STATE OF NEW YORK
6656
2021-2022 Regular Sessions
IN ASSEMBLY
March 23, 2021
Introduced by M. of A. L. ROSENTHAL -- read once and referred to the
Committee on Consumer Affairs and Protection
AN ACT to amend the general business law, in relation to electronic
health products and services
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEMBLY,
DO ENACT AS FOLLOWS:
Section 1. The general business law is amended by adding a new article
42 to read as follows:
ARTICLE 42
ELECTRONIC HEALTH PRODUCTS AND SERVICES
SECTION 1100. DEFINITIONS.
1101. ELECTRONIC HEALTH PRODUCTS AND SERVICES; PRIVACY.
1102. PRIVATE RIGHT OF ACTION.
§ 1100. DEFINITIONS. FOR THE PURPOSES OF THIS ARTICLE, THE FOLLOWING
TERMS SHALL HAVE THE FOLLOWING MEANINGS:
1. "CONSENT" MEANS AN ACTION WHICH (A) CLEARLY AND CONSPICUOUSLY
COMMUNICATES THE INDIVIDUAL'S AUTHORIZATION OF AN ACT OR PRACTICE; (B)
IS MADE IN THE ABSENCE OF ANY MECHANISM IN THE USER INTERFACE THAT HAS
THE PURPOSE OR SUBSTANTIAL EFFECT OF OBSCURING, SUBVERTING, OR IMPAIRING
DECISION MAKING OR CHOICE TO OBTAIN CONSENT; AND (C) CANNOT BE INFERRED
FROM INACTION.
2. "DEACTIVATION" MEANS A USER'S DELETION, REMOVAL, OR OTHER ACTION
MADE TO TERMINATE HIS OR HER USE OF AN ELECTRONIC HEALTH PRODUCT OR
SERVICE.
3. "ELECTRONIC HEALTH PRODUCT OR SERVICE" MEANS ANY SOFTWARE OR HARDWARE,
INCLUDING A MOBILE APPLICATION, WEBSITE, OR OTHER RELATED PRODUCT
OR SERVICE, THAT IS DESIGNED TO MAINTAIN PERSONAL HEALTH INFORMATION, IN
ORDER TO MAKE SUCH PERSONAL HEALTH INFORMATION AVAILABLE TO A USER OR TO
A HEALTH CARE PROVIDER AT THE REQUEST OF SUCH USER OR HEALTH CARE
PROVIDER, FOR THE PURPOSES OF ALLOWING SUCH USER TO MANAGE HIS OR HER
INFORMATION, OR FOR THE DIAGNOSIS, TREATMENT, OR MANAGEMENT OF A MEDICAL
CONDITION.
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD10359-01-1
4. "HEALTH CARE PROVIDER" MEANS:
(A) A HOSPITAL AS DEFINED IN ARTICLE TWENTY-EIGHT OF THE PUBLIC HEALTH
LAW, A HOME CARE SERVICES AGENCY AS DEFINED IN ARTICLE THIRTY-SIX OF THE
PUBLIC HEALTH LAW, A HOSPICE AS DEFINED IN ARTICLE FORTY OF THE PUBLIC
HEALTH LAW, A HEALTH MAINTENANCE ORGANIZATION AS DEFINED IN ARTICLE
FORTY-FOUR OF THE PUBLIC HEALTH LAW, OR A SHARED HEALTH FACILITY AS
DEFINED IN ARTICLE FORTY-SEVEN OF THE PUBLIC HEALTH LAW; OR
(B) A PERSON LICENSED UNDER ARTICLE ONE HUNDRED THIRTY-ONE, ONE
HUNDRED THIRTY-ONE-B, ONE HUNDRED THIRTY-TWO, ONE HUNDRED THIRTY-THREE,
ONE HUNDRED THIRTY-SIX, ONE HUNDRED THIRTY-NINE, ONE HUNDRED FORTY-ONE,
ONE HUNDRED FORTY-THREE, ONE HUNDRED FORTY-FOUR, ONE HUNDRED FIFTY-
THREE, ONE HUNDRED FIFTY-FOUR, ONE HUNDRED FIFTY-SIX OR ONE HUNDRED
FIFTY-NINE OF THE EDUCATION LAW.
5. "INDIVIDUALLY IDENTIFIABLE INFORMATION" MEANS ANY INFORMATION THAT
IDENTIFIES OR COULD REASONABLY BE LINKED, DIRECTLY OR INDIRECTLY, TO A
PARTICULAR CONSUMER, HOUSEHOLD, OR CONSUMER DEVICE.
6. "PERSONAL HEALTH INFORMATION" MEANS ANY INDIVIDUALLY IDENTIFIABLE
INFORMATION ABOUT AN INDIVIDUAL'S MENTAL OR PHYSICAL CONDITION PROVIDED
BY SUCH INDIVIDUAL, OR OTHERWISE GAINED FROM MONITORING SUCH INDIVIDUAL'S
MENTAL OR PHYSICAL CONDITION.
7. "OTHER PERSONAL DATA" MEANS ANY INDIVIDUALLY IDENTIFIABLE INFORMATION
ABOUT AN INDIVIDUAL PROVIDED BY SUCH INDIVIDUAL, OR OTHERWISE
GAINED FROM MONITORING SUCH INDIVIDUAL, OTHER THAN PERSONAL HEALTH
INFORMATION.
8. "USER" MEANS AN INDIVIDUAL WHO HAS DOWNLOADED OR USES AN ELECTRONIC
HEALTH PRODUCT OR SERVICE.
9. "DATA PROCESSING" MEANS THE COLLECTION, USE, DISCLOSURE, OR PROCESSING
OF PERSONAL HEALTH INFORMATION OR OTHER DATA.
10. "COVERED ORGANIZATION" MEANS AN ENTITY THAT OFFERS AN ELECTRONIC
HEALTH PRODUCT OR SERVICE THAT IS SUBJECT TO THE PROVISIONS OF THIS
ARTICLE.
§ 1101. ELECTRONIC HEALTH PRODUCTS AND SERVICES; PRIVACY. 1. (A) IT
SHALL BE UNLAWFUL FOR A COVERED ORGANIZATION TO ENGAGE IN DATA PROCESSING
UNLESS:
(I) THE USER TO WHOM THE INFORMATION OR DATA PERTAINS HAS GIVEN AFFIRMATIVE
EXPRESS CONSENT TO SUCH DATA PROCESSING; AND
(II) SUCH DATA PROCESSING IS NECESSARY AND FOR THE PURPOSE OF:
(A) PROTECTING AGAINST MALICIOUS, DECEPTIVE, FRAUDULENT, OR ILLEGAL
ACTIVITY;
(B) DETECTING, RESPONDING TO, OR PREVENTING SECURITY INCIDENTS OR
THREATS; OR
(C) THE COVERED ORGANIZATION IS COMPELLED TO DO SO BY A LEGAL OBLIGATION.
(B) THE GENERAL NATURE OF ANY DATA PROCESSING SHALL BE CONVEYED BY THE
COVERED ORGANIZATION IN CLEAR AND PROMINENT TERMS IN SUCH A WAY THAT AN
ORDINARY CONSUMER WOULD NOTICE AND UNDERSTAND SUCH TERMS.
(C) A USER MAY CONSENT TO DATA PROCESSING ON BEHALF OF HIS OR HER
DEPENDENT MINORS.
(D) A COVERED ORGANIZATION SHALL PROVIDE AN EFFECTIVE MECHANISM FOR A
USER TO REVOKE THEIR CONSENT AFTER IT IS GIVEN. AFTER A USER REVOKES
THEIR CONSENT, THE COVERED ORGANIZATION SHALL CEASE ALL DATA PROCESSING
OF SUCH USER'S PERSONAL HEALTH INFORMATION OR OTHER DATA AS SOON AS
PRACTICABLE, BUT NOT LATER THAN FIFTEEN DAYS AFTER SUCH USER REVOKES
SUCH CONSENT.
2. IN ORDER TO OBTAIN CONSENT IN COMPLIANCE WITH SUBDIVISION ONE OF
THIS SECTION, AN ENTITY OFFERING AN ELECTRONIC HEALTH PRODUCT OR SERVICE
SHALL:
(A) DISCLOSE TO THE USER ALL PERSONAL HEALTH INFORMATION OR OTHER
PERSONAL DATA SUCH ELECTRONIC HEALTH PRODUCT OR SERVICE WILL COLLECT
FROM THE USER UPON OBTAINING CONSENT;
(B) DISCLOSE TO THE USER ANY THIRD PARTY WITH WHOM SUCH USER'S
PERSONAL HEALTH INFORMATION OR OTHER PERSONAL DATA MAY BE SHARED BY THE
ELECTRONIC HEALTH PRODUCT OR SERVICE UPON OBTAINING CONSENT;
(C) DISCLOSE TO THE USER THE PURPOSE FOR COLLECTING ANY PERSONAL
HEALTH INFORMATION OR OTHER PERSONAL DATA; AND
(D) ALLOW THE USER TO WITHDRAW CONSENT AT ANY TIME.
3. NO ELECTRONIC HEALTH PRODUCT OR SERVICE SHALL COLLECT ANY PERSONAL
HEALTH INFORMATION OR OTHER PERSONAL DATA BEYOND WHICH A USER HAS
SPECIFICALLY CONSENTED TO SHARE WITH SUCH ELECTRONIC HEALTH PRODUCT OR
SERVICE UNDER SUBDIVISION ONE OF THIS SECTION.
4. (A) AN ELECTRONIC HEALTH PRODUCT OR SERVICE SHALL DELETE OR OTHERWISE
DESTROY ANY PERSONAL HEALTH INFORMATION OR OTHER PERSONAL DATA
COLLECTED FROM A USER IMMEDIATELY UPON SUCH USER'S REQUEST, WITHDRAWAL
OF CONSENT, OR UPON SUCH USER'S DEACTIVATION OF HIS OR HER ACCOUNT.
(B) AN ENTITY THAT COLLECTS A USER'S PERSONAL HEALTH INFORMATION OR
OTHER DATA SHALL LIMIT ITS COLLECTION AND SHARING OF THAT INFORMATION
WITH THIRD PARTIES TO WHAT IS REASONABLY NECESSARY TO PROVIDE A SERVICE
OR CONDUCT AN ACTIVITY THAT A USER HAS REQUESTED OR IS REASONABLY NECESSARY
FOR SECURITY OR FRAUD PREVENTION. MONETIZATION OF INFORMATION OR
DATA SHALL BE CONSIDERED REASONABLY NECESSARY TO PROVIDE A SERVICE OR
CONDUCT AN ACTIVITY THAT A USER HAS REQUESTED OR REASONABLY NECESSARY
FOR SECURITY OR FRAUD PREVENTION.
(C) AN ENTITY THAT COLLECTS A USER'S PERSONAL HEALTH INFORMATION OR
OTHER DATA SHALL LIMIT ITS USE AND RETENTION OF SUCH INFORMATION TO WHAT
IS REASONABLY NECESSARY TO PROVIDE A SERVICE OR CONDUCT AN ACTIVITY THAT
A USER HAS REQUESTED OR A RELATED OPERATIONAL PURPOSE, PROVIDED THAT
INFORMATION COLLECTED OR RETAINED SOLELY FOR SECURITY OR FRAUD
PREVENTION MAY NOT BE USED FOR OPERATIONAL PURPOSES.
5. A COVERED ORGANIZATION SHALL NOT DISCRIMINATE AGAINST A USER
BECAUSE THE USER EXERCISED ANY OF THE USER'S RIGHTS UNDER THIS TITLE, OR
DID NOT AGREE TO INFORMATION PROCESSING FOR A SEPARATE PRODUCT OR
SERVICE, INCLUDING, BUT NOT LIMITED TO, BY:
(A) DENYING GOODS OR SERVICES TO THE USER.
(B) CHARGING DIFFERENT PRICES OR RATES FOR GOODS OR SERVICES, INCLUDING
THROUGH THE USE OF DISCOUNTS OR OTHER BENEFITS OR IMPOSING PENALTIES.
(C) PROVIDING A DIFFERENT LEVEL OR QUALITY OF GOODS OR SERVICES TO THE
USER.
(D) SUGGESTING THAT THE CONSUMER WILL RECEIVE A DIFFERENT PRICE OR
RATE FOR GOODS OR SERVICES OR A DIFFERENT LEVEL OR QUALITY OF GOODS OR
SERVICES.
6. A COVERED ORGANIZATION SHALL IMPLEMENT AND MAINTAIN REASONABLE
SECURITY PROCEDURES AND PRACTICES, INCLUDING ADMINISTRATIVE, PHYSICAL,
AND TECHNICAL SAFEGUARDS, APPROPRIATE TO THE NATURE OF THE INFORMATION
AND THE PURPOSES FOR WHICH THE PERSONAL HEALTH INFORMATION OR OTHER DATA
WILL BE USED, TO PROTECT CONSUMERS' PERSONAL HEALTH INFORMATION OR OTHER
DATA FROM UNAUTHORIZED USE, DISCLOSURE, ACCESS, DESTRUCTION, OR MODIFICATION.
§ 1102. PRIVATE RIGHT OF ACTION. 1. ANY PERSON WHO HAS BEEN INJURED BY
REASON OF A VIOLATION OF THIS ARTICLE MAY BRING AN ACTION IN HIS OR HER
OWN NAME, OR IN THE NAME OF HIS OR HER MINOR CHILD, TO ENJOIN SUCH
UNLAWFUL ACT, OR TO RECOVER HIS OR HER ACTUAL DAMAGES, OR BOTH SUCH
ACTIONS. THE COURT MAY AWARD REASONABLE ATTORNEY'S FEES TO A PREVAILING
PLAINTIFF.
2. ANY ENTITY WHO VIOLATES THIS ARTICLE IS SUBJECT TO AN INJUNCTION
AND LIABLE FOR DAMAGES AND A CIVIL PENALTY. WHEN CALCULATING DAMAGES AND
CIVIL PENALTIES, THE COURT SHALL CONSIDER THE NUMBER OF AFFECTED INDIVIDUALS,
THE SEVERITY OF THE VIOLATION, AND THE SIZE AND REVENUES OF THE
COVERED ENTITY. EACH INDIVIDUAL WHOSE DATA WAS UNLAWFULLY PROCESSED
COUNTS AS A SEPARATE VIOLATION. EACH PROVISION OF THIS ARTICLE THAT WAS
VIOLATED COUNTS AS A SEPARATE VIOLATION.
§ 2. This act shall take effect on the sixtieth day after it shall
have become a law.