate violation. Each provision of this article that was violated counts as a separate violation.

§ 1203. Actions that are HIPAA compliant. Nothing in this article shall prohibit any action taken with respect to the health information of an individual by a business associate or covered organization that is permissible under the federal regulations concerning standards for privacy of individually identifiable health information promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996.

§ 2. This act shall take effect on the sixtieth day after it shall have become a law.

EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted.
LBD04278-01-5