NY State Assembly Bill 2025-A2613

Assembly Bill A2613

2025-2026 Legislative Session

Provides additional protections for sensitive health information and requires patients to have the right to restrict the disclosures of such patient's health information

download bill text pdf

Current Bill Status - In Assembly Committee

Introduced
- In Committee Assembly
- In Committee Senate
- On Floor Calendar Assembly
- On Floor Calendar Senate
- Passed Assembly
- Passed Senate
Delivered to Governor
Signed By Governor

Please enter your contact information

First Name

Last Name

Email Address

A valid email address is required.

Home address is used to determine the senate district in which you reside. Your support or opposition to this bill is then shared immediately with the senator who represents you.

Optional services from the NY State Senate:

Create an account. An account allows you to officially support or oppose key legislation, sign petitions with a single click, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Include a custom message for your Senator? (Optional)

Enter a message to your senator. Many New Yorkers use this to share the reasoning behind their support or opposition to the bill. Others might share a personal anecdote about how the bill would affect them or people they care about.

Actions

View Actions

	Assembly Actions - Lowercase Senate Actions - UPPERCASE
Jan 21, 2025	referred to health

co-Sponsors

2025-A2613 (ACTIVE) - Details

See Senate Version of this Bill:: S1633
Current Committee:: Assembly Health
Law Section:: Public Health Law
Laws Affected:: Add §§25 & 26, Pub Health L
Versions Introduced in 2023-2024 Legislative Session:: A8884, S7879

2025-A2613 (ACTIVE) - Summary

Provides additional protections for sensitive health information and requires all health information networks, electronic health record systems, and health care providers to provide patients with a right to restrict the disclosures of such patient's health information; defines terms; provides for exceptions.

2025-A2613 (ACTIVE) - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                   2613
 
                        2025-2026 Regular Sessions
 
                           I N  A S S E M B L Y
 
                             January 21, 2025
                                ___________
 
 Introduced  by M. of A. LUNSFORD, TAPIA, ROZIC -- read once and referred
   to the Committee on Health
 
 AN ACT to amend the public health law, in relation  to  providing  addi-
   tional  protections for sensitive health information and requiring all
   health information networks, electronic  health  record  systems,  and
   health care providers to provide patients with a right to restrict the
   disclosures of such patient's health information
 
   THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. The public health law is amended by adding two new sections
 25 and 26 to read as follows:
   § 25. PRIVACY OF  INFORMATION  DISCLOSED  THROUGH  HEALTH  INFORMATION
 NETWORKS. 1. DEFINITIONS. FOR PURPOSES OF THIS SECTION:
   (A)  "BUSINESS  ASSOCIATE" SHALL HAVE THE SAME MEANING AS SET FORTH IN
 45 CFR 160.103.
   (B) "CODIFIED SENSITIVE INFORMATION" MEANS PATIENT  INFORMATION  THAT,
 BY  ASSOCIATED  STANDARD  CODES COMMONLY USED IN THE EXCHANGE OF PATIENT
 INFORMATION INCLUDING, BUT NOT LIMITED TO ICD-10 OR SNOMED, CAN BE IDEN-
 TIFIED AS SENSITIVE INFORMATION IN ACCORDANCE WITH SUBDIVISION THREE  OF
 THIS SECTION.
   (C)  "DISCLOSURE" MEANS THE RELEASE, TRANSFER, PROVISION OF ACCESS TO,
 OR DIVULGING IN ANY MANNER OF INFORMATION OUTSIDE THE ENTITY THAT DELIV-
 ERED THE HEALTH CARE AND THE PATIENT WHO RECEIVED  THE  CARE,  AND  SUCH
 TERM SHALL NOT INCLUDE ANY OF THE EXCEPTIONS SET FORTH IN THE DEFINITION
 OF  "DISCLOSURE  TO  ANY  OTHER  PERSON"  AS DEFINED IN PARAGRAPH (E) OF
 SUBDIVISION ONE OF SECTION EIGHTEEN OF THIS CHAPTER.
   (D) "ELECTRONIC HEALTH RECORDS SYSTEM" MEANS ANY ENTITY  OPERATING  IN
 THE  STATE  OF  NEW YORK THAT ELECTRONICALLY STORES OR MAINTAINS PATIENT
 INFORMATION, ELECTRONIC HEALTH RECORDS, PERSONAL HEALTH RECORDS,  HEALTH
 CARE  CLAIMS,  OR  PAYMENT  AND OTHER ADMINISTRATIVE DATA ON BEHALF OF A
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD04417-02-5
 A. 2613                             2

 
 HEALTH CARE PROVIDER, HEALTH CARE SERVICE PLAN, PHARMACEUTICAL  COMPANY,
 CONTRACTOR, OR EMPLOYER.
   (E) "HEALTH CARE PROVIDER" SHALL HAVE THE SAME MEANING AS SET FORTH IN
 PARAGRAPH  (B)  OF SUBDIVISION ONE OF SECTION EIGHTEEN OF THIS TITLE AND
 FOR PURPOSES OF THIS SECTION SHALL REFER TO HEALTH CARE  PROVIDERS  THAT
 ARE  LOCATED  IN  THE  STATE  OF  NEW  YORK AND USE A HEALTH INFORMATION
 NETWORK TO RECEIVE,  HOLD  OR  EXCHANGE  PATIENT  INFORMATION  ON  THEIR
 BEHALF.
   (F)  "HEALTH  INFORMATION  NETWORK" SHALL MEAN ANY ENTITY, INCLUDING A
 HEALTH INFORMATION TECHNOLOGY DEVELOPER OF CERTIFIED HEALTH  INFORMATION
 TECHNOLOGY,  THAT  RECEIVES,  HOLDS  OR EXCHANGES PATIENT INFORMATION IN
 ELECTRONIC FORM ON BEHALF OF A  HEALTH  CARE  PROVIDER  AND  MAKES  SUCH
 INFORMATION  AVAILABLE  TO  TWO OR MORE INDIVIDUALS OR ENTITIES THAT ARE
 UNAFFILIATED WITH THE HEALTH CARE PROVIDER FOR  PURPOSES  OF  TREATMENT,
 PAYMENT,  OR  HEALTH  CARE  OPERATIONS, AS THOSE TERMS ARE DEFINED UNDER
 HIPAA, OR A QUALIFIED HEALTH INFORMATION NETWORK  AS  ESTABLISHED  UNDER
 TEFCA,  WHICH  EXCHANGES  PATIENT INFORMATION ON BEHALF OF A HEALTH CARE
 PROVIDER LOCATED IN THE STATE OF NEW YORK. AN ENTITY MAY  QUALIFY  AS  A
 "HEALTH   INFORMATION  NETWORK"  IRRESPECTIVE  OF  WHETHER  SUCH  ENTITY
 RECEIVES FUNDING FROM  THE  DEPARTMENT.  THE  TERM  "HEALTH  INFORMATION
 NETWORK" SHALL NOT INCLUDE:
   (I) A HEALTH CARE PROVIDER;
   (II) AN ENTITY THAT MAKES PATIENT INFORMATION AVAILABLE SOLELY:
   (1)  FROM ONE HEALTH CARE PROVIDER TO A SINGLE HEALTH CARE PROVIDER AS
 PART OF A REFERRAL, PRESCRIPTION, OR CONSULTATION;
   (2) AS NECESSARY FOR THE PAYMENT OF A HEALTH CARE CLAIM;
   (3) AMONG AFFILIATES OF A SINGLE HEALTH CARE PROVIDER;
   (4) TO INDIVIDUALS AND ENTITIES UNDER CONTRACT  WITH  THE  ENTITY  WHO
 MEET  THE DEFINITION OF A "BUSINESS ASSOCIATE" UNDER HIPAA AND WHO PROC-
 ESS PATIENT INFORMATION ONLY AS DIRECTED BY A HEALTH CARE  PROVIDER  AND
 DO NOT DISCLOSE PATIENT INFORMATION; OR
   (5)  AS  NECESSARY  TO OPERATE CLINICAL DATA REGISTRIES, PROVIDE ORGAN
 DONATION COORDINATION SERVICES AND  OTHER  SIMILAR  SERVICES  AS  DEEMED
 APPROPRIATE BY THE DEPARTMENT IN REGULATION;
   (III)  A  HEALTH  INSURER  OR  A HEALTH MAINTENANCE ORGANIZATION, WHEN
 ACTING AS A HEALTH INSURER, TO THE EXTENT IT EXCHANGES PATIENT  INFORMA-
 TION VIA HIPAA STANDARD TRANSACTIONS; AND
   (IV)  AN ENTITY THAT MAKES PATIENT INFORMATION AVAILABLE SOLELY TO AND
 BETWEEN HEALTH INFORMATION NETWORKS AND HAS NO ABILITY TO ACCESS,  MODI-
 FY,  OR FURTHER DISCLOSE PATIENT INFORMATION, INCLUDING, BUT NOT LIMITED
 TO, THE RECOGNIZED COORDINATING ENTITY UNDER TEFCA.
   (G) "HIPAA" MEANS THE HEALTH INSURANCE PORTABILITY AND  ACCOUNTABILITY
 ACT  OF  1996  AND  ITS IMPLEMENTING REGULATIONS AT 45 C.F.R. PARTS 160,
 162, AND 164.
   (H) "NON-CODIFIED SENSITIVE  INFORMATION"  MEANS  PATIENT  INFORMATION
 THAT  CONTAINS OR REVEALS SENSITIVE INFORMATION, BUT THAT IS NOT ASSOCI-
 ATED WITH STANDARDIZED CODES AND SHALL INCLUDE, BUT IS  NOT  LIMITED  TO
 NOTES, VISIT SUMMARIES, LABORATORY RESULTS AND IMAGES.
   (I)  "PATIENT INFORMATION" SHALL HAVE THE SAME MEANING AS SET FORTH IN
 PARAGRAPH (E) OF SUBDIVISION ONE OF SECTION EIGHTEEN OF THIS CHAPTER.
   (J) "QUALIFIED PERSON" SHALL HAVE THE SAME MEANING  AS  SET  FORTH  IN
 PARAGRAPH (G) OF SUBDIVISION ONE OF SECTION EIGHTEEN OF THIS TITLE.
   (K) "SENSITIVE INFORMATION" MEANS PATIENT INFORMATION THAT CONTAINS OR
 REVEALS  REPRODUCTIVE  HEALTH  SERVICES  AS  DEFINED IN PARAGRAPH (A) OF
 SUBDIVISION ONE OF SECTION SIXTY-FIVE HUNDRED THIRTY-ONE-B OF THE EDUCA-
 TION LAW, GENDER-AFFIRMING CARE AS DEFINED IN PARAGRAPH (C) OF  SUBDIVI-
 A. 2613                             3
 
 SION  ONE  OF  SECTION  SIXTY-FIVE HUNDRED THIRTY-ONE-B OF THE EDUCATION
 LAW, CARE PROTECTED UNDER 42 CFR PART 2, DIAGNOSIS AND TREATMENT  FOR  A
 SEXUALLY  TRANSMITTED  INFECTION OR HIV, MENTAL HEALTH SERVICES, ALCOHOL
 OR  SUBSTANCE  USE  TREATMENT, AND ANY OTHER HEALTH CARE SERVICES DETER-
 MINED BY THE COMMISSIONER  THROUGH  REGULATIONS,  IN  CONSULTATION  WITH
 HEALTH  CARE  PROVIDERS,  PATIENT ADVOCATES, HEALTH INFORMATION NETWORKS
 AND OTHER RELEVANT STAKEHOLDERS.
   (L) "TEFCA" MEANS THE TRUSTED EXCHANGE FRAMEWORK AND COMMON  AGREEMENT
 AUTHORIZED BY THE 21ST CENTURY CURES ACT.
   2.  PATIENT  RIGHT  TO  RESTRICT  DISCLOSURES  BY  HEALTH  INFORMATION
 NETWORKS. WITHIN ONE HUNDRED EIGHTY DAYS FROM THE EFFECTIVE DATE OF THIS
 SECTION, THE DEPARTMENT SHALL ESTABLISH RULES AND REGULATIONS  REQUIRING
 ANY HEALTH INFORMATION NETWORK TO:
   (A)  PROVIDE  QUALIFIED  PERSONS WITH THE MEANS OF REQUESTING, WITHOUT
 UNDUE EFFORT, RESTRICTIONS ON DISCLOSURES OF  PATIENT  INFORMATION  FROM
 ALL HEALTH INFORMATION NETWORKS;
   (B)  SUBJECT  TO  ANY REGULATORY EXCEPTIONS ESTABLISHED BY THE DEPART-
 MENT, ABIDE BY THE TERMS OF A QUALIFIED PERSON'S  REQUESTED  RESTRICTION
 MADE UNDER PARAGRAPH (A) OF THIS SUBDIVISION; AND
   (C)  SUBJECT  TO  ANY REGULATORY EXCEPTIONS ESTABLISHED BY THE DEPART-
 MENT, PROVIDE OR  CAUSE  TO  BE  PROVIDED  TO  QUALIFIED  PERSONS,  UPON
 REQUEST, A REPORT OR NOTIFICATIONS DETAILING DISCLOSURES OF THE APPLICA-
 BLE  PATIENT'S  PATIENT INFORMATION BY OR THROUGH ALL HEALTH INFORMATION
 NETWORKS.
   3. ADDITIONAL PROTECTIONS FOR CODIFIED SENSITIVE INFORMATION BY HEALTH
 INFORMATION NETWORKS. (A) WITHIN ONE HUNDRED EIGHTY DAYS FROM THE EFFEC-
 TIVE DATE OF THIS SECTION, THE  DEPARTMENT  SHALL  ESTABLISH  RULES  AND
 REGULATIONS,  CONSISTENT  WITH  STATE  AND  FEDERAL LAW AND REGULATIONS,
 INCLUDING BUT NOT LIMITED TO ARTICLE THIRTY-THREE OF THE MENTAL  HYGIENE
 LAW AND SECTION TWENTY-SEVEN HUNDRED EIGHTY-TWO OF THIS CHAPTER, REQUIR-
 ING ANY HEALTH INFORMATION NETWORK TO:
   (I) DEVELOP THE CAPACITY TO LIMIT THE DISCLOSURE OF CODIFIED SENSITIVE
 INFORMATION  WHILE  ALLOWING  FOR  THE  DISCLOSURE  OF A PATIENT'S OTHER
 HEALTH INFORMATION;
   (II) WHEN DIRECTED BY A QUALIFIED PERSON, LIMIT USER ACCESS PRIVILEGES
 TO CODIFIED SENSITIVE INFORMATION TO ONLY THOSE HIPAA  COVERED  ENTITIES
 WHOM  THE  QUALIFIED  PERSON  HAS  SPECIFICALLY AUTHORIZED TO ACCESS THE
 CODIFIED SENSITIVE INFORMATION;
   (III) PROVIDE THE ABILITY TO AUTOMATICALLY DISABLE ACCESS TO  CODIFIED
 SENSITIVE  INFORMATION  BY  AN  INDIVIDUAL OR ENTITY LOCATED OUTSIDE THE
 STATE OF NEW YORK AS DIRECTED BY A QUALIFIED PERSON; AND
   (IV) UNLESS OTHERWISE ORDERED BY A COURT  OF  COMPETENT  JURISDICTION,
 NOTIFY  THE  QUALIFIED  PERSON  AND THE PROVIDER WHO RENDERED THE HEALTH
 CARE DOCUMENTED IN THE CODIFIED SENSITIVE INFORMATION  AT  LEAST  THIRTY
 DAYS  PRIOR  TO COMPLYING WITH A CIVIL, CRIMINAL, OR REGULATORY INQUIRY,
 INVESTIGATION, SUBPOENA, OR SUMMONS FOR CODIFIED SENSITIVE INFORMATION.
   (B) SUCH RULES AND REGULATIONS SHALL ALSO:
   (I) ESTABLISH A LIST OF PROCEDURE CODES, DIAGNOSIS  CODES,  MEDICATION
 CODES,  AND  OTHER  APPROPRIATE CODES THAT CONSTITUTE CODIFIED SENSITIVE
 INFORMATION;
   (II) SET FORTH EXCEPTIONS TO THE REQUIREMENT TO BLOCK  THE  DISCLOSURE
 OF  CODIFIED  SENSITIVE INFORMATION AS REQUIRED BY PARAGRAPH (A) OF THIS
 SUBDIVISION, INCLUDING FOR DISCLOSURES TO INDIVIDUALS AND ENTITIES UNDER
 CONTRACT WITH A HEALTH INFORMATION NETWORK WHO MEET THE DEFINITION OF  A
 "BUSINESS ASSOCIATE" UNDER HIPAA AND WHO DO NOT RE-DISCLOSE SUCH PATIENT
 INFORMATION; AND
 A. 2613                             4
 
   (III)  ESTABLISH  GUIDELINES  FOR THE AUTHORIZATION NECESSARY TO LIMIT
 DISCLOSURE OF CODIFIED SENSITIVE INFORMATION PURSUANT  TO  SUBPARAGRAPHS
 (II) AND (III) OF PARAGRAPH (A) OF THIS SUBDIVISION.
   4.  ADDITIONAL  PROTECTIONS  FOR  SENSITIVE  INFORMATION BY ELECTRONIC
 HEALTH RECORDS SYSTEMS. (A) WITHIN ONE HUNDRED EIGHTY DAYS OF THE EFFEC-
 TIVE DATE OF THIS SECTION, THE  DEPARTMENT  SHALL  ESTABLISH  RULES  AND
 REGULATIONS,  CONSISTENT  WITH  STATE  AND  FEDERAL LAW AND REGULATIONS,
 INCLUDING BUT NOT LIMITED TO ARTICLE THIRTY-THREE OF THE MENTAL  HYGIENE
 LAW AND SECTION TWENTY-SEVEN HUNDRED EIGHTY-TWO OF THIS CHAPTER, REQUIR-
 ING ANY ELECTRONIC HEALTH RECORDS SYSTEM TO:
   (I)  DEVELOP  THE CAPACITY TO PROVIDE QUALIFIED PERSONS WITH THE MEANS
 OF REQUESTING, WITHOUT UNDUE  EFFORT,  RESTRICTIONS  ON  DISCLOSURES  OF
 PATIENT INFORMATION;
   (II)  DEVELOP  THE CAPACITY TO LIMIT THE DISCLOSURE OF CODIFIED SENSI-
 TIVE INFORMATION WHILE ALLOWING FOR THE DISCLOSURE OF A PATIENT'S  OTHER
 HEALTH INFORMATION;
   (III)  WHEN  DIRECTED  BY A QUALIFIED PERSON, LIMIT USER ACCESS PRIVI-
 LEGES TO CODIFIED SENSITIVE INFORMATION  TO  ONLY  THOSE  HIPAA  COVERED
 ENTITIES WHOM THE QUALIFIED PERSON HAS SPECIFICALLY AUTHORIZED TO ACCESS
 THE SENSITIVE INFORMATION;
   (IV)  PROVIDE  THE ABILITY TO AUTOMATICALLY DISABLE ACCESS TO CODIFIED
 SENSITIVE INFORMATION BY AN INDIVIDUAL OR  ENTITY  LOCATED  OUTSIDE  THE
 STATE OF NEW YORK AS DIRECTED BY A QUALIFIED PERSON; AND
   (V)  UNLESS  OTHERWISE  ORDERED  BY A COURT OF COMPETENT JURISDICTION,
 NOTIFY THE QUALIFIED PERSON AND THE PROVIDER  WHO  RENDERED  THE  HEALTH
 CARE  DOCUMENTED  IN  THE CODIFIED SENSITIVE INFORMATION AT LEAST THIRTY
 DAYS PRIOR TO COMPLYING WITH A CIVIL, CRIMINAL, OR  REGULATORY  INQUIRY,
 INVESTIGATION, SUBPOENA, OR SUMMONS FOR CODIFIED SENSITIVE INFORMATION.
   (B) WITHIN ONE YEAR OF THE EFFECTIVE DATE OF THIS SECTION, THE DEPART-
 MENT  SHALL  ESTABLISH  RULES AND REGULATIONS, CONSISTENT WITH STATE AND
 FEDERAL LAW AND REGULATIONS, INCLUDING BUT NOT LIMITED TO ARTICLE  THIR-
 TY-THREE  OF  THE  MENTAL  HYGIENE  LAW AND SECTION TWENTY-SEVEN HUNDRED
 EIGHTY-TWO OF THIS CHAPTER,  REQUIRING  ANY  ELECTRONIC  HEALTH  RECORDS
 SYSTEM TO:
   (I)  DEVELOP  THE  CAPACITY  TO  LIMIT  THE DISCLOSURE OF NON-CODIFIED
 SENSITIVE INFORMATION WHILE ALLOWING FOR THE DISCLOSURE OF  A  PATIENT'S
 OTHER HEALTH INFORMATION;
   (II) WHEN DIRECTED BY A QUALIFIED PERSON, LIMIT USER ACCESS PRIVILEGES
 TO  NON-CODIFIED SENSITIVE INFORMATION TO ONLY THOSE HIPAA COVERED ENTI-
 TIES WHOM THE QUALIFIED PERSON HAS SPECIFICALLY AUTHORIZED TO ACCESS THE
 NON-CODIFIED SENSITIVE INFORMATION;
   (III) PROVIDE THE ABILITY TO AUTOMATICALLY DISABLE ACCESS TO NON-CODI-
 FIED SENSITIVE INFORMATION BY AN INDIVIDUAL OR  ENTITY  LOCATED  OUTSIDE
 THE STATE OF NEW YORK AS DIRECTED BY A QUALIFIED PERSON; AND
   (IV)  UNLESS  OTHERWISE  ORDERED BY A COURT OF COMPETENT JURISDICTION,
 NOTIFY THE QUALIFIED PERSON AND THE PROVIDER  WHO  RENDERED  THE  HEALTH
 CARE DOCUMENTED IN THE NON-CODIFIED SENSITIVE INFORMATION AT LEAST THIR-
 TY  DAYS  PRIOR  TO  COMPLYING  WITH  A  CIVIL,  CRIMINAL, OR REGULATORY
 INQUIRY, INVESTIGATION, SUBPOENA, OR SUMMONS FOR NON-CODIFIED  SENSITIVE
 INFORMATION.
   (C)  THE  RULES  AND REGULATIONS REQUIRED BY PARAGRAPHS (A) AND (B) OF
 THIS SUBDIVISION SHALL ALSO:
   (I) SET FORTH EXCEPTIONS TO THE REQUIREMENT TO BLOCK THE DISCLOSURE OF
 CODIFIED AND NON-CODIFIED SENSITIVE INFORMATION  AS  REQUIRED  BY  PARA-
 GRAPHS  (A)  AND  (B)  OF THIS SUBDIVISION, INCLUDING FOR DISCLOSURES TO
 INDIVIDUALS AND  ENTITIES  UNDER  CONTRACT  WITH  A  HEALTH  INFORMATION
 A. 2613                             5

 NETWORK  WHO  MEET  THE DEFINITION OF A "BUSINESS ASSOCIATE" UNDER HIPAA
 AND WHO DO NOT RE-DISCLOSE SUCH PATIENT INFORMATION; AND
   (II)  ESTABLISH  GUIDELINES  FOR  THE AUTHORIZATION NECESSARY TO LIMIT
 DISCLOSURE OF CODIFIED AND NON-CODIFIED SENSITIVE  INFORMATION  PURSUANT
 TO  SUBPARAGRAPHS (III) AND (IV) OF PARAGRAPH (A) AND SUBPARAGRAPHS (II)
 AND (III) OF PARAGRAPH (B) OF THIS SECTION.
   5. AUTHORIZATION. NOTWITHSTANDING SECTION EIGHTEEN OF THIS  TITLE  AND
 SUBDIVISION  TWENTY-THREE  OF  SECTION  SIXTY-FIVE HUNDRED THIRTY OF THE
 EDUCATION LAW, A HEALTH INFORMATION NETWORK THAT ABIDES BY  A  QUALIFIED
 PERSON'S  REQUEST TO LIMIT DISCLOSURE OF SENSITIVE INFORMATION SHALL NOT
 BE OTHERWISE REQUIRED TO OBTAIN  AUTHORIZATION  FOR  THE  DISCLOSURE  OF
 PATIENT INFORMATION, UNLESS AUTHORIZATION IS REQUIRED IN ACCORDANCE WITH
 SUBDIVISIONS  THREE  OR  FOUR OF THIS SECTION, ARTICLE TWENTY-SEVEN-F OF
 THIS CHAPTER, THE PROVISIONS OF SECTION SEVENTEEN OF THIS TITLE  RELATED
 TO  PROHIBITING THE RELEASE TO AN INFANT PATIENT'S PARENT OR GUARDIAN OF
 INFORMATION RELATED TO THE TREATMENT OF SUCH INFANT PATIENT FOR VENEREAL
 DISEASE OR THE PERFORMANCE OF AN ABORTION  OPERATION  UPON  SUCH  INFANT
 PATIENT, SECTION 33.13 OF THE MENTAL HYGIENE LAW, SECTION SEVENTY-NINE-L
 OF  THE  CIVIL  RIGHTS  LAW,  SECTION THREE HUNDRED NINETY-FOUR-E OF THE
 GENERAL BUSINESS LAW, 42 CFR PART 2, HIPAA, OR OTHER  RELEVANT  FEDERAL,
 STATE, OR LOCAL LAWS.
   §  26.  PRIVACY  OF PATIENT INFORMATION HELD BY HEALTH CARE PROVIDERS.
 1. DEFINITIONS. FOR PURPOSES OF THIS SECTION:
   (A) "DISCLOSURE" MEANS THE RELEASE, TRANSFER, PROVISION OF ACCESS  TO,
 OR DIVULGING IN ANY MANNER OF INFORMATION OUTSIDE THE ENTITY THAT DELIV-
 ERED  THE  HEALTH  CARE  AND THE PATIENT WHO RECEIVED THE CARE, AND SUCH
 TERM SHALL NOT INCLUDE ANY OF THE EXCEPTIONS SET FORTH IN THE DEFINITION
 OF "DISCLOSURE TO ANY OTHER PERSON"  AS  DEFINED  IN  PARAGRAPH  (E)  OF
 SUBDIVISION ONE OF SECTION EIGHTEEN OF THIS CHAPTER.
   (B) "HEALTH CARE PROVIDER" SHALL HAVE THE SAME MEANING AS SET FORTH IN
 PARAGRAPH (B) OF SUBDIVISION ONE OF SECTION EIGHTEEN OF THIS CHAPTER.
   (C)  "HIPAA" SHALL HAVE THE SAME MEANING AS SET FORTH IN PARAGRAPH (G)
 OF SUBDIVISION ONE OF SECTION TWENTY-FIVE OF THIS TITLE.
   (D) "PATIENT INFORMATION" SHALL HAVE THE SAME MEANING AS SET FORTH  IN
 PARAGRAPH (E) OF SUBDIVISION ONE OF SECTION EIGHTEEN OF THIS TITLE.
   (E)  "QUALIFIED  PERSON"  SHALL  HAVE THE SAME MEANING AS SET FORTH IN
 PARAGRAPH (G) OF SUBDIVISION ONE OF SECTION EIGHTEEN OF THIS TITLE.
   (F) "SENSITIVE INFORMATION" SHALL HAVE THE SAME MEANING AS  SET  FORTH
 IN  PARAGRAPH  (K)  OF  SUBDIVISION  ONE  OF SECTION TWENTY-FIVE OF THIS
 TITLE.
   2. PATIENT RIGHT TO RESTRICT DISCLOSURES  BY  HEALTH  CARE  PROVIDERS.
 (A)  WITHIN  ONE  HUNDRED  EIGHTY  DAYS  FROM THE EFFECTIVE DATE OF THIS
 SUBDIVISION, THE DEPARTMENT SHALL ESTABLISH RULES AND  REGULATIONS  THAT
 REQUIRE HEALTH CARE PROVIDERS TO TAKE REASONABLE STEPS TO:
   (I)   PROVIDE   QUALIFIED   PERSONS   WITH  THE  MEANS  OF  REQUESTING
 RESTRICTIONS ON DISCLOSURES OF PATIENT INFORMATION CONSISTENT  WITH  THE
 OBLIGATIONS IMPOSED BY SECTION TWENTY-FIVE OF THIS ARTICLE;
   (II)  NOTIFY  QUALIFIED PERSONS OF THEIR RIGHT TO RESTRICT THE DISCLO-
 SURE OF PATIENT INFORMATION;
   (III) SUBJECT TO ANY REGULATORY EXCEPTIONS ESTABLISHED BY THE  DEPART-
 MENT,  ABIDE BY THE TERMS OF A QUALIFIED PERSON'S REQUESTED RESTRICTION;
 AND
   (IV) UNLESS OTHERWISE ORDERED BY A COURT  OF  COMPETENT  JURISDICTION,
 NOTIFY THE QUALIFIED PERSON AT LEAST THIRTY DAYS PRIOR TO COMPLYING WITH
 A  CIVIL,  CRIMINAL,  OR REGULATORY INQUIRY, INVESTIGATION, SUBPOENA, OR
 SUMMONS FOR SENSITIVE INFORMATION.
 A. 2613                             6
 
   (B) THE DEPARTMENT'S RULES AND REGULATIONS SHALL SET FORTH  EXCEPTIONS
 TO A QUALIFIED PERSON'S RIGHT TO RESTRICT DISCLOSURES AND SHALL INCLUDE,
 AT A MINIMUM, EXCEPTIONS FOR:
   (I)  DISCLOSURES  TO PUBLIC HEALTH AUTHORITIES LOCATED IN THE STATE OF
 NEW YORK IN ACCORDANCE WITH NEW YORK LAW;
   (II) DISCLOSURES NECESSARY TO FACILITATE  PAYMENT  OF  A  HEALTH  CARE
 CLAIM;
   (III) DISCLOSURES NECESSARY TO ENSURE THAT A PROVIDER IS IN COMPLIANCE
 WITH  APPLICABLE  QUALITY OF CARE, LICENSURE OR ACCREDITATION STANDARDS;
 AND
   (IV) DISCLOSURES STRICTLY NECESSARY TO FILL A PRESCRIPTION OR  PROVIDE
 A SERVICE.
   (C)  THE  DEPARTMENT  SHALL ESTABLISH PHASE-IN PERIODS FOR HEALTH CARE
 PROVIDERS TO IMPLEMENT THE REQUIREMENTS OF THIS SUBDIVISION, TAKING INTO
 ACCOUNT THE TECHNICAL FEASIBILITY  OF  IMPLEMENTING  RESTRICTIONS  AMONG
 VARIOUS  SECTORS,  INCLUDING  (I)  SMALL HEALTH CARE PROVIDERS; AND (II)
 HEALTH CARE PROVIDERS IN SECTORS THAT DO NOT TYPICALLY UTILIZE CERTIFIED
 HEALTH INFORMATION TECHNOLOGY, AS WELL AS THE  TIME  IT  TAKES  FOR  THE
 HEALTH INFORMATION SYSTEMS OR ELECTRONIC HEALTH RECORD SYSTEMS TO DEVEL-
 OP AND IMPLEMENT THE CAPACITY TO SEGMENT HEALTH RECORDS.
   (D)  THE  DEPARTMENT  SHALL PROVIDE GUIDANCE TO HEALTH CARE PROVIDERS,
 INCLUDING MODEL NOTICES HEALTH CARE PROVIDERS MAY USE TO  NOTIFY  QUALI-
 FIED PERSONS TO PERMIT THEM TO EXERCISE THEIR RIGHTS UNDER THIS SUBDIVI-
 SION.    SUCH  GUIDANCE SHALL RECOMMEND MORE PROMINENT NOTICES AND MEANS
 FOR A QUALIFIED PERSON TO EXERCISE THEIR RIGHTS IN HEALTH CARE  SETTINGS
 WHERE SENSITIVE INFORMATION IS FREQUENTLY GENERATED AS PART OF PATIENTS'
 HEALTH CARE RECORDS.
   3.  AUTHORIZATION  FOR  A HEALTH CARE PROVIDER'S DISCLOSURE OF PATIENT
 INFORMATION. NOTWITHSTANDING SECTION EIGHTEEN OF THIS TITLE AND SUBDIVI-
 SION TWENTY-THREE OF SECTION SIXTY-FIVE HUNDRED THIRTY OF THE  EDUCATION
 LAW, IF A HEALTH CARE PROVIDER HAS PROVIDED ACTUAL NOTICE TO A QUALIFIED
 PERSON  OF SUCH PERSON'S RIGHT TO RESTRICT DISCLOSURES OF PATIENT INFOR-
 MATION IN ACCORDANCE WITH THE REQUIREMENTS OF SUBDIVISION  TWO  OF  THIS
 SECTION  AND  ABIDES BY A QUALIFIED PERSON'S REQUEST TO RESTRICT DISCLO-
 SURES, NO AUTHORIZATION SHALL BE REQUIRED FOR SUCH HEALTH CARE  PROVIDER
 TO  DISCLOSE  A PATIENT'S OTHER PATIENT INFORMATION UNLESS AUTHORIZATION
 IS REQUIRED BY THIS SECTION OR SECTION TWENTY-FIVE OF THIS TITLE,  ARTI-
 CLE  TWENTY-SEVEN-F OF THIS CHAPTER, THE PROVISIONS OF SECTION SEVENTEEN
 OF THIS TITLE RELATING TO PROHIBITING THE RELEASE TO AN INFANT PATIENT'S
 PARENT OR GUARDIAN OF INFORMATION  RELATED  TO  THE  TREATMENT  OF  SUCH
 INFANT  PATIENT  FOR  VENEREAL DISEASE OR THE PERFORMANCE OF AN ABORTION
 OPERATION UPON SUCH INFANT PATIENT, SECTION 33.13 OF THE MENTAL  HYGIENE
 LAW,  SECTION  SEVENTY-NINE-L  OF  THE  CIVIL  RIGHTS LAW, SECTION THREE
 HUNDRED NINETY-FOUR-E OF THE GENERAL BUSINESS LAW, 42 CFR PART 2, HIPAA,
 OR OTHER RELEVANT FEDERAL, STATE, OR LOCAL LAWS.
   4. AUTHORIZATION FOR A HEALTH  CARE  PROVIDER'S  REQUEST  FOR  PATIENT
 INFORMATION. NOTWITHSTANDING SECTION EIGHTEEN OF THIS TITLE AND SUBDIVI-
 SION  TWENTY-THREE OF SECTION SIXTY-FIVE HUNDRED THIRTY OF THE EDUCATION
 LAW, IF A HEALTH CARE  PROVIDER  PROVIDES  ACTUAL  NOTICE  TO  QUALIFIED
 PERSONS  THAT  IT  MAKES  ROUTINE  REQUESTS FOR PATIENT INFORMATION FROM
 OTHER INDIVIDUALS OR ENTITIES, NO AUTHORIZATION  SHALL  BE  REQUIRED  TO
 MAKE  A REQUEST FOR PATIENT INFORMATION UNLESS AUTHORIZATION IS REQUIRED
 BY  THIS  SECTION  OR  SECTION  TWENTY-FIVE  OF  THIS   TITLE,   ARTICLE
 TWENTY-SEVEN-F  OF  THIS CHAPTER, THE PROVISIONS OF SECTION SEVENTEEN OF
 THIS TITLE RELATING TO PROHIBITING THE RELEASE TO  AN  INFANT  PATIENT'S
 PARENT  OR  GUARDIAN  OF  INFORMATION  RELATED  TO THE TREATMENT OF SUCH
 A. 2613                             7
 
 INFANT PATIENT FOR VENEREAL DISEASE OR THE PERFORMANCE  OF  AN  ABORTION
 OPERATION  UPON SUCH INFANT PATIENT, SECTION 33.13 OF THE MENTAL HYGIENE
 LAW, SECTION SEVENTY-NINE-L OF  THE  CIVIL  RIGHTS  LAW,  SECTION  THREE
 HUNDRED NINETY-FOUR-E OF THE GENERAL BUSINESS LAW, 42 CFR PART 2, HIPAA,
 OR OTHER RELEVANT FEDERAL, STATE, OR LOCAL LAWS.
   5.  DISCLOSURE  OF  DE-IDENTIFIED PATIENT INFORMATION. NOTHING IN THIS
 SECTION SHALL PROHIBIT A HEALTH CARE PROVIDER'S DISCLOSURE OF DE-IDENTI-
 FIED PATIENT INFORMATION  FOR  THE  PURPOSES  OF  QUALITY  ASSURANCE  OR
 IMPROVEMENT  ACTIVITIES,  CLINICAL  TRIALS  OR RESEARCH. FOR PURPOSES OF
 THIS SECTION, "DE-IDENTIFIED" MEANS THAT THE INFORMATION CANNOT IDENTIFY
 OR BE MADE TO IDENTIFY OR BE ASSOCIATED WITH  A  PARTICULAR  INDIVIDUAL,
 DIRECTLY  OR INDIRECTLY AND IS SUBJECT TO TECHNICAL SAFEGUARDS AND POLI-
 CIES AND  PROCEDURES  THAT  PREVENT  RE-IDENTIFICATION,  WHETHER  INTEN-
 TIONALLY OR UNINTENTIONALLY, OF ANY INDIVIDUAL.
   § 2. Severability. If any provision of this act, or any application of
 any provision of this act, is held to be invalid, or ruled to violate or
 be  inconsistent  with  any  applicable  federal law or regulation, that
 shall not affect the validity or effectiveness of any other provision of
 this act, or of any other application of any provision of this  act.  It
 is  hereby  declared  to  be the intent of the legislature that this act
 would have been enacted even if such invalid  provisions  had  not  been
 included herein.
   § 3. This act shall take effect immediately.

Comments

Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.

Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.

Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Assembly Bill A2613

Share this bill

Sponsored By

LUNSFORD