Bill Text: NY S00336 | 2021-2022 | General Assembly | Introduced


Bill Title: Establishes the wellness program privacy act; requires employers and insurers to take certain measures to protect the security of wellness program participants' private information.

Spectrum: Partisan Bill (Democrat 1-0)

Status: (Introduced - Dead) 2022-01-05 - REFERRED TO INSURANCE



                STATE OF NEW YORK
        ________________________________________________________________________

                                           336

                               2021-2022 Regular Sessions

                    IN SENATE

                                       (Prefiled)

                                     January 6, 2021
                                       ___________

        Introduced  by  Sen.  THOMAS -- read twice and ordered printed, and when
          printed to be committed to the Committee on Insurance

        AN ACT to amend the insurance law, in relation to the  establishment  of
          the "Wellness Program Privacy Act"

          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:

     1    Section 1. This act shall be known and may be cited as  the  "Wellness
     2  Program Privacy Act".
     3    §  2.  The  insurance law is amended by adding a new section 3239-a to
     4  read as follows:
     5    § 3239-a. Wellness program privacy. (a) Definitions. For  purposes  of
     6  this section:
     7    (1) "Employer" means:
     8    (i)  any  person who directly employs fifty or more persons to perform
     9  services for a wage or salary; or
    10    (ii) the state and any political or civil subdivision of the state, or
    11  any county or city or other municipality.
    12    (2) "Collects," "collected," or "collection"  means  buying,  renting,
    13  gathering,  obtaining,  receiving, or accessing any personal information
    14  or protected health information pertaining to a consumer by  any  means.
    15  This  includes receiving information from such consumer, either actively
    16  or passively, or by observing such consumer's behavior.
    17    (3) "Administration and operation of a wellness program" means, but is
    18  not limited to, the use of personal information when  reasonably  neces-
    19  sary and proportionate to achieve one of the following purposes:
    20    (i)  detecting  and  responding  to  security incidents arising from a
    21  wellness program and protecting against  malicious,  deceptive,  fraudu-
    22  lent, or illegal activity related to a wellness program;
    23    (ii)  executing functions of a wellness program for the benefit of the
    24  insured;

         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD00553-01-1

        S. 336                              2

     1    (iii) undertaking internal research for technological development  and
     2  demonstration related to a wellness program; or
     3    (iv) undertaking activities to verify or maintain the quality or safe-
     4  ty  of  a  service or device that is owned by, manufactured by, manufac-
     5  tured for, or controlled by the insurer,  or  to  improve,  upgrade,  or
     6  enhance  the  service or device that is owned by, manufactured by, manu-
     7  factured for, or  controlled  by  the  insurer  related  to  a  wellness
     8  program.
     9    (4)  "Personal information" means information that identifies or could
    10  reasonably be linked, directly or indirectly, with a particular  consum-
    11  er,  household,  or  consumer  device.  "Personal information" shall not
    12  include publicly available information.
    13    (5) "Publicly available"  means  information  that  is  lawfully  made
    14  available  from  federal,  state,  or  local  government records, if any
    15  conditions associated with such information. "Publicly available"  shall
    16  not mean information collected by an employer or insurer about an enrol-
    17  lee  without  the  enrollee's knowledge. "Personal information" does not
    18  include enrollee information that is de-identified or aggregate enrollee
    19  information.
    20    (6) "Retaliatory" or "adverse action" in the context  of  an  employer
    21  offering  a  wellness  program to its employees shall include: denial of
    22  coverage, termination  of  employment,  requiring  one  hundred  percent
    23  payment  of medical care premiums when an employer pays a portion of the
    24  premium for wellness program participants, or reducing contributions  to
    25  participants' health savings accounts.
    26    (7)  "Retaliatory"  or  "adverse  action" in the context of an insurer
    27  offering a wellness program shall include: denial  of  coverage,  termi-
    28  nation  of  coverage  based  on  non-participation or failure to achieve
    29  wellness targets, or adjustments to insurance premiums.
    30    (b) Fair collection and use of personal information. (1)  Any  insurer
    31  or  employer  that  collects  a  wellness program participant's personal
    32  information in the administration and operation of  a  wellness  program
    33  shall  limit  its  collection to what is reasonably necessary to operate
    34  the wellness program in which a consumer is enrolled.
    35    (2) Any insurer or employer that collects a wellness  program  partic-
    36  ipant's  personal  information  in the administration and operation of a
    37  wellness program shall limit its use and retention of personal  informa-
    38  tion to what is reasonably necessary to administer and operate the well-
    39  ness program in which a consumer is enrolled and for related administra-
    40  tive and operational purposes.
    41    (3) No insurer or employer shall share with third parties any personal
    42  information or data collected through a wellness program.
    43    (4)  Following  the  close of a wellness program, an employee's termi-
    44  nation, or the end of an enrollee's  term  of  insurance,  any  personal
    45  information or data shall be deleted or de-identified.
    46    (5)  Wellness  program  participants  shall have the right to obtain a
    47  copy of their wellness program data, and shall have the right  to  chal-
    48  lenge  the  completeness  and accuracy of any data the program has about
    49  them.
    50    (6) The requirements described in this subdivision shall apply, to the
    51  extent that they are applicable,  to  any  entity  that  an  insurer  or
    52  employer  contracts  with  for  purposes of administering or operating a
    53  wellness program on such insurer or employer's behalf.
    54    (c) Transparency. Any insurer or an employer that collects a  wellness
    55  program  participant's  personal  information  in the administration and

        S. 336                              3

     1  operation of a wellness program shall provide such  participant  with  a
     2  written explanation of:
     3    (1) all data collected in the program;
     4    (2)  practices related to data sharing, including who will have access
     5  to such data; and
     6    (3) the wellness program enrollee's  rights  concerning  the  wellness
     7  program under federal and state laws, rules, and regulations.
     8    (d)  Prohibition  of  discrimination  based  on participation. (1) Any
     9  employer that offers a wellness program to its employees, or any insurer
    10  that offers a wellness program to enrollees, shall not engage in retali-
    11  atory or adverse action against individuals who do  not  participate  in
    12  wellness programs.
    13    (2)  The  total  amount  of  all  wellness program incentives shall be
    14  limited to an amount deemed by the superintendent not to be coercive.
    15    (e) Enforcement and enrollee private right of action. (1) Any consumer
    16  who has suffered from a violation of this  section  by  an  employer  or
    17  insurer  may  bring  a  lawsuit  against  such  employer  or  insurer. A
    18  violation of this section shall be deemed to  constitute  an  injury  in
    19  fact  to  the  consumer  who  has  suffered from such violation, and the
    20  consumer need not suffer a loss of money or property as a result of  the
    21  violation in order to bring an action for a violation of this section.
    22    (2) A consumer who prevails in such a lawsuit shall obtain the follow-
    23  ing remedies:
    24    (i) damages in an amount not greater than the increased health or life
    25  insurance  premium  cost  due  to penalties or lost incentives, or seven
    26  hundred fifty dollars per consumer  per  incident,  or  actual  damages,
    27  whichever is greater;
    28    (ii) injunctive or declaratory relief, as the court deems proper;
    29    (iii) reasonable attorneys' fees and costs; and
    30    (iv) any other relief the court deems proper.
    31    (3)  In  assessing  the  amount  of statutory damages, the court shall
    32  consider any one or more of the relevant circumstances presented by  any
    33  of  the  parties  to the case, including, but not limited to, the nature
    34  and seriousness  of  the  misconduct,  the  number  of  violations,  the
    35  persistence of the misconduct, the length of time over which the miscon-
    36  duct  occurred,  the  willfulness of the defendant's misconduct, and the
    37  defendant's assets, liabilities, and net worth.
    38    (4) A consumer bringing an action shall notify  the  attorney  general
    39  within thirty days that the action has been filed.
    40    (5)  The attorney general may bring a civil action, in the name of the
    41  people of the state, against any employer or  insurer  in  violation  of
    42  this section.
    43    (6) The department may pursue enforcement action against health insur-
    44  ers, health plans, or life insurers in violation of this section.
    45    (7)  Any  employer or insurer that violates this section may be liable
    46  for a civil penalty of up to seven thousand  five  hundred  dollars  for
    47  each  intentional violation, and up to two thousand five hundred dollars
    48  for each unintentional violation.
    49    § 3. This act shall take effect immediately.