BILL NUMBER: S158E
SPONSOR: KRUEGER
 
TITLE OF BILL:
An act to amend the general business law, in relation to providing for
the protection of health information
 
PURPOSE OR GENERAL IDEA OF BILL:
This bill would govern companies that collect and sell healthcare infor-
mation and provides additional rights and protections to users related
to the sale and of their private health information.
 
SUMMARY OF SPECIFIC PROVISIONS:
Section one amends the general business law by adding a new article 42.
Section two provides a severatility clause. Section three establishes
the effective date.
 
JUSTIFICATION:
Most residents of the State are under the impression that HIPAA protects
them and their health data from being accessed by third parties and sold
by and to other organizations. Residents are generally unaware that
their technology is constantly tracking their movements, and geolocation
data is being sold to companies for the purposes of targeted advertise-
ments or tracking. Most users also do not have an understanding of how
much information is being collected, stored, and sold for the benefit of
third parties. For example, a mobile app to track menstruation cycles
was recently caught selling users' data to antiabortion advocacy organ-
izations.
This bill creates a legal framework for residents to reclaim and retain
control of their healthcare information. Electronic apps or websites,
that are designed to provide a diagnosis or retain health information
will be required to receive affirmative consent by the user to retain
such information and would provide users the ability to rescind such
consent. The bill also provides a legal remedy for those whose data was
improperly collected or used.
 
PRIOR LEGISLATIVE HISTORY:
New bill.
 
FISCAL IMPLICATIONS:
None to the State.
 
EFFECTIVE DATE:
One year.