STATE OF NEW YORK
________________________________________________________________________
799
2023-2024 Regular Sessions
IN ASSEMBLY
January 11, 2023
___________
Introduced by M. of A. L. ROSENTHAL -- read once and referred to the
Committee on Insurance
AN ACT to amend the insurance law, in relation to the establishment of
the "Wellness Program Privacy Act"
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEMBLY,
DO ENACT AS FOLLOWS:
Section 1. This act shall be known and may be cited as the "Wellness
Program Privacy Act".
§ 2. The insurance law is amended by adding a new section 3239-a to
read as follows:
§ 3239-A. WELLNESS PROGRAM PRIVACY. (A) DEFINITIONS. FOR PURPOSES OF
THIS SECTION:
(1) "EMPLOYER" MEANS:
(I) ANY PERSON WHO DIRECTLY EMPLOYS FIFTY OR MORE PERSONS TO PERFORM
SERVICES FOR A WAGE OR SALARY; OR
(II) THE STATE AND ANY POLITICAL OR CIVIL SUBDIVISION OF THE STATE, OR
ANY COUNTY OR CITY OR OTHER MUNICIPALITY.
(2) "COLLECTS," "COLLECTED," OR "COLLECTION" MEANS BUYING, RENTING,
GATHERING, OBTAINING, RECEIVING, OR ACCESSING ANY PERSONAL INFORMATION
OR PROTECTED HEALTH INFORMATION PERTAINING TO A CONSUMER BY ANY MEANS.
THIS INCLUDES RECEIVING INFORMATION FROM SUCH CONSUMER, EITHER ACTIVELY
OR PASSIVELY, OR BY OBSERVING SUCH CONSUMER'S BEHAVIOR.
(3) "ADMINISTRATION AND OPERATION OF A WELLNESS PROGRAM" MEANS, BUT IS
NOT LIMITED TO, THE USE OF PERSONAL INFORMATION WHEN REASONABLY NECESSARY
AND PROPORTIONATE TO ACHIEVE ONE OF THE FOLLOWING PURPOSES:
(I) DETECTING AND RESPONDING TO SECURITY INCIDENTS ARISING FROM A
WELLNESS PROGRAM AND PROTECTING AGAINST MALICIOUS, DECEPTIVE, FRAUDULENT,
OR ILLEGAL ACTIVITY RELATED TO A WELLNESS PROGRAM;
(II) EXECUTING FUNCTIONS OF A WELLNESS PROGRAM FOR THE BENEFIT OF THE
INSURED;
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD00693-01-3
(III) UNDERTAKING INTERNAL RESEARCH FOR TECHNOLOGICAL DEVELOPMENT AND
DEMONSTRATION RELATED TO A WELLNESS PROGRAM; OR
(IV) UNDERTAKING ACTIVITIES TO VERIFY OR MAINTAIN THE QUALITY OR SAFETY
OF A SERVICE OR DEVICE THAT IS OWNED BY, MANUFACTURED BY, MANUFACTURED
FOR, OR CONTROLLED BY THE INSURER, OR TO IMPROVE, UPGRADE, OR
ENHANCE THE SERVICE OR DEVICE THAT IS OWNED BY, MANUFACTURED BY, MANUFACTURED
FOR, OR CONTROLLED BY THE INSURER RELATED TO A WELLNESS
PROGRAM.
(4) "PERSONAL INFORMATION" MEANS INFORMATION THAT IDENTIFIES OR COULD
REASONABLY BE LINKED, DIRECTLY OR INDIRECTLY, WITH A PARTICULAR CONSUMER,
HOUSEHOLD, OR CONSUMER DEVICE. "PERSONAL INFORMATION" SHALL NOT
INCLUDE PUBLICLY AVAILABLE INFORMATION.
(5) "PUBLICLY AVAILABLE" MEANS INFORMATION THAT IS LAWFULLY MADE
AVAILABLE FROM FEDERAL, STATE, OR LOCAL GOVERNMENT RECORDS, IF ANY
CONDITIONS ASSOCIATED WITH SUCH INFORMATION. "PUBLICLY AVAILABLE" SHALL
NOT MEAN INFORMATION COLLECTED BY AN EMPLOYER OR INSURER ABOUT AN ENROLLEE
WITHOUT THE ENROLLEE'S KNOWLEDGE. "PERSONAL INFORMATION" DOES NOT
INCLUDE ENROLLEE INFORMATION THAT IS DE-IDENTIFIED OR AGGREGATE ENROLLEE
INFORMATION.
(6) "RETALIATORY" OR "ADVERSE ACTION" IN THE CONTEXT OF AN EMPLOYER
OFFERING A WELLNESS PROGRAM TO ITS EMPLOYEES SHALL INCLUDE: DENIAL OF
COVERAGE, TERMINATION OF EMPLOYMENT, REQUIRING ONE HUNDRED PERCENT
PAYMENT OF MEDICAL CARE PREMIUMS WHEN AN EMPLOYER PAYS A PORTION OF THE
PREMIUM FOR WELLNESS PROGRAM PARTICIPANTS, OR REDUCING CONTRIBUTIONS TO
PARTICIPANTS' HEALTH SAVINGS ACCOUNTS.
(7) "RETALIATORY" OR "ADVERSE ACTION" IN THE CONTEXT OF AN INSURER
OFFERING A WELLNESS PROGRAM SHALL INCLUDE: DENIAL OF COVERAGE, TERMINATION
OF COVERAGE BASED ON NON-PARTICIPATION OR FAILURE TO ACHIEVE
WELLNESS TARGETS, OR ADJUSTMENTS TO INSURANCE PREMIUMS.
(B) FAIR COLLECTION AND USE OF PERSONAL INFORMATION. (1) ANY INSURER
OR EMPLOYER THAT COLLECTS A WELLNESS PROGRAM PARTICIPANT'S PERSONAL
INFORMATION IN THE ADMINISTRATION AND OPERATION OF A WELLNESS PROGRAM
SHALL LIMIT ITS COLLECTION TO WHAT IS REASONABLY NECESSARY TO OPERATE
THE WELLNESS PROGRAM IN WHICH A CONSUMER IS ENROLLED.
(2) ANY INSURER OR EMPLOYER THAT COLLECTS A WELLNESS PROGRAM PARTICIPANT'S
PERSONAL INFORMATION IN THE ADMINISTRATION AND OPERATION OF A
WELLNESS PROGRAM SHALL LIMIT ITS USE AND RETENTION OF PERSONAL INFORMATION
TO WHAT IS REASONABLY NECESSARY TO ADMINISTER AND OPERATE THE WELLNESS
PROGRAM IN WHICH A CONSUMER IS ENROLLED AND FOR RELATED ADMINISTRATIVE
AND OPERATIONAL PURPOSES.
(3) NO INSURER OR EMPLOYER SHALL SHARE WITH THIRD PARTIES ANY PERSONAL
INFORMATION OR DATA COLLECTED THROUGH A WELLNESS PROGRAM.
(4) FOLLOWING THE CLOSE OF A WELLNESS PROGRAM, AN EMPLOYEE'S TERMINATION,
OR THE END OF AN ENROLLEE'S TERM OF INSURANCE, ANY PERSONAL
INFORMATION OR DATA SHALL BE DELETED OR DE-IDENTIFIED.
(5) WELLNESS PROGRAM PARTICIPANTS SHALL HAVE THE RIGHT TO OBTAIN A
COPY OF THEIR WELLNESS PROGRAM DATA, AND SHALL HAVE THE RIGHT TO CHALLENGE
THE COMPLETENESS AND ACCURACY OF ANY DATA THE PROGRAM HAS ABOUT
THEM.
(6) THE REQUIREMENTS DESCRIBED IN THIS SUBDIVISION SHALL APPLY, TO THE
EXTENT THAT THEY ARE APPLICABLE, TO ANY ENTITY THAT AN INSURER OR
EMPLOYER CONTRACTS WITH FOR PURPOSES OF ADMINISTERING OR OPERATING A
WELLNESS PROGRAM ON SUCH INSURER OR EMPLOYER'S BEHALF.
(C) TRANSPARENCY. ANY INSURER OR AN EMPLOYER THAT COLLECTS A WELLNESS
PROGRAM PARTICIPANT'S PERSONAL INFORMATION IN THE ADMINISTRATION AND
OPERATION OF A WELLNESS PROGRAM SHALL PROVIDE SUCH PARTICIPANT WITH A
WRITTEN EXPLANATION OF:
(1) ALL DATA COLLECTED IN THE PROGRAM;
(2) PRACTICES RELATED TO DATA SHARING, INCLUDING WHO WILL HAVE ACCESS
TO SUCH DATA; AND
(3) THE WELLNESS PROGRAM ENROLLEE'S RIGHTS CONCERNING THE WELLNESS
PROGRAM UNDER FEDERAL AND STATE LAWS, RULES, AND REGULATIONS.
(D) PROHIBITION OF DISCRIMINATION BASED ON PARTICIPATION. (1) ANY
EMPLOYER THAT OFFERS A WELLNESS PROGRAM TO ITS EMPLOYEES, OR ANY INSURER
THAT OFFERS A WELLNESS PROGRAM TO ENROLLEES, SHALL NOT ENGAGE IN RETALIATORY
OR ADVERSE ACTION AGAINST INDIVIDUALS WHO DO NOT PARTICIPATE IN
WELLNESS PROGRAMS.
(2) THE TOTAL AMOUNT OF ALL WELLNESS PROGRAM INCENTIVES SHALL BE
LIMITED TO AN AMOUNT DEEMED BY THE SUPERINTENDENT NOT TO BE COERCIVE.
(E) ENFORCEMENT AND ENROLLEE PRIVATE RIGHT OF ACTION. (1) ANY CONSUMER
WHO HAS SUFFERED FROM A VIOLATION OF THIS SECTION BY AN EMPLOYER OR
INSURER MAY BRING A LAWSUIT AGAINST SUCH EMPLOYER OR INSURER. A
VIOLATION OF THIS SECTION SHALL BE DEEMED TO CONSTITUTE AN INJURY IN
FACT TO THE CONSUMER WHO HAS SUFFERED FROM SUCH VIOLATION, AND THE
CONSUMER NEED NOT SUFFER A LOSS OF MONEY OR PROPERTY AS A RESULT OF THE
VIOLATION IN ORDER TO BRING AN ACTION FOR A VIOLATION OF THIS SECTION.
(2) A CONSUMER WHO PREVAILS IN SUCH A LAWSUIT SHALL OBTAIN THE FOLLOWING
REMEDIES:
(I) DAMAGES IN AN AMOUNT NOT GREATER THAN THE INCREASED HEALTH OR LIFE
INSURANCE PREMIUM COST DUE TO PENALTIES OR LOST INCENTIVES, OR SEVEN
HUNDRED FIFTY DOLLARS PER CONSUMER PER INCIDENT, OR ACTUAL DAMAGES,
WHICHEVER IS GREATER;
(II) INJUNCTIVE OR DECLARATORY RELIEF, AS THE COURT DEEMS PROPER;
(III) REASONABLE ATTORNEYS' FEES AND COSTS; AND
(IV) ANY OTHER RELIEF THE COURT DEEMS PROPER.
(3) IN ASSESSING THE AMOUNT OF STATUTORY DAMAGES, THE COURT SHALL
CONSIDER ANY ONE OR MORE OF THE RELEVANT CIRCUMSTANCES PRESENTED BY ANY
OF THE PARTIES TO THE CASE, INCLUDING, BUT NOT LIMITED TO, THE NATURE
AND SERIOUSNESS OF THE MISCONDUCT, THE NUMBER OF VIOLATIONS, THE
PERSISTENCE OF THE MISCONDUCT, THE LENGTH OF TIME OVER WHICH THE MISCONDUCT
OCCURRED, THE WILLFULNESS OF THE DEFENDANT'S MISCONDUCT, AND THE
DEFENDANT'S ASSETS, LIABILITIES, AND NET WORTH.
(4) A CONSUMER BRINGING AN ACTION SHALL NOTIFY THE ATTORNEY GENERAL
WITHIN THIRTY DAYS THAT THE ACTION HAS BEEN FILED.
(5) THE ATTORNEY GENERAL MAY BRING A CIVIL ACTION, IN THE NAME OF THE
PEOPLE OF THE STATE, AGAINST ANY EMPLOYER OR INSURER IN VIOLATION OF
THIS SECTION.
(6) THE DEPARTMENT MAY PURSUE ENFORCEMENT ACTION AGAINST HEALTH INSURERS,
HEALTH PLANS, OR LIFE INSURERS IN VIOLATION OF THIS SECTION.
(7) ANY EMPLOYER OR INSURER THAT VIOLATES THIS SECTION MAY BE LIABLE
FOR A CIVIL PENALTY OF UP TO SEVEN THOUSAND FIVE HUNDRED DOLLARS FOR
EACH INTENTIONAL VIOLATION, AND UP TO TWO THOUSAND FIVE HUNDRED DOLLARS
FOR EACH UNINTENTIONAL VIOLATION.
§ 3. This act shall take effect immediately.