Bill Text: NY S09599 | 2021-2022 | General Assembly | Introduced
Bill Title: Creates privacy standards for electronic health products and services and permissible data brokering; requires consent to be given for the collection and/or sharing of personal health information or other personal data.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Introduced - Dead) 2022-11-21 - REFERRED TO RULES [S09599 Detail]
Download: New_York-2021-S09599-Introduced.html
STATE OF NEW YORK ________________________________________________________________________ 9599 IN SENATE November 21, 2022 ___________ Introduced by Sen. KRUEGER -- read twice and ordered printed, and when printed to be committed to the Committee on Rules AN ACT to amend the general business law, in relation to privacy stand- ards for electronic health products and services and permissible data brokering The People of the State of New York, represented in Senate and Assem- bly, do enact as follows: 1 Section 1. The general business law is amended by adding a new article 2 42 to read as follows: 3 ARTICLE 42 4 ELECTRONIC HEALTH PRODUCTS AND SERVICES 5 Section 1100. Definitions. 6 1101. Electronic health products and services; privacy. 7 1102. Private right of action. 8 1103. Actions that are HIPAA compliant. 9 § 1100. Definitions. For the purposes of this article, the following 10 terms shall have the following meanings: 11 1. "Consent" means an action which (a) clearly and conspicuously 12 communicates the individual's voluntary authorization of an act or prac- 13 tice; (b) is made in the absence of any mechanism in the user interface 14 that has the purpose or substantial effect of obscuring, subverting, or 15 impairing decision making or choice to obtain consent; and (c) cannot be 16 inferred from inaction. A request for consent shall be provided to the 17 individual in a clear and conspicuous disclosure, apart from any privacy 18 policy, terms of service, terms of use, general release, user agreement, 19 or other similar document, of all information material to the provision 20 of consent. 21 2. "Deactivation" means a user's deletion, removal, or other action 22 made to terminate his or her use of an electronic health product or 23 service. 24 3. "Electronic health product or service" means any software or hard- 25 ware, including a mobile application, website, or other related product 26 or service, that is designed to maintain personal health information, EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted. LBD16235-03-2S. 9599 2 1 designed to diagnose or designed to infer a medical diagnosis, in order 2 to make such personal health information available to a user or to a 3 health care provider at the request of such user or health care provid- 4 er, for the purposes of allowing such user to manage his or her informa- 5 tion, or for the diagnosis, inferred diagnosis, treatment, or management 6 of a medical condition. 7 4. "Health care provider" means: 8 (a) a hospital as defined in article twenty-eight of the public health 9 law, a home care services agency as defined in article thirty-six of the 10 public health law, a hospice as defined in article forty of the public 11 health law, a health maintenance organization as defined in article 12 forty-four of the public health law, or a shared health facility as 13 defined in article forty-seven of the public health law; or 14 (b) a person licensed under article one hundred thirty-one, one 15 hundred thirty-one-B, one hundred thirty-two, one hundred thirty-three, 16 one hundred thirty-six, one hundred thirty-nine, one hundred forty-one, 17 one hundred forty-three, one hundred forty-four, one hundred fifty- 18 three, one hundred fifty-four, one hundred fifty-six or one hundred 19 fifty-nine of the education law. 20 5. "Personal health information" means any individually identifiable 21 information about an individual's mental or physical condition provided 22 by such individual, or otherwise gained from monitoring such individ- 23 ual's mental or physical condition. 24 6. "User" means an individual who has downloaded or uses an electronic 25 health product or service. 26 7. "Consumer data" means any information that identifies, relates to, 27 describes, is capable of being associated with, or could reasonably be 28 linked, either directly or indirectly, with a particular consumer 29 regardless if such data can be derived by the consumer, household, or 30 consumer device or derived from other sources such as an internet proto- 31 col address. 32 8. "Data processing" means the collection, use, disclosure, retention, 33 or processing of personal health information or other data. 34 9. "Covered organization" means an entity, including a data broker, 35 that offers an electronic health product or service that is subject to 36 the provisions of this article. 37 10. "Data broker" means a person or entity that collects, buys, 38 licenses, or infers data about individuals and then sells, licenses, or 39 trades that data. 40 11. "Digital advertiser" means any person, corporation, partnership or 41 association that delivers digital advertisements by electronic means. 42 12. "Digital advertisement" shall include any communication delivered 43 by electronic means that is intended to be used for the purposes of 44 marketing, solicitation, or dissemination of information related, 45 directly or indirectly, to goods or services provided by the digital 46 advertiser or a third party. 47 13. "Geofencing" means a technology that uses global positioning 48 system coordinates, cell tower connectivity, cellular data, radio 49 frequency identification, Wi-Fi data and/or any other form of location 50 detection, to establish a virtual boundary or "geofence" around a 51 particular location that allows a digital advertiser to track the 52 location of an individual user and electronically deliver targeted 53 digital advertisements directly to such user's mobile device upon such 54 user's entry into the geofenced area.S. 9599 3 1 § 1101. Electronic health products and services; privacy. 1. (a) It 2 shall be unlawful for a covered organization to engage in data process- 3 ing, geofencing, or data brokering unless: 4 (i) the user to whom the information or data pertains has given affir- 5 mative express consent to such data processing and if such covered 6 organization will broker user data, the user must also give separate 7 affirmative consent to such data brokering; and 8 (ii) such data processing, geofencing or data brokering, is strictly 9 necessary and for the purpose of: 10 (A) protecting against malicious, fraudulent, or illegal activity; 11 (B) detecting, responding to, or preventing security incidents or 12 threats; or 13 (C) complying with a court order issued to the covered organization. 14 (b) The general nature of any data processing or data brokering shall 15 be conveyed by the covered organization in clear and prominent terms in 16 such a way that an ordinary consumer would notice and understand such 17 terms. 18 (c) A user may consent to data processing or data brokering on behalf 19 of his or her dependent minors. 20 (d) A covered organization shall provide an effective mechanism for a 21 user to revoke their consent after it is given. After a user revokes 22 their consent, the covered organization shall cease all data processing 23 and data brokering of such user's personal health information or other 24 data as soon as practicable, but not later than fifteen days after such 25 user revokes such consent. 26 2. In order to obtain consent in compliance with subdivision one of 27 this section, a covered organization offering an electronic health prod- 28 uct or service shall: 29 (a) disclose to the user all data, personal health information, 30 location data, and other personal data such electronic health product or 31 service will collect from the user upon obtaining consent; 32 (b) disclose to the user all third parties with whom such user's 33 personal health information or other personal data may be shared by the 34 electronic health product or service upon obtaining consent; 35 (c) disclose to the user the purpose for collecting any personal 36 health information or other personal data; and 37 (d) allow the user to withdraw consent at any time. 38 3. No electronic health product or service shall collect any personal 39 health information or other personal data beyond which a user has 40 specifically consented to share with such electronic health product or 41 service under subdivision one of this section. 42 4. (a) An electronic health product or service shall delete or other- 43 wise destroy any personal health information or other personal data 44 collected from a user immediately upon such user's request, withdrawal 45 of consent; or upon such user's deactivation of his or her account. 46 (b) A covered organization that collects a user's personal health 47 information or other data shall limit its collection and sharing of that 48 information with third parties to what is strictly necessary to provide 49 a service or conduct an activity that a user has requested or is strict- 50 ly necessary for security or fraud prevention. 51 (c) A covered organization that collects a user's personal health 52 information or other data shall limit its use and retention of such 53 information to what is reasonably necessary to provide a service or 54 conduct an activity that a user has requested or a related operational 55 purpose, provided that information collected or retained solely for 56 security or fraud prevention may not be used for operational purposes.S. 9599 4 1 5. A covered organization shall not discriminate against a user 2 because the user exercised any of the user's rights under this title, or 3 did not agree to information processing for a separate product or 4 service, including, but not limited to, by: 5 (a) Denying goods or services to the user. 6 (b) Charging different prices or rates for goods or services, includ- 7 ing through the use of discounts or other benefits or imposing penal- 8 ties. 9 (c) Providing a different level or quality of goods or services to the 10 user. 11 (d) Suggesting that the consumer will receive a different price or 12 rate for goods or services or a different level or quality of goods or 13 services. 14 6. A covered organization shall implement and maintain reasonable 15 security procedures and practices, including administrative, physical, 16 and technical safeguards, appropriate to the nature of the information 17 and the purposes for which the personal health information or other data 18 will be used, to protect consumers' personal health information or other 19 data from unauthorized use, disclosure, access, destruction, or modifi- 20 cation. 21 7. (a) It shall be unlawful for any person, corporation, partnership 22 or association to deliver by electronic means any digital advertisement 23 to a user through the use of geofencing at any health care facility as 24 defined in subdivision one of this section. 25 (b) It shall be unlawful for any person, corporation, partnership or 26 association to establish a geofence or similar virtual boundary in or 27 around any health care facility for the purpose of delivering by elec- 28 tronic means a digital advertisement to a user within such health care 29 facility. 30 § 1102. Private right of action. 1. Any person who has been injured by 31 reason of a violation of this article may bring an action in his or her 32 own name, or in the name of his or her minor child, to seek declaratory 33 relief, to enjoin such unlawful act, to recover his or her actual 34 damages, to seek statutory damages as provided pursuant to this section, 35 or any combination of such actions. Any violation of this article 36 constitutes an injury-in-fact and a harm to any affected individual. The 37 court shall award reasonable attorney's fees to a prevailing plaintiff. 38 2. Any covered organization that violates this article is subject to 39 declaratory judgment, an injunction and liable for damages and a civil 40 penalty. When calculating damages and civil penalties, the court shall 41 consider the number of affected individuals, the severity of the 42 violation, and the size and revenues of the covered organization. Addi- 43 tionally, statutory damages shall be awarded in the amount of five 44 hundred dollars per violation. Each individual whose data was unlawfully 45 processed counts as a separate violation. Each provision of this article 46 that was violated counts as a separate violation. 47 § 1103. Actions that are HIPAA compliant. Nothing in this article 48 shall prohibit any action taken with respect to the health information 49 of an individual by a data broker that is a business associate or 50 covered organization that is permissible under the federal regulations 51 concerning standards for privacy of individually identifiable health 52 information promulgated under section 264(c) of the Health Insurance 53 Portability and Accountability Act of 1996 (42 U.S.C. 1320d- 20 2 note). 54 § 2. Severability. If any clause, sentence, paragraph, subdivision, 55 section or part of this act shall be adjudged by any court of competent 56 jurisdiction to be invalid, such judgment shall not affect, impair, orS. 9599 5 1 invalidate the remainder thereof, but shall be confined in its operation 2 to the clause, sentence, paragraph, subdivision, section or part thereof 3 directly involved in the controversy in which such judgment shall have 4 been rendered. It is hereby declared to be the intent of the legislature 5 that this act would have been enacted even if such invalid provisions 6 had not been included herein. 7 § 3. This act shall take effect on the sixtieth day after it shall 8 have become a law.