STATE OF NEW YORK
4983--C
2023-2024 Regular Sessions
IN ASSEMBLY
February 27, 2023
Introduced by M. of A. L. ROSENTHAL, CUNNINGHAM, REYES, DINOWITZ, SIMON,
TAPIA, SHIMSKY, FAHY, BICHOTTE HERMELYN, EPSTEIN, BURDICK, McDONALD,
BRAUNSTEIN, SEAWRIGHT, LUCAS, STIRPE, AUBRY, GLICK, KIM, DILAN,
TAYLOR, SEPTIMO, GONZALEZ-ROJAS, LEVENBERG, MITAYNES, ARDILA, THIELE
-- read once and referred to the Committee on Science and Technology
-- committee discharged, bill amended, ordered reprinted as amended
and recommitted to said committee -- again reported from said committee
with amendments, ordered reprinted as amended and recommitted to
said committee -- recommitted to the Committee on Science and Technology
in accordance with Assembly Rule 3, sec. 2 -- committee
discharged, bill amended, ordered reprinted as amended and recommitted
to said committee
AN ACT to amend the general business law, in relation to providing for
the protection of health information
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEMBLY,
DO ENACT AS FOLLOWS:
Section 1. The general business law is amended by adding a new article
42 to read as follows:
ARTICLE 42
NEW YORK HEALTH INFORMATION PRIVACY ACT
SECTION 1100. DEFINITIONS.
1101. REQUIREMENTS FOR COMMUNICATIONS TO INDIVIDUALS.
1102. LAWFULNESS OF PROCESSING REGULATED HEALTH INFORMATION.
1103. INDIVIDUAL RIGHTS.
1104. SECURITY.
1105. SERVICE PROVIDERS.
1106. EXEMPTIONS.
1107. ENFORCEMENT.
1108. CONTRACTS AND WAIVERS VOID AND UNENFORCEABLE.
§ 1100. DEFINITIONS. AS USED IN THIS ARTICLE, THE FOLLOWING TERMS
SHALL HAVE THE FOLLOWING MEANINGS:
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD01105-14-4
A. 4983--C 2
1. "DEIDENTIFIED INFORMATION" MEANS INFORMATION THAT CANNOT REASONABLY
BE USED TO INFER INFORMATION ABOUT, OR OTHERWISE BE LINKED TO A PARTIC-
ULAR INDIVIDUAL, HOUSEHOLD, OR DEVICE, PROVIDED THAT THE REGULATED ENTI-
TY OR SERVICE PROVIDER THAT PROCESSES THE INFORMATION:
(A) IMPLEMENTS REASONABLE TECHNICAL SAFEGUARDS TO ENSURE THAT THE
INFORMATION CANNOT BE ASSOCIATED WITH AN INDIVIDUAL, HOUSEHOLD, OR
DEVICE;
(B) PUBLICLY COMMITS TO PROCESS THE INFORMATION ONLY AS DEIDENTIFIED
INFORMATION AND NOT ATTEMPT TO REIDENTIFY THE INFORMATION, EXCEPT THAT
THE REGULATED ENTITY OR SERVICE PROVIDER MAY ATTEMPT TO REIDENTIFY THE
INFORMATION SOLELY FOR THE PURPOSE OF DETERMINING WHETHER ITS DEIDEN-
TIFICATION PROCESSES SATISFY THE REQUIREMENTS OF THIS SECTION; AND
(C) CONTRACTUALLY OBLIGATES ANY RECIPIENT OF THE DEIDENTIFIED INFORMA-
TION TO COMPLY WITH ALL REQUIREMENTS OF THIS SECTION.
2. "REGULATED HEALTH INFORMATION" MEANS ANY INFORMATION THAT IS
REASONABLY LINKABLE TO AN INDIVIDUAL OR DEVICE, INCLUDING, BUT NOT
LIMITED TO, ANY NAME, NUMBER, PERSONAL MARK, OR OTHER IDENTIFIER, SUCH
AS A DEVICE IDENTIFIER, THAT IDENTIFIES OR REVEALS AN INDIVIDUAL'S PAST,
PRESENT, OR FUTURE PHYSICAL OR MENTAL HEALTH STATUS. REGULATED HEALTH
INFORMATION INCLUDES, WITHOUT LIMITATION, INFORMATION THAT IS DERIVED,
EXTRAPOLATED OR INFERRED FROM NON-HEALTH INFORMATION, SUCH AS LOCATION
OR PAYMENT INFORMATION, ONLINE BROWSING OR APP USAGE, OR INCLUDED IN A
PROFILE RELATING TO THAT INDIVIDUAL. REGULATED HEALTH INFORMATION SHALL
NOT INCLUDE DEIDENTIFIED INFORMATION.
3. "PROCESS" OR "PROCESSING" MEANS AN OPERATION OR SET OF OPERATIONS
PERFORMED ON REGULATED HEALTH INFORMATION, INCLUDING BUT NOT LIMITED TO
THE COLLECTION, USE, ACCESS, SHARING, SALE, MONETIZATION, ANALYSIS,
RETENTION, CREATION, GENERATION, DERIVATION, RECORDING, ORGANIZATION,
STRUCTURING, STORAGE, DISCLOSURE, TRANSMISSION, DISPOSAL, LICENSING,
DESTRUCTION, DELETION, MODIFICATION, OR DEIDENTIFICATION OF REGULATED
HEALTH INFORMATION.
4. "REGULATED ENTITY" MEANS ANY ENTITY THAT (A) CONTROLS THE PROCESS-
ING OF REGULATED HEALTH INFORMATION OF AN INDIVIDUAL WHO IS A NEW YORK
RESIDENT, (B) CONTROLS THE PROCESSING OF REGULATED HEALTH INFORMATION OF
AN INDIVIDUAL WHO IS PHYSICALLY PRESENT IN NEW YORK WHILE THAT INDIVID-
UAL IS IN NEW YORK, OR (C) IS LOCATED IN NEW YORK AND CONTROLS THE PROC-
ESSING OF REGULATED HEALTH INFORMATION. A REGULATED ENTITY MAY ALSO BE A
SERVICE PROVIDER DEPENDING UPON THE CONTEXT IN WHICH REGULATED HEALTH
INFORMATION IS PROCESSED.
5. "SELL" MEANS TO SHARE REGULATED HEALTH INFORMATION FOR MONETARY OR
OTHER VALUABLE CONSIDERATION. SELLING DOES NOT INCLUDE THE SHARING OF
REGULATED HEALTH INFORMATION FOR MONETARY OR OTHER VALUABLE CONSIDER-
ATION TO A THIRD PARTY AS AN ASSET THAT IS PART OF A MERGER, ACQUISI-
TION, BANKRUPTCY, OR OTHER TRANSACTION IN WHICH THE THIRD PARTY ASSUMES
CONTROL OF ALL OR PART OF THE REGULATED ENTITY'S ASSETS.
6. "SERVICE PROVIDER" MEANS ANY PERSON OR ENTITY THAT PROCESSES REGU-
LATED HEALTH INFORMATION ON BEHALF OF A REGULATED ENTITY. A SERVICE
PROVIDER MAY ALSO BE A REGULATED ENTITY DEPENDING UPON THE CONTEXT IN
WHICH REGULATED HEALTH INFORMATION IS PROCESSED.
7. "THIRD PARTY" MEANS A PERSON OR ENTITY OTHER THAN THE INDIVIDUAL,
REGULATED ENTITY, OR SERVICE PROVIDER INVOLVED IN A TRANSACTION OR
OCCURRENCE THAT INVOLVES REGULATED HEALTH INFORMATION. A THIRD PARTY MAY
ALSO BE A REGULATED ENTITY OR SERVICE PROVIDER DEPENDING UPON THE
CONTEXT IN WHICH REGULATED HEALTH INFORMATION IS PROCESSED.
§ 1101. REQUIREMENTS FOR COMMUNICATIONS TO INDIVIDUALS. ALL NOTICES,
DISCLOSURES, FORMS, AND OTHER COMMUNICATIONS TO INDIVIDUALS PROVIDED
PURSUANT TO THIS ARTICLE SHALL COMPLY WITH THE FOLLOWING:
1. IN GENERAL, ALL COMMUNICATIONS SHALL USE PLAIN, STRAIGHTFORWARD
LANGUAGE, AVOIDING TECHNICAL OR LEGAL JARGON, AND MUST BE PROVIDED
THROUGH AN INTERFACE THE INDIVIDUAL REGULARLY USES IN CONNECTION WITH
THE REGULATED ENTITY'S PRODUCT OR SERVICE.
2. ALL COMMUNICATIONS SHALL BE REASONABLY ACCESSIBLE TO INDIVIDUALS
WITH DISABILITIES, INCLUDING BY:
(A) UTILIZING DIGITAL ACCESSIBILITY TOOLS;
(B) FOR NOTICES, COMPLYING WITH GENERALLY RECOGNIZED INDUSTRY STANDARDS,
INCLUDING, BUT NOT LIMITED TO, CURRENT STANDARDS SET BY STANDARDS SETTING
BODIES SUCH AS THE WORLD WIDE WEB CONSORTIUM, OR OTHER SIMILAR STANDARDS
SETTING BODIES AS DETERMINED BY THE ATTORNEY GENERAL; AND
(C) FOR OTHER COMMUNICATIONS, PROVIDING INFORMATION ABOUT HOW AN INDI-
VIDUAL WITH A DISABILITY MAY ACCESS THE COMMUNICATION IN AN ALTERNATIVE
FORMAT.
3. ALL COMMUNICATIONS SHALL BE AVAILABLE IN THE LANGUAGES IN WHICH THE
REGULATED ENTITY PROVIDES INFORMATION VIA ITS WEBSITE AND SERVICES. ANY
DIRECT COMMUNICATION TO AN INDIVIDUAL SHALL BE PROVIDED IN THE LANGUAGE
IN WHICH THE INDIVIDUAL ORDINARILY INTERACTS WITH THE REGULATED ENTITY
OR ITS SERVICE PROVIDER.
4. A REGULATED ENTITY SHALL MAKE ANY NOTICE FOR PROCESSING PURSUANT TO
A PERMISSIBLE PURPOSE, PURSUANT TO SUBPARAGRAPH (II) OF PARAGRAPH (B) OF
SUBDIVISION ONE OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE, OR FORM
FOR PROCESSING PURSUANT TO AUTHORIZATION, PURSUANT TO SUBPARAGRAPH (I)
OF PARAGRAPH (B) OF SUBDIVISION ONE OF SECTION ELEVEN HUNDRED TWO OF
THIS ARTICLE, PUBLICLY AVAILABLE ON ITS WEBSITE. IF AN AUTHORIZATION
FORM IS CUSTOMIZED FOR EACH INDIVIDUAL, THE REGULATED ENTITY MAY INSTEAD
PUBLICLY POST A SAMPLE AUTHORIZATION FORM ON ITS WEBSITE.
§ 1102. LAWFULNESS OF PROCESSING REGULATED HEALTH INFORMATION. 1. IN
GENERAL, IT SHALL BE UNLAWFUL FOR A REGULATED ENTITY TO:
(A) SELL AN INDIVIDUAL'S REGULATED HEALTH INFORMATION TO A THIRD
PARTY; OR
(B) OTHERWISE PROCESS AN INDIVIDUAL'S REGULATED HEALTH INFORMATION
UNLESS:
(I) THE INDIVIDUAL HAS PROVIDED VALID AUTHORIZATION FOR SUCH PROCESS-
ING AS SET FORTH IN PARAGRAPH (B) OF SUBDIVISION TWO OF THIS SECTION; OR
(II) PROCESSING OF AN INDIVIDUAL'S REGULATED HEALTH INFORMATION IS
STRICTLY NECESSARY FOR THE PURPOSE OF:
(A) PROVIDING OR MAINTAINING A SPECIFIC PRODUCT OR SERVICE REQUESTED
BY SUCH INDIVIDUAL;
(B) CONDUCTING THE REGULATED ENTITY'S INTERNAL BUSINESS OPERATIONS,
WHICH EXCLUDE ANY ACTIVITIES RELATED TO MARKETING, ADVERTISING, RESEARCH
AND DEVELOPMENT, OR PROVIDING PRODUCTS OR SERVICES TO THIRD PARTIES;
(C) PROTECTING AGAINST MALICIOUS, FRAUDULENT, OR ILLEGAL ACTIVITY;
(D) DETECTING, RESPONDING TO, OR PREVENTING SECURITY INCIDENTS OR
THREATS;
(E) PROTECTING THE VITAL INTERESTS OF AN INDIVIDUAL;
(F) INVESTIGATING, ESTABLISHING, EXERCISING, PREPARING FOR, OR DEFEND-
ING LEGAL CLAIMS; OR
(G) COMPLYING WITH THE REGULATED ENTITY'S LEGAL OBLIGATIONS.
2. A REGULATED ENTITY THAT PROCESSES REGULATED HEALTH INFORMATION
PURSUANT TO VALID AUTHORIZATION AS REQUIRED BY SUBPARAGRAPH (I) OF PARA-
GRAPH (B) OF SUBDIVISION ONE OF THIS SECTION SHALL COMPLY WITH THE
FOLLOWING:
(A) A REQUEST FOR AUTHORIZATION TO PROCESS AN INDIVIDUAL'S REGULATED
HEALTH INFORMATION SHALL:
(I) BE MADE SEPARATELY FROM ANY OTHER TRANSACTION OR PART OF A TRANS-
ACTION;
(II) BE MADE AT LEAST TWENTY-FOUR HOURS AFTER AN INDIVIDUAL CREATES AN
ACCOUNT OR FIRST USES THE REQUESTED PRODUCT OR SERVICE;
(III) BE MADE IN THE ABSENCE OF ANY MECHANISM THAT HAS THE PURPOSE OR
SUBSTANTIAL EFFECT OF OBSCURING, SUBVERTING, OR IMPAIRING AN INDIVID-
UAL'S DECISION-MAKING REGARDING AUTHORIZATION FOR PROCESSING;
(IV) IF REQUESTING AUTHORIZATION FOR MULTIPLE CATEGORIES OF PROCESSING
ACTIVITIES, ALLOW THE INDIVIDUAL TO PROVIDE OR WITHHOLD AUTHORIZATION
SEPARATELY FOR EACH CATEGORY OF PROCESSING ACTIVITY; AND
(V) NOT INCLUDE ANY REQUEST FOR AUTHORIZATION FOR A PROCESSING ACTIV-
ITY FOR WHICH AN INDIVIDUAL HAS WITHHELD OR REVOKED AUTHORIZATION WITHIN
THE PAST CALENDAR YEAR.
(B) A VALID AUTHORIZATION SHALL INCLUDE:
(I) THE TYPES OF REGULATED HEALTH INFORMATION TO BE PROCESSED;
(II) THE NATURE OF THE PROCESSING ACTIVITY;
(III) THE SPECIFIC PURPOSES FOR SUCH PROCESSING;
(IV) THE NAMES WHERE READILY AVAILABLE, OR CATEGORIES OF SERVICE
PROVIDERS AND THIRD PARTIES TO WHICH THE REGULATED ENTITY MAY DISCLOSE
THE INDIVIDUAL'S REGULATED HEALTH INFORMATION AND THE PURPOSES FOR SUCH
DISCLOSURE, INCLUDING THE CIRCUMSTANCES UNDER WHICH THE REGULATED ENTITY
MAY DISCLOSE REGULATED HEALTH INFORMATION TO LAW ENFORCEMENT;
(V) ANY MONETARY OR OTHER VALUABLE CONSIDERATION THE REGULATED ENTITY
MAY RECEIVE IN CONNECTION WITH PROCESSING THE INDIVIDUAL'S REGULATED
HEALTH INFORMATION, WHERE APPLICABLE;
(VI) THAT FAILING TO PROVIDE AUTHORIZATION WILL NOT AFFECT THE INDI-
VIDUAL'S EXPERIENCE OF USING THE REGULATED ENTITY'S PRODUCTS OR
SERVICES;
(VII) THE EXPIRATION DATE OF THE AUTHORIZATION, WHICH MAY BE UP TO ONE
YEAR FROM THE DATE AUTHORIZATION WAS PROVIDED;
(VIII) THE MECHANISM BY WHICH THE INDIVIDUAL MAY REVOKE AUTHORIZATION
PRIOR TO EXPIRATION;
(IX) THE MECHANISM BY WHICH THE INDIVIDUAL MAY REQUEST ACCESS TO AND
DELETION OF THEIR REGULATED HEALTH INFORMATION;
(X) ANY OTHER INFORMATION MATERIAL TO AN INDIVIDUAL'S DECISION-MAKING
REGARDING AUTHORIZATION FOR PROCESSING; AND
(XI) THE SIGNATURE, WHICH MAY BE ELECTRONIC, OF THE INDIVIDUAL WHO IS
THE SUBJECT OF THE REGULATED HEALTH INFORMATION, OR A PARENT OR GUARDIAN
AUTHORIZED BY LAW TO TAKE ACTIONS OF LEGAL CONSEQUENCE ON BEHALF OF THE
INDIVIDUAL WHO IS THE SUBJECT OF THE REGULATED HEALTH INFORMATION, AND
THE DATE.
(C) (I) A REGULATED ENTITY THAT RECEIVES AUTHORIZATION FOR PROCESSING
SHALL PROVIDE AN EFFECTIVE, EFFICIENT, AND EASY-TO-USE MECHANISM BY
WHICH AN INDIVIDUAL MAY REVOKE AUTHORIZATION AT ANY TIME THROUGH AN
INTERFACE THE INDIVIDUAL REGULARLY USES IN CONNECTION WITH THE REGULATED
ENTITY'S PRODUCT OR SERVICE.
(II) UPON AN INDIVIDUAL'S REVOCATION OF AUTHORIZATION, THE REGULATED
ENTITY SHALL IMMEDIATELY CEASE ALL PROCESSING ACTIVITIES FOR WHICH
AUTHORIZATION WAS REVOKED, EXCEPT TO THE EXTENT NECESSARY TO COMPLY WITH
THE REGULATED ENTITY'S LEGAL OBLIGATIONS.
(III) FOR INDIVIDUALS WHO HAVE AN ONLINE ACCOUNT WITH THE REGULATED
ENTITY, THE REGULATED ENTITY MUST PROVIDE, IN A CONSPICUOUS AND EASILY
ACCESSIBLE PLACE WITHIN THE ACCOUNT SETTINGS, A LIST OF ALL PROCESSING
ACTIVITIES FOR WHICH THE INDIVIDUAL HAS PROVIDED AUTHORIZATION AND, FOR
EACH PROCESSING ACTIVITY, ALLOW THE INDIVIDUAL TO REVOKE AUTHORIZATION
IN THE SAME PLACE WITH ONE MOTION OR ACTION.
(D) UPON OBTAINING VALID AUTHORIZATION FROM AN INDIVIDUAL, THE REGU-
LATED ENTITY SHALL PROVIDE THAT INDIVIDUAL A COPY OF THE AUTHORIZATION.
THE AUTHORIZATION SHALL BE PROVIDED IN A MANNER THAT IS CAPABLE OF BEING
RETAINED BY THE INDIVIDUAL.
(E) THE REGULATED ENTITY SHALL LIMIT ITS PROCESSING TO WHAT WAS CLEAR-
LY DISCLOSED TO AN INDIVIDUAL PURSUANT TO PARAGRAPH (B) OF THIS SUBDIVI-
SION WHEN THE REGULATED ENTITY RECEIVED AUTHORIZATION FROM THE INDIVID-
UAL.
(F) IF THE REGULATED ENTITY SEEKS TO MATERIALLY ALTER ITS PROCESSING
ACTIVITIES FOR REGULATED HEALTH INFORMATION COLLECTED PURSUANT TO
AUTHORIZATION, THE REGULATED ENTITY SHALL OBTAIN A NEW AUTHORIZATION FOR
THE NEW OR ALTERED PROCESSING ACTIVITY.
(G) PROVIDING A PRODUCT OR SERVICE REQUESTED BY AN INDIVIDUAL MUST NOT
BE MADE CONTINGENT ON PROVIDING AUTHORIZATION. THE REGULATED ENTITY MUST
NOT DISCRIMINATE AGAINST AN INDIVIDUAL FOR WITHHOLDING AUTHORIZATION,
SUCH AS BY CHARGING DIFFERENT PRICES OR RATES FOR PRODUCTS OR SERVICES,
INCLUDING THROUGH THE USE OF DISCOUNTS OR OTHER BENEFITS, IMPOSING
PENALTIES, OR PROVIDING A DIFFERENT LEVEL OR QUALITY OF SERVICES OR
GOODS TO THE INDIVIDUAL.
3. A REGULATED ENTITY THAT PROCESSES REGULATED HEALTH INFORMATION
PURSUANT TO A PERMISSIBLE PURPOSE PURSUANT TO SUBPARAGRAPH (II) OF PARA-
GRAPH (B) OF SUBDIVISION ONE OF THIS SECTION SHALL COMPLY WITH THE
FOLLOWING:
(A) A REGULATED ENTITY SHALL PROVIDE CLEAR AND CONSPICUOUS NOTICE THAT
DESCRIBES:
(I) THE TYPES OF REGULATED HEALTH INFORMATION TO BE PROCESSED;
(II) THE NATURE OF THE PROCESSING ACTIVITY;
(III) THE SPECIFIC PURPOSES FOR SUCH PROCESSING;
(IV) THE NAMES WHERE READILY AVAILABLE, OR CATEGORIES OF SERVICE
PROVIDERS AND THIRD PARTIES TO WHICH THE REGULATED ENTITY MAY DISCLOSE
THE INDIVIDUAL'S REGULATED HEALTH INFORMATION AND THE PURPOSES FOR SUCH
DISCLOSURE, INCLUDING THE CIRCUMSTANCES UNDER WHICH THE REGULATED ENTITY
MAY DISCLOSE REGULATED HEALTH INFORMATION TO LAW ENFORCEMENT; AND
(V) THE MECHANISM BY WHICH THE INDIVIDUAL MAY REQUEST ACCESS TO AND
DELETION OF THEIR REGULATED HEALTH INFORMATION.
(B) IF THE REGULATED ENTITY MATERIALLY ALTERS ITS PROCESSING ACTIV-
ITIES FOR REGULATED HEALTH INFORMATION COLLECTED PURSUANT TO A PERMISSI-
BLE PURPOSE, THE REGULATED ENTITY MUST PROVIDE A CLEAR AND CONSPICUOUS
NOTICE IN PLAIN LANGUAGE, SEPARATE FROM A PRIVACY POLICY, TERMS OF
SERVICE, OR SIMILAR DOCUMENT, THAT DESCRIBES ANY MATERIAL CHANGES TO THE
PROCESSING ACTIVITIES AND PROVIDE THE INDIVIDUAL WITH AN OPPORTUNITY TO
REQUEST DELETION OF THEIR REGULATED HEALTH INFORMATION.
§ 1103. INDIVIDUAL RIGHTS. 1. (A) A REGULATED ENTITY SHALL MAKE AVAIL-
ABLE AN EFFECTIVE, EFFICIENT, AND EASY-TO-USE MECHANISM THROUGH AN
INTERFACE THE INDIVIDUAL REGULARLY USES IN CONNECTION WITH THE REGULATED
ENTITY'S PRODUCT OR SERVICE BY WHICH AN INDIVIDUAL MAY REQUEST ACCESS TO
THEIR REGULATED HEALTH INFORMATION.
(B) WITHIN THIRTY DAYS OF RECEIVING AN ACCESS REQUEST, THE REGULATED
ENTITY SHALL MAKE AVAILABLE A COPY OF ALL REGULATED HEALTH INFORMATION
ABOUT THE INDIVIDUAL THAT THE REGULATED ENTITY MAINTAINS OR THAT SERVICE
PROVIDERS MAINTAIN ON BEHALF OF THE REGULATED ENTITY.
2. (A) A REGULATED ENTITY SHALL MAKE AVAILABLE AN EFFECTIVE, EFFI-
CIENT, AND EASY-TO-USE MECHANISM THROUGH AN INTERFACE THE INDIVIDUAL
REGULARLY USES IN CONNECTION WITH THE REGULATED ENTITY'S PRODUCT OR
SERVICE BY WHICH AN INDIVIDUAL MAY REQUEST THE DELETION OF THEIR REGU-
LATED HEALTH INFORMATION.
(B) AN INDIVIDUAL'S REQUEST TO DELETE OR CANCEL THEIR ONLINE ACCOUNT
SHALL BE TREATED AS A REQUEST TO DELETE THE INDIVIDUAL'S REGULATED
HEALTH INFORMATION.
(C) WITHIN THIRTY DAYS OF RECEIVING A DELETION REQUEST, THE REGULATED
ENTITY SHALL:
(I) DELETE ALL REGULATED HEALTH INFORMATION ASSOCIATED WITH THE INDI-
VIDUAL IN THE REGULATED ENTITY'S POSSESSION OR CONTROL, EXCEPT TO THE
EXTENT NECESSARY TO COMPLY WITH THE REGULATED ENTITY'S LEGAL OBLI-
GATIONS; AND
(II) UNLESS IT PROVES IMPOSSIBLE OR INVOLVES DISPROPORTIONATE EFFORT
THAT IS DOCUMENTED IN WRITING BY THE REGULATED ENTITY, COMMUNICATE SUCH
REQUEST TO EACH SERVICE PROVIDER OR THIRD PARTY THAT PROCESSED THE INDI-
VIDUAL'S REGULATED HEALTH INFORMATION IN CONNECTION WITH A TRANSACTION
INVOLVING THE REGULATED ENTITY OCCURRING WITHIN ONE YEAR PRECEDING THE
INDIVIDUAL'S REQUEST.
(D) ANY SERVICE PROVIDER OR THIRD PARTY THAT RECEIVES NOTICE OF AN
INDIVIDUAL'S DELETION REQUEST SHALL WITHIN THIRTY DAYS DELETE ALL REGU-
LATED HEALTH INFORMATION ASSOCIATED WITH THE INDIVIDUAL IN ITS
POSSESSION OR CONTROL, EXCEPT TO THE EXTENT NECESSARY TO COMPLY WITH ITS
LEGAL OBLIGATIONS.
3. ANY RIGHT SET FORTH IN THIS SECTION MAY BE EXERCISED AT ANY TIME BY
THE INDIVIDUAL WHO IS THE SUBJECT OF THE REGULATED HEALTH INFORMATION OR
AN AGENT AUTHORIZED BY SUCH INDIVIDUAL.
§ 1104. SECURITY. 1. IN GENERAL, A REGULATED ENTITY SHALL DEVELOP,
IMPLEMENT, AND MAINTAIN REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYS-
ICAL SAFEGUARDS TO PROTECT THE SECURITY, CONFIDENTIALITY, AND INTEGRITY
OF REGULATED HEALTH INFORMATION.
2. A REGULATED ENTITY MUST SECURELY DISPOSE OF AN INDIVIDUAL'S REGU-
LATED HEALTH INFORMATION PURSUANT TO A PUBLICLY AVAILABLE RETENTION
SCHEDULE WITHIN A REASONABLE TIME, AND IN NO EVENT LATER THAN SIXTY
DAYS, AFTER IT IS NO LONGER NECESSARY TO MAINTAIN FOR THE PERMISSIBLE
PURPOSE OR PURPOSES IDENTIFIED IN THE NOTICE OR FOR WHICH THE INDIVIDUAL
PROVIDED VALID AUTHORIZATION.
§ 1105. SERVICE PROVIDERS. 1. IN GENERAL, ANY PROCESSING OF REGULATED
HEALTH INFORMATION BY A SERVICE PROVIDER ON BEHALF OF A REGULATED ENTITY
SHALL BE GOVERNED BY A WRITTEN, BINDING AGREEMENT. SUCH AGREEMENT SHALL
CLEARLY SET FORTH INSTRUCTIONS FOR PROCESSING REGULATED HEALTH INFORMA-
TION, THE NATURE AND PURPOSE OF PROCESSING, THE DURATION OF PROCESSING,
AND THE RIGHTS AND OBLIGATIONS OF BOTH PARTIES.
2. AN AGREEMENT PURSUANT TO SUBDIVISION ONE OF THIS SECTION SHALL
REQUIRE THAT THE SERVICE PROVIDER:
(A) ENSURE THAT EACH PERSON PROCESSING REGULATED HEALTH INFORMATION IS
SUBJECT TO A DUTY OF CONFIDENTIALITY WITH RESPECT TO SUCH INFORMATION;
(B) PROTECT REGULATED HEALTH INFORMATION IN A MANNER CONSISTENT WITH
THE REQUIREMENTS OF THIS ARTICLE;
(C) PROCESS REGULATED HEALTH INFORMATION ONLY WHEN AND TO THE EXTENT
NECESSARY TO COMPLY WITH ITS OBLIGATIONS TO THE REGULATED ENTITY;
(D) NOT COMBINE THE REGULATED HEALTH INFORMATION WHICH THE SERVICE
PROVIDER RECEIVES FROM OR ON BEHALF OF THE REGULATED ENTITY WITH ANY
OTHER PERSONAL INFORMATION WHICH THE SERVICE PROVIDER RECEIVES FROM OR
ON BEHALF OF ANOTHER PARTY OR COLLECTS FROM ITS OWN RELATIONSHIP WITH
INDIVIDUALS;
(E) COMPLY WITH ANY EXERCISES OF AN INDIVIDUAL'S RIGHTS UNDER SECTION
ELEVEN HUNDRED THREE OF THIS ARTICLE UPON THE REQUEST OF THE REGULATED
ENTITY AND NOTIFY ANY SERVICE PROVIDERS OR THIRD PARTIES TO WHICH IT
DISCLOSED REGULATED HEALTH INFORMATION OF THE REQUEST;
(F) DELETE OR RETURN ALL REGULATED HEALTH INFORMATION TO THE REGULATED
ENTITY AT THE END OF THE PROVISION OF SERVICES, UNLESS RETENTION OF THE
REGULATED HEALTH INFORMATION IS REQUIRED BY LAW;
(G) UPON THE REASONABLE REQUEST OF THE REGULATED ENTITY, MAKE AVAIL-
ABLE TO THE REGULATED ENTITY ALL DATA IN ITS POSSESSION NECESSARY TO
DEMONSTRATE THE SERVICE PROVIDER'S COMPLIANCE WITH THE OBLIGATIONS IN
THIS SECTION;
(H) ALLOW, AND COOPERATE WITH, REASONABLE ASSESSMENTS BY THE REGULATED
ENTITY OR THE REGULATED ENTITY'S DESIGNATED ASSESSOR FOR PURPOSES OF
EVALUATING COMPLIANCE WITH THE OBLIGATIONS OF THIS ARTICLE. ALTERNA-
TIVELY, THE SERVICE PROVIDER MAY ARRANGE FOR A QUALIFIED AND INDEPENDENT
ASSESSOR TO CONDUCT AN ASSESSMENT OF THE SERVICE PROVIDER'S POLICIES AND
TECHNICAL AND ORGANIZATIONAL MEASURES IN SUPPORT OF THE OBLIGATIONS
UNDER THIS ARTICLE USING AN APPROPRIATE AND ACCEPTED CONTROL STANDARD OR
FRAMEWORK AND ASSESSMENT PROCEDURE FOR SUCH ASSESSMENTS. THE SERVICE
PROVIDER SHALL PROVIDE A REPORT OF SUCH ASSESSMENT TO THE REGULATED
ENTITY UPON REQUEST;
(I) NOTIFY THE REGULATED ENTITY A REASONABLE TIME IN ADVANCE BEFORE
DISCLOSING OR TRANSFERRING REGULATED HEALTH INFORMATION TO ANY FURTHER
SERVICE PROVIDERS, WHICH MAY BE IN THE FORM OF A REGULARLY UPDATED LIST
OF FURTHER SERVICE PROVIDERS THAT MAY ACCESS REGULATED HEALTH INFORMA-
TION; AND
(J) ENGAGE ANY FURTHER SERVICE PROVIDER PURSUANT TO A WRITTEN, BINDING
AGREEMENT THAT INCLUDES THE CONTRACTUAL REQUIREMENTS PROVIDED IN THIS
SECTION, CONTAINING AT MINIMUM THE SAME OBLIGATIONS THAT THE SERVICE
PROVIDER HAS ENTERED INTO WITH REGARD TO REGULATED HEALTH INFORMATION.
§ 1106. EXEMPTIONS. NOTHING IN THIS ARTICLE SHALL APPLY TO:
1. INFORMATION PROCESSED BY LOCAL, STATE, AND FEDERAL GOVERNMENTS, AND
MUNICIPAL CORPORATIONS;
2. PROTECTED HEALTH INFORMATION THAT IS COLLECTED BY A COVERED ENTITY
OR BUSINESS ASSOCIATE GOVERNED BY THE PRIVACY, SECURITY, AND BREACH
NOTIFICATION RULES ISSUED BY THE UNITED STATES DEPARTMENT OF HEALTH AND
HUMAN SERVICES, PARTS 160 AND 164 OF TITLE 45 OF THE CODE OF FEDERAL
REGULATIONS, ESTABLISHED PURSUANT TO THE HEALTH INSURANCE PORTABILITY
AND ACCOUNTABILITY ACT OF 1996 (PUBLIC LAW 104-191) AND THE HEALTH
INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT (PUBLIC LAW
111-5);
3. ANY COVERED ENTITY GOVERNED BY THE PRIVACY, SECURITY, AND BREACH
NOTIFICATION RULES ISSUED BY THE UNITED STATES DEPARTMENT OF HEALTH AND
HUMAN SERVICES, PARTS 160 AND 164 OF TITLE 45 OF THE CODE OF FEDERAL
REGULATIONS, ESTABLISHED PURSUANT TO THE HEALTH INSURANCE PORTABILITY
AND ACCOUNTABILITY ACT OF 1996 (PUBLIC LAW 104-191), TO THE EXTENT THE
COVERED ENTITY MAINTAINS PATIENT INFORMATION IN THE SAME MANNER AS
PROTECTED HEALTH INFORMATION AS DESCRIBED IN SUBDIVISION TWO OF THIS
SECTION; AND
4. INFORMATION COLLECTED AS PART OF A CLINICAL TRIAL SUBJECT TO THE
FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS, ALSO KNOWN AS THE
COMMON RULE, PURSUANT TO GOOD CLINICAL PRACTICE GUIDELINES ISSUED BY THE
INTERNATIONAL COUNCIL FOR HARMONISATION OR PURSUANT TO HUMAN SUBJECT
PROTECTION REQUIREMENTS OF THE UNITED STATES FOOD AND DRUG ADMINIS-
TRATION.
§ 1107. ENFORCEMENT. 1. WHENEVER IT APPEARS TO THE ATTORNEY GENERAL,
EITHER UPON COMPLAINT OR OTHERWISE, THAT ANY PERSON OR PERSONS, WITHIN
OR OUTSIDE THE STATE, HAS ENGAGED IN OR IS ABOUT TO ENGAGE IN ANY OF THE
ACTS OR PRACTICES STATED TO BE UNLAWFUL UNDER THIS ARTICLE, THE ATTORNEY
GENERAL MAY BRING AN ACTION OR SPECIAL PROCEEDING IN THE NAME AND ON
BEHALF OF THE PEOPLE OF THE STATE OF NEW YORK TO ENJOIN ANY VIOLATION OF
THIS ARTICLE, TO OBTAIN RESTITUTION OF ANY MONEYS OR PROPERTY OBTAINED
DIRECTLY OR INDIRECTLY BY ANY SUCH VIOLATION, TO OBTAIN DISGORGEMENT OF
ANY PROFITS OBTAINED DIRECTLY OR INDIRECTLY BY ANY SUCH VIOLATION, TO
OBTAIN CIVIL PENALTIES OF NOT MORE THAN FIFTEEN THOUSAND DOLLARS PER
VIOLATION OR TWENTY PERCENT OF REVENUE OBTAINED FROM NEW YORK CONSUMERS
WITHIN THE PAST FISCAL YEAR, WHICHEVER IS GREATER, AND TO OBTAIN ANY
SUCH OTHER AND FURTHER RELIEF AS THE COURT MAY DEEM PROPER, INCLUDING
PRELIMINARY RELIEF.
2. THE REMEDIES PROVIDED BY THIS SECTION SHALL BE IN ADDITION TO ANY
OTHER LAWFUL REMEDY AVAILABLE.
3. ANY ACTION OR SPECIAL PROCEEDING BROUGHT BY THE ATTORNEY GENERAL
PURSUANT TO THIS SECTION MUST BE COMMENCED WITHIN SIX YEARS OF THE DATE
ON WHICH THE ATTORNEY GENERAL BECAME AWARE OF THE VIOLATION.
4. IN CONNECTION WITH ANY PROPOSED ACTION OR SPECIAL PROCEEDING UNDER
THIS SECTION, THE ATTORNEY GENERAL IS AUTHORIZED TO TAKE PROOF AND MAKE
A DETERMINATION OF THE RELEVANT FACTS, AND TO ISSUE SUBPOENAS IN ACCORD-
ANCE WITH THE CIVIL PRACTICE LAW AND RULES. THE ATTORNEY GENERAL MAY
ALSO REQUIRE SUCH OTHER DATA AND INFORMATION AS THEY MAY DEEM RELEVANT
AND MAY REQUIRE WRITTEN RESPONSES TO QUESTIONS UNDER OATH. SUCH POWER OF
SUBPOENA AND EXAMINATION SHALL NOT ABATE OR TERMINATE BY REASON OF ANY
ACTION OR SPECIAL PROCEEDING BROUGHT BY THE ATTORNEY GENERAL UNDER THIS
ARTICLE.
5. THIS SECTION SHALL APPLY TO ALL ACTS DECLARED TO BE UNLAWFUL IN
THIS ARTICLE, WHETHER OR NOT SUBJECT TO ANY OTHER LAW OF THIS STATE, AND
SHALL NOT SUPERSEDE, AMEND OR REPEAL ANY OTHER LAW OF THIS STATE UNDER
WHICH THE ATTORNEY GENERAL IS AUTHORIZED TO TAKE ANY ACTION OR CONDUCT
ANY INQUIRY.
6. THE ATTORNEY GENERAL MAY PROMULGATE SUCH RULES AND REGULATIONS AS
ARE NECESSARY TO EFFECTUATE AND ENFORCE THE PROVISIONS OF THIS SECTION.
§ 1108. CONTRACTS AND WAIVERS VOID AND UNENFORCEABLE. 1. ANY CONTRAC-
TUAL PROVISION INCONSISTENT WITH THIS ARTICLE SHALL BE VOID AND UNEN-
FORCEABLE.
2. ANY WAIVER BY ANY INDIVIDUAL OF THE PROVISIONS OF THIS ARTICLE
SHALL BE VOID AND UNENFORCEABLE.
§ 2. Severability. If any clause, sentence, paragraph, subdivision,
section or part of this act shall be adjudged by any court of competent
jurisdiction to be invalid, such judgment shall not affect, impair, or
invalidate the remainder thereof, but shall be confined in its operation
to the clause, sentence, paragraph, subdivision, section or part thereof
directly involved in the controversy in which such judgment shall have
been rendered. It is hereby declared to be the intent of the legislature
that this act would have been enacted even if such invalid provisions
had not been included herein.
§ 3. This act shall take effect one year after it shall have become a
law. Effective immediately, the addition, amendment and/or repeal of any
rule or regulation necessary for the implementation of this act on its
effective date are authorized to be made and completed on or before such
effective date.