STATE OF NEW YORK
________________________________________________________________________
7326
2021-2022 Regular Sessions
IN ASSEMBLY
May 5, 2021
___________
Introduced by M. of A. GOTTFRIED, BRABENEC, CYMBROWITZ, DICKENS,
ENGLEBRIGHT, GALLAGHER, HEVESI, McDONALD, MONTESANO, OTIS, PAULIN, SIMON,
TAYLOR, THIELE, ZINERMAN -- read once and referred to the Committee on
Health
AN ACT to amend the public health law, in relation to protecting the
confidentiality of vaccine information
The People of the State of New York, represented in Senate and Assembly,
do enact as follows:
1 Section 1. Paragraph (d) of subdivision 4 of section 2168 of the
2 public health law, as amended by section 7 of part A chapter 58 of the
3 laws of 2009, is amended to read as follows:
4 (d) [A person, institution or agency to whom such immunization infor-
5 mation is furnished or to whom, access to records or information has
6 been given, shall not divulge any part thereof so as to disclose the
7 identity of such person to whom such information or record relates,
8 except insofar as such disclosure is necessary for the best interests of
9 the person or other persons, consistent with the purposes of this
10 section] Registry information is not (i) subject to discovery, subpoe-
11 na, warrant, or other means of legal compulsion for release to any
12 person or entity or (ii) admissible in any civil, administrative, crimi-
13 nal, or family court proceeding.
14 § 2. Subdivision 11 of section 2168 of the public health law, as
15 amended by chapter 154 of the laws of 2013, is amended to read as
16 follows:
17 11. The commissioner, or in the city of New York, the commissioner of
18 the department of health and mental hygiene, may provide registrant
19 specific immunization and lead test records to other state or city
20 registries and registries maintained by the Indian Health Service and
21 tribal nations recognized by the state or the United States pursuant to
22 a written agreement requiring that the other registry conform to
23 national standards for maintaining the integrity of the data and will
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD11016-01-1
A. 7326 2
1 [not] only be used for purposes [inconsistent] consistent with the
2 provisions of this section and provided that every effort shall be made
3 to limit disclosure of personal identifying information to the minimum
4 amount necessary to accomplish the provisions of this section.
5 § 3. Section 2168 of the public health law is amended by adding a new
6 subdivision 11-a to read as follows:
7 11-a. The commissioner, or in the city of New York, the commissioner
8 of the department of health and mental hygiene, may only share registry
9 information with the federal Centers for Disease Control and Prevention,
10 or successor agency, for public health purposes in summary, statistical,
11 aggregate, or other form such that no individual person can be identi-
12 fied.
13 § 4. The public health law is amended by adding a new section 2169 to
14 read as follows:
15 § 2169. Vaccine confidentiality. 1. As used in this section, unless
16 context requires otherwise:
17 (a) The term "individual" shall mean a natural person whom a vaccine
18 navigator or vaccine provider knows or has reason to know is located in
19 New York state.
20 (b) The term "immigration authority" means any entity, officer,
21 employee, or government employee or agent thereof charged with or
22 engaged in enforcement of the federal Immigration and Nationality Act,
23 including the United States Immigration and Customs Enforcement, United
24 States Department of Homeland Security, or United States Customs and
25 Border Protection, or agent, contractor, or employee thereof, or any
26 successor legislation or entity.
27 (c) The term "law enforcement agent or entity" means any governmental
28 entity or public servant, or agent, contractor or employee thereof,
29 authorized to investigate, prosecute, or make an arrest for a criminal
30 or civil offense, or engaged in any such activity, but shall not mean
31 the department, the commissioner, a health district, a county department
32 of health, a county health commissioner, a local board of health, a
33 local health officer, the department of health and mental hygiene of the
34 city of New York, or the commissioner of the department of health and
35 mental hygiene of the city of New York.
36 (d) The term "personal information" shall mean information that
37 directly or indirectly identifies, relates to, describes, is capable of
38 being associated with, or could reasonably be linked to a particular
39 individual, household, or personal device. Information is reasonably
40 linkable to an individual, household, or personal device if it can be
41 used on its own or in combination with other reasonably available infor-
42 mation, regardless of whether such other information is held by the
43 vaccine navigator or vaccine provider, to identify an individual, house-
44 hold, or a personal device.
45 (e) The term "process" shall mean any action or set of actions
46 performed on or with personal information, including but not limited to
47 collection, access, use, retention, sharing, monetizing, analysis,
48 creation, generation, derivation, decision-making, recording, alter-
49 ation, organization, structuring, storage, disclosure, transmission,
50 sale, licensing, disposal, destruction, de-identifying, or other handl-
51 ing of personal information.
52 (f) The term "vaccine navigator" shall mean any person that collects
53 personal information from an individual in order to register that indi-
54 vidual for immunization or to help that individual register for immuni-
55 zation.
A. 7326 3
1 (g) The term "vaccine provider" shall mean any person authorized by
2 law to administer an immunization.
3 2. (a) Absent freely given, specific, informed, and unambiguous opt-in
4 consent from the individual seeking immunization, or if the individual
5 lacks the capacity to make health care decisions, an individual author-
6 ized to consent to health care for the individual or the individual's
7 legal representative, a vaccine navigator shall not process personal
8 information beyond what is adequate, relevant, and necessary to schedule
9 an immunization appointment, send any appropriate reminders about exist-
10 ing immunization appointments or necessary booster immunization appoint-
11 ments, or arrange transportation to a vaccine provider.
12 (b) Absent freely given, specific, informed, and unambiguous opt-in
13 consent from the individual seeking immunization, or if the individual
14 lacks the capacity to make health care decisions, an individual author-
15 ized to consent to health care for the individual or the individual's
16 legal representative, a vaccine provider shall not process personal
17 information outside of a medical record protected under the federal
18 Health Insurance Portability and Accountability Act of 1996, its imple-
19 menting regulations, or section eighteen of this chapter or a record
20 included in the statewide immunization information system, or the city-
21 wide immunization registry in the city of New York, beyond what is
22 adequate, relevant, and necessary to schedule an immunization appoint-
23 ment, send any appropriate reminders about existing immunization
24 appointments or necessary booster immunization appointments, or arrange
25 transportation to a vaccine provider.
26 (c) A vaccine navigator or vaccine provider may request freely given,
27 specific, informed, and unambiguous opt-in consent from an individual,
28 or if the individual lacks the capacity to make health care decisions,
29 an individual authorized to consent to health care for the individual or
30 the individual's legal representative, to process the individual's
31 personal information for purposes other than scheduling an immunization
32 appointment, sending any appropriate reminders about existing immuniza-
33 tion appointments or necessary booster immunization appointments, or
34 arranging transportation to a vaccine provider provided that:
35 (i) a vaccine navigator or vaccine provider shall not refuse to sched-
36 ule an immunization appointment, send any appropriate reminders about
37 existing immunization appointments or necessary booster immunization
38 appointments, or arrange transportation to a vaccine provider for an
39 individual who does not approve of the processing of the individual's
40 personal information beyond what is necessary to schedule an immuniza-
41 tion appointment, send any appropriate reminders about existing immuni-
42 zation appointments or necessary booster immunization appointments, or
43 arrange transportation to a vaccine provider;
44 (ii) a vaccine navigator or vaccine provider shall not relate the
45 price or quality of scheduling an immunization appointment, sending any
46 appropriate reminders about existing immunization appointments or neces-
47 sary booster immunization appointments, or arranging transportation to a
48 vaccine provider to the privacy protections afforded the individual,
49 including by providing a discount or other incentive in exchange for the
50 opt-in consent of the individual to additional processing of the indi-
51 vidual's personal information; and
52 (iii) a vaccine navigator or vaccine provider shall clearly delineate
53 what personal information is adequate, relevant, and necessary to sched-
54 ule an immunization appointment, send any appropriate reminders about
55 existing immunization appointments or necessary booster immunization
56 appointments, or arrange transportation to a vaccine provider by clearly
A. 7326 4
1 and conspicuously indicating that all other requests for personal infor-
2 mation are optional.
3 (d) No vaccine navigator or vaccine provider may provide personal
4 information or otherwise make personal information accessible, directly
5 or indirectly, to a law enforcement agent or entity or immigration
6 authority under any circumstances. No vaccine navigator or vaccine
7 provider may provide personal information or otherwise make personal
8 information accessible, directly or indirectly, to any other individual
9 or entity, except as explicitly authorized by this title. Without
10 consent under this subdivision, personal information and any evidence
11 derived therefrom shall not be subject to or provided in response to any
12 legal process or be admissible for any purpose in any judicial or admin-
13 istrative action or proceeding.
14 (e) A vaccine navigator that maintains personal information shall
15 establish appropriate administrative, technical, and physical safe-
16 guards, policies, and procedures that ensure the security of that
17 personal information. The safeguards, policies, and procedures must
18 ensure that personal information is encrypted and protected at least as
19 much as or more than other confidential information in the vaccine
20 navigator's possession. The commissioner or, in the city of New York,
21 the commissioner of the department of health and mental hygiene shall
22 make regulations as reasonably necessary to require that personal infor-
23 mation possessed, used, or under the control of a vaccine navigator
24 shall be subject to technical safeguards, policies, and procedures for
25 storage, transmission, use, and protection of the information. The regu-
26 lations shall be at least as or more protective than the safeguards,
27 policies, and procedures the commissioner, or in the city of New York,
28 the commissioner of health and mental hygiene, provides for other confi-
29 dential information.
30 (f) A vaccine provider that maintains personal information outside of
31 a medical record protected under the federal Health Insurance Portabil-
32 ity and Accountability Act of 1996, its implementing regulations, or
33 section eighteen of this chapter or a record included in the statewide
34 immunization information system or the citywide immunization registry in
35 the city of New York, shall establish appropriate administrative, tech-
36 nical, and physical safeguards, policies, and procedures that ensure the
37 security of that personal information. The safeguards, policies, and
38 procedures must ensure that personal information is encrypted and
39 protected at least as much as or more than other confidential informa-
40 tion in the vaccine provider's possession. The commissioner, or in the
41 city of New York the commissioner of health and mental hygiene, shall
42 make regulations as reasonably necessary to require that personal infor-
43 mation possessed, used, or under the control of a vaccine provider shall
44 be subject to technical safeguards, policies, and procedures for stor-
45 age, transmission, use, and protection of the information. The regu-
46 lations shall be at least as or more protective than the safeguards,
47 policies, and procedures the commissioner or, in the city of New York,
48 the commissioner of health and mental hygiene provides for other confi-
49 dential information.
50 (g) Nothing in this section shall limit a vaccine navigator or vaccine
51 provider that has a pre-existing service provider-client, provider-pa-
52 tient, or familial relationship or a friendship with an individual from
53 processing that individual's personal information as previously agreed
54 to in the course of the pre-existing relationship.
55 § 5. Section 2180 of the public health law is amended by adding eight
56 new subdivisions 12, 13, 14, 15, 16, 17, 18 and 19 to read as follows:
A. 7326 5
1 12. "Covered entity" means a governmental entity or a place of public
2 accommodation, resort or amusement, as defined in section two hundred
3 ninety-two of the executive law.
4 13. "Governmental entity" means a department or agency of the state or
5 a political subdivision thereof, an individual acting for or on behalf
6 of the state or a political subdivision thereof, or any entity regulated
7 under the social services law.
8 14. "Immunity passport" means a credential, whether digital, electron-
9 ic, or physical, that identifies an individual as having received a
10 COVID-19 vaccine or a COVID-19 test result.
11 15. "Immunity passport provider" means a legal entity that develops,
12 maintains, distributes, or markets immunity passports in New York state.
13 16. "Individual" means a natural person whom the covered entity or
14 immunity passport provider knows or has reason to know is located in New
15 York state.
16 17. "Personal information" means information that directly or indi-
17 rectly identifies, relates to, describes, is capable of being associated
18 with, or could reasonably be linked to a particular individual or
19 personal device. Information is reasonably linkable to an individual or
20 personal device if it can be used on its own or in combination with
21 other reasonably available information, regardless of whether such other
22 information is held by the covered entity or immunity passport provider,
23 to identify an individual or a personal device.
24 18. "Physical immunity passport" means a credential that identifies an
25 individual as having received a COVID-19 vaccine or a COVID-19 test
26 result that does not rely on a digital or electronic device. Physical
27 immunity passports include, but are not limited to, pieces of paper
28 denoting immunity status.
29 19. "Process" means any action or set of actions performed on or with
30 personal information, including but not limited to collection, access,
31 use, retention, sharing, monetizing, analysis, creation, generation,
32 derivation, decision-making, recording, alteration, organization, struc-
33 turing, storage, disclosure, transmission, sale, licensing, disposal,
34 destruction, de-identifying, or other handling of personal information.
35 § 6. The public health law is amended by adding a new section 2183 to
36 read as follows:
37 § 2183. Immunity passports. 1. Any covered entity that requires proof
38 of COVID-19 immunization shall permit the use of physical immunity pass-
39 ports. No covered entity may require digital, electronic, or smart-
40 phone-based proof of immunity.
41 2. Any covered entity that requires the use of an immunity passport
42 shall delete any personal information processed about the individual to
43 whom the immunity passport pertains within twenty-four hours of process-
44 ing.
45 3. An immunity passport provider shall not process personal informa-
46 tion beyond what is adequate, relevant, and necessary to identify an
47 individual as having received a COVID-19 vaccine or a COVID-19 test
48 result and shall not process personal information pertaining to where or
49 when an individual uses an immunity passport.
50 4. No covered entity or immunity passport provider may provide
51 personal information or otherwise make personal information accessible,
52 directly or indirectly, to a law enforcement agent or entity or immi-
53 gration authority under any circumstances. No covered entity or immunity
54 passport provider may provide personal information or otherwise make
55 personal information accessible, directly or indirectly, to any other
56 individual or entity, except as explicitly authorized by this section.
A. 7326 6
1 Personal information and any evidence derived therefrom shall not be
2 subject to or provided in response to any legal process or be admissible
3 for any purpose in any judicial or administrative action or proceeding.
4 5. The commissioner shall make regulations as reasonably necessary to
5 ensure that individuals who are medically contraindicated from receiving
6 the COVID-19 vaccine are nonetheless able to access covered entities,
7 taking into account the health risks associated with each type of
8 covered entity and the fact that the accommodation required may vary
9 based on the type of covered entity.
10 6. Nothing in this section requires a covered entity to require proof
11 of COVID-19 immunity or to independently verify the information
12 contained in an immunity passport.
13 7. Nothing in this section shall be construed to limit a covered enti-
14 ty's obligations under the Americans with Disabilities Act, article
15 fifteen of the executive law, the civil rights law, or any other feder-
16 al, state, or local anti-discrimination law.
17 8. The commissioner shall make regulations as reasonably necessary to
18 implement this section.
19 § 7. Severability. If any provision of this act, or any application of
20 any provision of this act, is held to be invalid, that shall not affect
21 the validity or effectiveness of any other provision of this act, or of
22 any other application of any provision of this act, which can be given
23 effect without that provision or application; and to that end, the
24 provisions and applications of this act are severable.
25 § 8. This act shall take effect immediately.