Bill Text: NY A10704 | 2019-2020 | General Assembly | Introduced
Bill Title: Creates privacy standards for electronic health products and services; requires consent to be given for the collection and/or sharing of personal health information or other personal data.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Introduced - Dead) 2020-07-01 - referred to consumer affairs and protection
STATE OF NEW YORK

10704

IN ASSEMBLY

July 1, 2020

Introduced by COMMITTEE ON RULES -- (at request of M. of A. L. Rosenthal) -- read once and referred to the Committee on Consumer Affairs and Protection

AN ACT to amend the general business law, in relation to electronic health products and services

The People of the State of New York, represented in Senate and Assembly, do enact as follows:

Section 1. The general business law is amended by adding a new article 42 to read as follows:

ARTICLE 42
ELECTRONIC HEALTH PRODUCTS AND SERVICES

Section 1100. Definitions.
        1101. Electronic health products and services; privacy.

§ 1100. Definitions. For the purposes of this article, the following terms shall have the following meanings:

1. "Deactivation" means a user's deletion, removal, or other action made to terminate his or her use of an electronic health product or service.

2. "Electronic health product or service" means any software or hardware, including a mobile application, website, or other related product or service, that is designed to maintain personal health information, in order to make such personal health information available to a user or to a health care provider at the request of such user or health care provider, for the purposes of allowing such user to manage his or her information, or for the diagnosis, treatment, or management of a medical condition.

3. "Health care provider" means:

(a) a hospital as defined in article twenty-eight of the public health law, a home care services agency as defined in article thirty-six of the public health law, a hospice as defined in article forty of the public health law, a health maintenance organization as defined in article forty-four of the public health law, or a shared health facility as defined in article forty-seven of the public health law; or

(b) a person licensed under article one hundred thirty-one, one hundred thirty-one-B, one hundred thirty-two, one hundred thirty-three, one hundred thirty-six, one hundred thirty-nine, one hundred forty-one, one hundred forty-three, one hundred forty-four, one hundred fifty-three, one hundred fifty-four, one hundred fifty-six or one hundred fifty-nine of the education law.

4. "Personal health information" means any individually identifiable information about an individual's mental or physical condition provided by such individual, or otherwise gained from monitoring such individual's mental or physical condition.

5. "Other personal data" means any individually identifiable information about an individual provided by such individual, or otherwise gained from monitoring such individual, other than personal health information.

6. "User" means an individual who has downloaded or uses an electronic health product or service.

§ 1101. Electronic health products and services; privacy.

1. Any entity that offers an electronic health product or service, shall obtain consent from a user before collecting any personal health information or any other personal data from such user.

2. In order to obtain consent in compliance with subdivision one of this section, an entity offering an electronic health product or service shall:

(a) disclose to the user all personal health information or other personal data such electronic health product or service will collect from the user upon obtaining consent;

(b) disclose to the user any third party with whom such user's personal health information or other personal data may be shared by the electronic health product or service upon obtaining consent;

(c) disclose to the user the purpose for collecting any personal health information or other personal data; and

(d) allow the user to withdraw consent at any time.

3. No electronic health product or service shall collect any personal health information or other personal data beyond which a user has specifically consented to share with such electronic health product or service under subdivision one of this section.

4. An electronic health product or service shall delete or otherwise destroy any personal health information or other personal data collected from a user immediately upon such user's request, withdrawal of consent; or upon such user's deactivation of his or her account.

§ 2. This act shall take effect on the sixtieth day after it shall have become a law.

EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted.
LBD16757-01-0