STATE OF NEW YORK
3285
2023-2024 Regular Sessions
IN ASSEMBLY
February 2, 2023
Introduced by M. of A. L. ROSENTHAL, GALLAGHER, KELLES, SIMON, OTIS -- read once and referred to the Committee on Consumer Affairs and Protection
AN ACT to amend the general business law, in relation to electronic
health products and services
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEMBLY, DO ENACT AS FOLLOWS:
Section 1. The general business law is amended by adding a new article
42 to read as follows:
ARTICLE 42
ELECTRONIC HEALTH PRODUCTS AND SERVICES
SECTION 1100. DEFINITIONS.
1101. ELECTRONIC HEALTH PRODUCTS AND SERVICES; PRIVACY.
1102. PRIVATE RIGHT OF ACTION.
1103. ACTIONS THAT ARE HIPAA COMPLIANT.
§ 1100. DEFINITIONS. FOR THE PURPOSES OF THIS ARTICLE, THE FOLLOWING
TERMS SHALL HAVE THE FOLLOWING MEANINGS:
1. "CONSENT" MEANS AN ACTION WHICH (A) CLEARLY AND CONSPICUOUSLY
COMMUNICATES THE INDIVIDUAL'S AUTHORIZATION OF AN ACT OR PRACTICE; (B)
IS MADE IN THE ABSENCE OF ANY MECHANISM IN THE USER INTERFACE THAT HAS
THE PURPOSE OR SUBSTANTIAL EFFECT OF OBSCURING, SUBVERTING, OR IMPAIRING
DECISION MAKING OR CHOICE TO OBTAIN CONSENT; AND (C) CANNOT BE INFERRED
FROM INACTION.
2. "DEACTIVATION" MEANS A USER'S DELETION, REMOVAL, OR OTHER ACTION
MADE TO TERMINATE THEIR USE OF AN ELECTRONIC HEALTH PRODUCT OR SERVICE.
3. "ELECTRONIC HEALTH PRODUCT OR SERVICE" MEANS ANY SOFTWARE OR HARDWARE, INCLUDING A MOBILE APPLICATION, WEBSITE, OR OTHER RELATED PRODUCT OR SERVICE, THAT IS DESIGNED TO MAINTAIN PERSONAL HEALTH INFORMATION, IN ORDER TO MAKE SUCH PERSONAL HEALTH INFORMATION AVAILABLE TO A USER OR TO A HEALTH CARE PROVIDER AT THE REQUEST OF SUCH USER OR HEALTH CARE PROVIDER, FOR THE PURPOSES OF ALLOWING SUCH USER TO MANAGE THEIR INFORMATION, OR FOR THE DIAGNOSIS, TREATMENT, OR MANAGEMENT OF A MEDICAL CONDITION.
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets [ ] is old law to be omitted.
LBD01394-02-3
4. "HEALTH CARE PROVIDER" MEANS:
(A) A HOSPITAL AS DEFINED IN ARTICLE TWENTY-EIGHT OF THE PUBLIC HEALTH
LAW, A HOME CARE SERVICES AGENCY AS DEFINED IN ARTICLE THIRTY-SIX OF THE
PUBLIC HEALTH LAW, A HOSPICE AS DEFINED IN ARTICLE FORTY OF THE PUBLIC
HEALTH LAW, A HEALTH MAINTENANCE ORGANIZATION AS DEFINED IN ARTICLE
FORTY-FOUR OF THE PUBLIC HEALTH LAW, OR A SHARED HEALTH FACILITY AS
DEFINED IN ARTICLE FORTY-SEVEN OF THE PUBLIC HEALTH LAW; OR
(B) A PERSON LICENSED UNDER ARTICLE ONE HUNDRED THIRTY-ONE, ONE HUNDRED THIRTY-ONE-B, ONE HUNDRED THIRTY-TWO, ONE HUNDRED THIRTY-THREE, ONE HUNDRED THIRTY-SIX, ONE HUNDRED THIRTY-NINE, ONE HUNDRED FORTY-ONE, ONE HUNDRED FORTY-THREE, ONE HUNDRED FORTY-FOUR, ONE HUNDRED FIFTY-THREE, ONE HUNDRED FIFTY-FOUR, ONE HUNDRED FIFTY-SIX OR ONE HUNDRED FIFTY-NINE OF THE EDUCATION LAW.
5. "INDIVIDUALLY IDENTIFIABLE INFORMATION" MEANS ANY INFORMATION THAT
IDENTIFIES OR COULD REASONABLY BE LINKED, DIRECTLY OR INDIRECTLY, TO A
PARTICULAR CONSUMER, HOUSEHOLD, OR CONSUMER DEVICE.
6. "PERSONAL HEALTH INFORMATION" MEANS ANY INDIVIDUALLY IDENTIFIABLE
INFORMATION ABOUT AN INDIVIDUAL'S MENTAL OR PHYSICAL CONDITION PROVIDED
BY SUCH INDIVIDUAL, OR OTHERWISE GAINED OR INFERRED FROM MONITORING SUCH
INDIVIDUAL'S MENTAL OR PHYSICAL CONDITION.
7. "OTHER PERSONAL DATA" MEANS ANY INDIVIDUALLY IDENTIFIABLE INFORMATION ABOUT AN INDIVIDUAL PROVIDED BY SUCH INDIVIDUAL, OR OTHERWISE GAINED OR INFERRED FROM MONITORING SUCH INDIVIDUAL, OTHER THAN PERSONAL HEALTH INFORMATION.
8. "USER" MEANS AN INDIVIDUAL WHO HAS DOWNLOADED OR USES AN ELECTRONIC
HEALTH PRODUCT OR SERVICE.
9. "DATA PROCESSING" MEANS ANY ACTION OR SET OF ACTIONS PERFORMED ON OR WITH PERSONAL INFORMATION, INCLUDING BUT NOT LIMITED TO COLLECTION, ACCESS, USE, RETENTION, SHARING, MONETIZING, ANALYSIS, CREATION, GENERATION, DERIVATION, DECISION-MAKING, RECORDING, ALTERATION, ORGANIZATION, STRUCTURING, STORAGE, DISCLOSURE, TRANSMISSION, SALE, LICENSING, DISPOSAL, DESTRUCTION, DE-IDENTIFYING, OR OTHER HANDLING OF PERSONAL INFORMATION.
10. "COVERED ORGANIZATION" MEANS AN ENTITY THAT OFFERS AN ELECTRONIC
HEALTH PRODUCT OR SERVICE THAT IS SUBJECT TO THE PROVISIONS OF THIS
ARTICLE.
§ 1101. ELECTRONIC HEALTH PRODUCTS AND SERVICES; PRIVACY. 1. (A) IT SHALL BE UNLAWFUL FOR A COVERED ORGANIZATION TO ENGAGE IN DATA PROCESSING UNLESS:
(I) THE USER TO WHOM THE INFORMATION OR DATA PERTAINS HAS GIVEN AFFIRMATIVE EXPRESS CONSENT TO SUCH DATA PROCESSING; OR
(II) SUCH DATA PROCESSING IS STRICTLY NECESSARY AND PROPORTIONATE FOR
THE PURPOSE OF:
(A) PROTECTING AGAINST MALICIOUS, FRAUDULENT, OR ILLEGAL ACTIVITY;
(B) DETECTING, RESPONDING TO, OR PREVENTING SECURITY INCIDENTS OR
THREATS; OR
(C) THE COVERED ORGANIZATION IS COMPELLED TO DO SO BY A WARRANT OR
COURT ORDER.
(B) THE GENERAL NATURE OF ANY DATA PROCESSING SHALL BE CONVEYED BY THE COVERED ORGANIZATION IN A STANDALONE DOCUMENT SUCH AS A DATA PROCESSING ADDENDUM, AND IN CLEAR AND PROMINENT TERMS IN SUCH A WAY THAT AN ORDINARY CONSUMER WOULD NOTICE AND UNDERSTAND SUCH TERMS.
(C) A USER MAY CONSENT TO DATA PROCESSING ON BEHALF OF THEIR DEPENDENT
MINORS.
(D) A COVERED ORGANIZATION SHALL PROVIDE AN EFFECTIVE MECHANISM FOR A
USER TO REVOKE THEIR CONSENT AFTER IT IS GIVEN. AFTER A USER REVOKES
THEIR CONSENT, THE COVERED ORGANIZATION SHALL CEASE ALL DATA PROCESSING
OF SUCH USER'S PERSONAL HEALTH INFORMATION OR OTHER PERSONAL DATA AS
SOON AS PRACTICABLE, BUT NOT LATER THAN FIFTEEN DAYS AFTER SUCH USER
REVOKES SUCH CONSENT. THE COVERED ORGANIZATION SHALL ALSO DELETE OR
OTHERWISE DESTROY ANY SUCH USER'S PERSONAL HEALTH INFORMATION OR OTHER
PERSONAL DATA PER THE TERMS OF PARAGRAPH (A) OF SUBDIVISION FOUR OF THIS
SECTION.
2. IN ORDER TO OBTAIN CONSENT IN COMPLIANCE WITH SUBDIVISION ONE OF
THIS SECTION, AN ENTITY OFFERING AN ELECTRONIC HEALTH PRODUCT OR SERVICE
SHALL:
(A) DISCLOSE TO THE USER ALL PERSONAL HEALTH INFORMATION OR OTHER
PERSONAL DATA SUCH ELECTRONIC HEALTH PRODUCT OR SERVICE WILL COLLECT
FROM THE USER UPON OBTAINING CONSENT;
(B) DISCLOSE TO THE USER ANY THIRD PARTY WITH WHOM SUCH USER'S
PERSONAL HEALTH INFORMATION OR OTHER PERSONAL DATA MAY BE SHARED BY THE
ELECTRONIC HEALTH PRODUCT OR SERVICE UPON OBTAINING CONSENT;
(C) DISCLOSE TO THE USER THE PURPOSE FOR COLLECTING ANY PERSONAL
HEALTH INFORMATION OR OTHER PERSONAL DATA; AND
(D) ALLOW THE USER TO WITHDRAW CONSENT AT ANY TIME.
3. NO ELECTRONIC HEALTH PRODUCT OR SERVICE SHALL COLLECT ANY PERSONAL
HEALTH INFORMATION OR OTHER PERSONAL DATA BEYOND WHICH A USER HAS
SPECIFICALLY CONSENTED TO SHARE WITH SUCH ELECTRONIC HEALTH PRODUCT OR
SERVICE UNDER SUBDIVISION ONE OF THIS SECTION.
4. (A) AN ELECTRONIC HEALTH PRODUCT OR SERVICE SHALL DELETE OR OTHERWISE DESTROY ANY PERSONAL HEALTH INFORMATION OR OTHER PERSONAL DATA COLLECTED FROM A USER IMMEDIATELY UPON SUCH USER'S REQUEST, WITHDRAWAL OF CONSENT, OR UPON SUCH USER'S DEACTIVATION OF THEIR ACCOUNT.
(B) AN ENTITY THAT COLLECTS A USER'S PERSONAL HEALTH INFORMATION OR
OTHER PERSONAL DATA SHALL LIMIT ITS COLLECTION AND SHARING OF THAT
INFORMATION WITH THIRD PARTIES TO WHAT IS REASONABLY NECESSARY TO
PROVIDE A SERVICE OR CONDUCT AN ACTIVITY THAT A USER HAS REQUESTED OR IS
REASONABLY NECESSARY FOR SECURITY OR FRAUD PREVENTION.
(C) AN ENTITY THAT COLLECTS A USER'S PERSONAL HEALTH INFORMATION OR OTHER PERSONAL DATA SHALL LIMIT ITS USE AND RETENTION OF SUCH INFORMATION TO WHAT IS STRICTLY NECESSARY TO PROVIDE A SERVICE OR CONDUCT AN ACTIVITY THAT A USER HAS REQUESTED OR A RELATED OPERATIONAL PURPOSE, PROVIDED THAT INFORMATION COLLECTED OR RETAINED SOLELY FOR SECURITY OR FRAUD PREVENTION MAY NOT BE USED FOR OPERATIONAL PURPOSES. MONETIZATION OF PERSONAL HEALTH INFORMATION OR OTHER PERSONAL DATA, INCLUDING BUT NOT LIMITED TO THE USE OF TARGETED ADVERTISING, CROSS-CONTEXT BEHAVIORAL ADVERTISING OR MARKETING SERVICES, OR THE USE OF PERSONAL HEALTH INFORMATION FOR TRAINING OR INCLUSION IN MACHINE LEARNING MODELS, BEYOND THAT WHICH A USER HAS EXPLICITLY CONSENTED TO SHALL NOT BE CONSIDERED STRICTLY NECESSARY TO PROVIDE A SERVICE OR CONDUCT AN ACTIVITY OR A RELATED OPERATIONAL PURPOSE.
(D) IF A USER DELETES THEIR PERSONAL HEALTH INFORMATION OR OTHER PERSONAL DATA COLLECTED BY AN ENTITY, OR REQUESTS THE ENTITY DELETE THEIR PERSONAL HEALTH INFORMATION OR OTHER PERSONAL DATA, SUCH ENTITY SHALL RETAIN SUCH USER'S PERSONAL HEALTH INFORMATION OR OTHER PERSONAL DATA ON ANY SERVER OR DATA MANAGEMENT SYSTEM NO LONGER THAN THIRTY DAYS AFTER SUCH DELETION OR REQUEST. THE ENTITY MUST GIVE THE USER AN OPPORTUNITY TO DOWNLOAD A COPY OF SUCH PERSONAL HEALTH INFORMATION OR PERSONAL DATA PRIOR TO PERMANENT DELETION.
5. A COVERED ORGANIZATION SHALL NOT DISCRIMINATE AGAINST A USER
BECAUSE THE USER EXERCISED ANY OF THE USER'S RIGHTS UNDER THIS ARTICLE,
OR DID NOT AGREE TO INFORMATION PROCESSING FOR A SEPARATE PRODUCT OR
SERVICE, INCLUDING, BUT NOT LIMITED TO, BY:
(A) DENYING GOODS OR SERVICES TO THE USER.
(B) CHARGING DIFFERENT PRICES OR RATES FOR GOODS OR SERVICES, INCLUDING THROUGH THE USE OF DISCOUNTS OR OTHER BENEFITS OR IMPOSING PENALTIES.
(C) PROVIDING A DIFFERENT LEVEL OR QUALITY OF GOODS OR SERVICES TO THE
USER.
(D) SUGGESTING THAT THE CONSUMER WILL RECEIVE A DIFFERENT PRICE OR
RATE FOR GOODS OR SERVICES OR A DIFFERENT LEVEL OR QUALITY OF GOODS OR
SERVICES.
6. A COVERED ORGANIZATION SHALL IMPLEMENT AND MAINTAIN REASONABLE SECURITY PROCEDURES AND PRACTICES, INCLUDING ADMINISTRATIVE, PHYSICAL, AND TECHNICAL SAFEGUARDS, APPROPRIATE TO THE NATURE OF THE INFORMATION AND THE PURPOSES FOR WHICH THE PERSONAL HEALTH INFORMATION OR OTHER PERSONAL DATA WILL BE USED, TO PROTECT CONSUMERS' PERSONAL HEALTH INFORMATION OR OTHER PERSONAL DATA FROM UNAUTHORIZED USE, DISCLOSURE, ACCESS, DESTRUCTION, OR MODIFICATION.
§ 1102. PRIVATE RIGHT OF ACTION. 1. ANY PERSON WHO HAS BEEN INJURED BY REASON OF A VIOLATION OF THIS ARTICLE MAY BRING AN ACTION IN THEIR OWN NAME, OR IN THE NAME OF THEIR MINOR CHILD, TO ENJOIN SUCH UNLAWFUL ACT, OR TO RECOVER THE GREATER OF THEIR ACTUAL DAMAGES OR ONE THOUSAND DOLLARS, OR BOTH SUCH ACTIONS. THE COURT SHALL AWARD REASONABLE ATTORNEY'S FEES TO A PREVAILING PLAINTIFF. ACTIONS PURSUANT TO THIS SECTION MAY BE BROUGHT ON A CLASS-WIDE BASIS.
2. ANY ENTITY WHO VIOLATES THIS ARTICLE IS SUBJECT TO AN INJUNCTION AND LIABLE FOR DAMAGES AND A CIVIL PENALTY. WHEN CALCULATING DAMAGES AND CIVIL PENALTIES, THE COURT SHALL CONSIDER THE NUMBER OF AFFECTED INDIVIDUALS, THE SEVERITY OF THE VIOLATION, AND THE SIZE AND REVENUES OF THE COVERED ENTITY. EACH INDIVIDUAL WHOSE DATA WAS UNLAWFULLY PROCESSED COUNTS AS A SEPARATE VIOLATION. EACH PROVISION OF THIS ARTICLE THAT WAS VIOLATED COUNTS AS A SEPARATE VIOLATION.
§ 1103. ACTIONS THAT ARE HIPAA COMPLIANT. NOTHING IN THIS ARTICLE SHALL PROHIBIT ANY ACTION TAKEN WITH RESPECT TO THE HEALTH INFORMATION OF AN INDIVIDUAL BY A BUSINESS ASSOCIATE OR COVERED ORGANIZATION THAT IS PERMISSIBLE UNDER THE FEDERAL REGULATIONS CONCERNING STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION PROMULGATED UNDER SECTION 264(C) OF THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996.
§ 2. This act shall take effect on the sixtieth day after it shall
have become a law.