A7185 Luster (MS)
No Same as
Public Health Law
TITLE....Enacts the health information privacy act to designate health information on individual persons as confidential and limit disclosure thereof
| | | |
| 03/14/01 | referred to health |
| 01/09/02 | referred to health |
LUSTER, GOTTFRIED, GRANNIS, HOOPER, JOHN, SIDIKMAN, MATUSOW, TONKO; M-S: Brodsky, Cahill, Christensen, A. Cohen, Cook, Davis, Jacobs, Markey, McEneny, Millman, Ortiz, Perry, Seddio, Sweeney, Towns
Add Art 10 SS1000 - 1013, Pub Health L; amd S215, CPLR
Enacts the "health information privacy act" which provides that health care
information on identifiable persons is to be kept confidential and secured in
an appropriate manner; requires maintenance of records of the disclose of such
information by the holders thereof; requires the informed consent of the
person to whom the information relates for the disclosure of health
information in most cases; requires court to review the disclosure of such
information for purposes of civil or criminal litigation; establishes civil
remedies for violation of such provisions and makes the intentional or knowing
violation thereof a misdemeanor punishable by a fine of up to $5,000,
imprisonment of up to 1 year, or both such fine and imprisonment.
CRIMINAL SANCTION IMPACT.
RETRIEVE BILL
STATE OF NEW YORK
________________________________________________________________________
7185
2001-2002 Regular Sessions
IN ASSEMBLY
March 14, 2001
___________
Introduced by M. of A. LUSTER, GOTTFRIED, GRANNIS, VANN, HOOPER, JOHN,
SIDIKMAN, MATUSOW, TONKO -- Multi-Sponsored by -- M. of A. BRODSKY,
CAHILL, CHRISTENSEN, A. COHEN, COOK, DAVIS, JACOBS, MARKEY, McENENY,
MILLMAN, ORTIZ, PERRY, RHODD-CUMMINGS, SEDDIO, SWEENEY, TOWNS -- read
once and referred to the Committee on Health
AN ACT to enact the "health information privacy act"; and to amend the
public health law and the civil practice law and rules, in relation to
regulating the disclosure of health information of individuals
The People of the State of New York, represented in Senate and Assem-
bly, do enact as follows:
1 Section 1. Short title. This act shall be known and may be cited as
2 the "health information privacy act".
3 § 2. The public health law is amended by adding a new article 10 to
4 read as follows:
5 ARTICLE 10
6 HEALTH INFORMATION PRIVACY
7 Section 1000. Legislative intent.
8 1001. Definitions.
9 1002. Application.
10 1003. Duty to maintain the confidentiality of health informa-
11 tion.
12 1004. Disclosure.
13 1005. Notice upon disclosure.
14 1006. Record of disclosures.
15 1007. Disclosure without informed consent.
16 1008. Informed consent.
17 1009. Disclosure for criminal or civil litigation.
18 1010. Criminal penalties.
19 1011. Civil remedy.
20 1012. Immunity.
21 1013. Severability.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD01480-01-1
A. 7185 2
1 § 1000. Legislative intent. The legislature hereby finds that all
2 persons have significant privacy interests with resect to their personal
3 health information. Such privacy interests justify regulation of the
4 uses and disclosures of such information, the individual's access to his
5 or her own health information, and means of assuring the security and
6 confidentiality of such information.
7 The legislature declares that the purposes of this article are to:
8 1. address the privacy and security issues arising from the
9 collection, maintenance, use, disclosure and storage of identifiable
10 health information;
11 2. protect individually identifiable health information against unau-
12 thorized uses and disclosures;
13 3. allow wide use and disclosure of non-identifiable public health
14 information because this does not implicate serious privacy and security
15 concerns at the individual level and greatly facilitates the accomplish-
16 ment of legitimate public health, medical and research objectives;
17 4. impose a general duty on persons possessing individually identifi-
18 able health records to ensure the confidentiality of such information;
19 5. require that uses of public health information be consistent with
20 legitimate public health purposes;
21 6. limit the disclosure of public health information to the least
22 intrusive extent possible to protect personal privacy;
23 7. require all disclosures of individually identifiable health infor-
24 mation to include language on the record being disclosed which describes
25 basic privacy protections to which the holder thereof shall adhere;
26 8. require records of disclosures of health information to be kept by
27 facilities disclosing such information;
28 9. authorize disclosures of identifiable health information without
29 informed consent to individuals to whom the information relates, public
30 health officials for legitimate public health objectives, for statis-
31 tical purposes, for research purposes provided there is a compelling
32 need for identifiable information, to appropriate federal agencies and
33 to medical personnel in the event of an emergency;
34 10. maintain the requirement to protect confidentiality of health
35 information on persons collecting or maintaining individually identifi-
36 able health information and subsequent holders, users or storers of such
37 information; and
38 11. establish criminal penalties and civil remedies to protect indi-
39 viduals who are harmed by willful and negligent violations of this arti-
40 cle.
41 § 1001. Definitions. As used in this article:
42 1. "Disclose", "disclosed" and "disclosure" shall mean the release,
43 transfer, dissemination or provision of access to or other communication
44 of all or any portion of health information by any means to another
45 person.
46 2. "Health information" shall mean any information which identifies or
47 can readily be associated with the identity of a person and relates to
48 the person's past, present or future physical or mental health status,
49 condition, treatment, service, products purchased or provision of care.
50 3. "Informed consent" shall mean a written and signed authorization
51 for disclosure of health information by the person to which such infor-
52 mation relates. Every such informed consent shall be dated and state the
53 person or persons to whom disclosure is authorized, the purpose of the
54 disclosure and the time period during which such authorization shall
55 remain in effect.
A. 7185 3
1 4. "Legitimate public health purpose" shall mean those population-
2 based activities or individual efforts primarily aimed at the prevention
3 of injury, disease or premature mortality, or the promotion of health in
4 the community, including (a) assessing the health needs and status of
5 the community through public health surveillance and epidemiological
6 research, (b) developing public health policy, (c) responding to public
7 health needs and emergencies, and (d) other activities or efforts
8 specifically authorized by federal or state law.
9 5. "Non-identifiable information" shall mean any health information
10 which does not identify nor can readily be associated with any specific
11 person through other information including names, social security
12 numbers, addresses, employers, medical providers, unique identifiers or
13 other facts, without the use of encryption, a code or key, or other
14 technological tool.
15 6. "Public health" shall mean population-based activities or individ-
16 ual efforts primarily aimed at the prevention of injury, disease or
17 premature mortality, or the promotion of health.
18 7. "Public health agency" shall mean any organization operated or
19 funded in whole or part by the state or any local government which
20 collects, maintains, uses or stores health information for public health
21 purposes. Such organizations shall include, but not be limited to,
22 public health offices established by state or local law, testing labora-
23 tories, testing facilities, treatment clinics, research facilities and
24 information storage facilities.
25 8. "Public health information" shall mean any health information that
26 is collected, maintained, used, disclosed or stored by any public health
27 agency, including information regarding whether the agency possesses
28 such information.
29 9. "Public health official" shall mean any officer, employee, contrac-
30 tor, intern, or volunteer of a public health agency with authorization
31 from the agency or pursuant to law to collect, maintain, use, disclose
32 or store public health information.
33 10. "Public information" shall mean information which is open to
34 inspection or review by the general public pursuant to article six of
35 the public officers law.
36 11. "Use" and "used" shall mean to employ or utilize all or any part
37 of health information by any means.
38 § 1002. Application. The provisions of this article shall apply to all
39 disclosures of health information, except disclosures of health informa-
40 tion which are otherwise subject to the provisions of this chapter or to
41 which any other provision of law applies.
42 § 1003. Duty to maintain the confidentiality of health information. 1.
43 Health information shall be collected, maintained, used and stored in a
44 manner which ensures the confidentiality and integrity of such informa-
45 tion.
46 2. Health information shall not be deemed to be public information and
47 shall not be disclosed, except as authorized by this article.
48 3. No provision of this article shall be deemed to limit the disclo-
49 sure of health information by the person to which such information
50 relates.
51 § 1004. Disclosure. Health information disclosed without informed
52 consent shall, whenever practicable, be disclosed in a non-identifiable
53 form. All disclosures of health information made in a non-identifiable
54 form shall be limited to the minimum amount which the person making the
55 disclosure reasonably believes is necessary to accomplish the purpose of
56 the disclosure.
A. 7185 4
1 § 1005. Notice upon disclosure. 1. Every disclosure of health informa-
2 tion made pursuant to this article shall include a statement of policy
3 on the disclosure of health information of the entity disclosing such
4 information. Such statement of policy shall include the following or
5 substantially similar language:
6 "Health information may contain information about a person or persons
7 which is highly sensitive and entitled to confidentiality and privacy
8 protection under federal and state laws. Various provisions of the laws
9 of this state may prohibit further disclosure of health information in
10 an identifiable form without the written and signed informed consent of
11 the person or persons to which such information relates. Unauthorized
12 disclosure could result in the imposition of criminal and civil liabil-
13 ity, including imprisonment, fines and monetary damages."
14 2. Upon the premises of any entity upon which health information is
15 disclosed or made accessible, there shall be conspicuously posted a
16 notice which shall include the following or substantially similar
17 language:
18 "Health information may contain information about a person or persons
19 which is highly sensitive and entitled to confidentiality and privacy
20 protection under federal and state laws. An "unauthorized disclosure" is
21 the disclosure of such information outside of these premises in an iden-
22 tifiable form without the written and signed informed consent of the
23 person or persons to which the information relates. Unauthorized disclo-
24 sure could result in the imposition of criminal and civil liability,
25 including imprisonment, fines and monetary damages."
26 § 1006. Record of disclosures. Every entity possessing health informa-
27 tion, shall upon disclosure thereof establish and maintain a record of
28 each such disclosure. Such record shall include, but need not be limited
29 to:
30 1. the name, address, title and institutional affiliation of any
31 person to whom health information is disclosed;
32 2. the date and purpose of the disclosure;
33 3. a brief description of the information disclosed; and
34 4. the legal authority for the disclosure.
35 § 1007. Disclosure without informed consent. No health information
36 shall be disclosed without the written and signed informed consent of
37 the person to which the information relates, unless such disclosure:
38 1. is made directly to the person to which the health information
39 relates;
40 2. is made to or between public health officials for the purpose of
41 facilitating or accomplishing a legitimate public health objective,
42 including:
43 (a) testing, screening, reporting, monitoring or surveillance of
44 infectious or contagious diseases or other reportable and non-reportable
45 conditions or behavioral risk factors as authorized by federal or state
46 law;
47 (b) investigations or interventions; and
48 (c) public health emergencies as determined by law;
49 3. is made in a non-identifiable form for statistical purposes;
50 4. is made for the purpose of public health, epidemiological, medical
51 or health services research and:
52 (a) such information is non-identifiable; or
53 (b) such disclosures are made pursuant to compelling need for iden-
54 tifiable information and assurances of protections through the execution
55 of a confidentiality agreement, after review by an institutional review
56 board. Every such agreement shall require any person receiving such
A. 7185 5
1 information to adhere to protections for the privacy and security of the
2 information equivalent to or greater than the protections required by
3 this article;
4 5. is made pursuant to any other provision of law; and
5 6. is made to a health care provider, to the extent necessary, in a
6 medical emergency to protect the health of the person to whom the infor-
7 mation relates.
8 § 1008. Informed consent. 1. Except as otherwise authorized by this
9 article, health information shall not be disclosed without informed
10 consent.
11 2. Informed consent may be revoked in writing at any time. Such revo-
12 cation shall not take effect until the person in receipt of the informed
13 consent has been provided notice of the revocation thereof.
14 3. Every informed consent which does not include a date of expiration
15 shall be deemed to expire six months after the execution thereof.
16 4. No person deemed by law to be incompetent shall be able to provide
17 informed consent. However, such person's parent, guardian or lawful
18 representative may grant such consent on such person's behalf.
19 § 1009. Disclosure for criminal or civil litigation. No health infor-
20 mation shall be disclosed or compelled to be disclosed pursuant to any
21 criminal, civil or administrative proceeding, except as follows:
22 1. A court may order the disclosure of such information upon a motion
23 showing:
24 (a) a compelling need for the disclosure for the adjudication of a
25 cause of action,
26 (b) there may exist a clear and imminent danger to the health of a
27 person as the result of contact with the person to which such informa-
28 tion relates,
29 (c) there exists a clear and imminent danger to the public health and
30 welfare, or
31 (d) the disclosure is otherwise authorized pursuant to this article.
32 2. Upon issuance of an order pursuant to subdivision one of this
33 section, the court shall also order that all health information
34 disclosed pursuant to such order be sealed and shall only be made avail-
35 able to the extent necessary for the conduct of the criminal or civil
36 proceedings, or as otherwise authorized by law.
37 3. (a) Every person about whom health information is sought pursuant
38 to this section and every person who possesses health information that
39 is sought pursuant to this section shall be notified of the motion for
40 disclosure of such information. Every such person shall have a right to
41 be heard by the court prior to the issuance of any order for the disclo-
42 sure of health information.
43 (b) However, an order of the disclosure of health information may be
44 issued without such notice and opportunity to be heard when the motion
45 for disclosure is submitted by a public health agency or public health
46 officer and states the need for immediate action to avert a clear and
47 imminent danger to the public health. In assessing whether there exists
48 a clear and immediate danger, the court shall weigh the need for disclo-
49 sure against (i) the privacy interests of the person to which the health
50 information relates and (ii) any legitimate public health purpose which
51 may be impaired by such disclosure. The court shall thereafter issue a
52 written findings of fact statement.
53 4. Every order directing the disclosure of health information shall:
54 (a) limit such disclosure to that information which is necessary for
55 the proceeding;
A. 7185 6
1 (b) limit such disclosure only to those persons who have a need for
2 the health information in the conduct of the proceedings and prohibits
3 disclosure to any other person;
4 (c) include any other restrictions which the court deems necessary to
5 prevent any unauthorized disclosure; and
6 (d) conform to the provisions of this article.
7 § 1010. Criminal penalties. Any person who intentionally or knowingly
8 violates the provisions of this article shall be guilty of a misdemeanor
9 which shall be punishable by a fine of not more than five thousand
10 dollars, or a term of imprisonment not to exceed one year, or both such
11 fine and imprisonment.
12 § 1011. Civil remedy. 1. Any person aggrieved by a violation of this
13 article or the attorney general may commence a civil course of action
14 for relief for such violation.
15 2. A court may order the following relief:
16 (a) injunction,
17 (b) compensatory damages,
18 (c) punitive damages, and
19 (d) attorney's fees and costs.
20 § 1012. Immunity. No person who is the parent or legal guardian of a
21 minor or incompetent shall be subject to the provisions of this article
22 as the result of the disclosure of health information relating to such
23 minor or incompetent.
24 § 1013. Severability. If any section of this article or part thereof
25 shall be adjudged by a court of competent jurisdiction to be invalid,
26 such judgement shall not affect, impair or invalidate the remainder of
27 this article, or any other section or part thereof.
28 § 3. Section 215 of the civil practice law and rules is amended by
29 adding a new subdivision 9 to read as follows:
30 9. an action to recover damages for a violation of health information
31 privacy under section one thousand twelve of the public health law.
32 § 4. This act shall take effect 180 days after it shall have become a
33 law.
NEW YORK STATE ASSEMBLY
MEMORANDUM IN SUPPORT OF LEGISLATION
submitted in accordance with Assembly Rule III, Sec 1(e)
RETRIEVE BILL
BILL NUMBER: A7185
SPONSOR: Luster (MS)
TITLE OF BILL: An act to enact the "health information privacy act";
and to amend the public health law and the civil practice law and rules,
in relation to regulating the disclosure of health information of indi-
viduals
PURPOSE OR GENERAL IDEA OF BILL: This bill will enhance protections
on the confidentiality of individual identifiable medical records.
SUMMARY OF SPECIFIC PROVISIONS: adds a new article 10 to the Public
Health Law.
JUSTIFICATION: In the age of computerization and HMOs, the confiden-
tiality of medical records has never been more urgent an issue. In 1997
testimony to the Senate Committee on Labor and Human Resources, the U.S.
Secretary of Health and Human Services testified that close to 75% of
citizens surveyed are concerned that computerized records will have a
negative effect on their privacy. The absence of comprehensive medical
records privacy laws make us vulnerable to life—destroying revelations
not only by health care professionals or insurers, but also by hospital
bill handlers, pharmaceutical benefit management companies and others.
This concern, in turn, has the potential to prevent people from disclos-
ing vital information to their doctors and getting needed treatment.
The Health Insurance Portability and Accountability Act of 1996 required
the federal government to legislate standards for the protection of
individually identifiable health information by August of 1999. Accord-
ingly, the Secretary of the U.S. Department of Health and Human Services
at that time proposed regulations which were eventually adopted based on
the five principles of 1) "boundaries" (limiting the purposes for which
the information may be used); 2) "Security" (requiring patient authori-
zation each time his/her information is used or given out); 3) "consumer
control" (giving the patient a way to find out what information is on
record about him/her and how it is used, and to correct it if inaccu-
rate); 4) "accountability" (implementing severe punishments for using
information improperly) and 5) "public responsibility" (allowing for the
use of information to promote public health, research, quality care and
the fight against health care fraud and abuse). However, the current
Secretary of Health and Human Services recently announced plans to
review the new federal health privacy regulations with any eye toward
delaying their implementation and/or weakening them.
New York State lacks a common law cause of action for invasion of priva-
cy. Sections 50 and 51 of the New York Civil Rights Law deal with the
use of pictures and names for commercial purposes, but do not address
other invasions of privacy with regard to medical records. While health
care practitioners are held to strict confidentiality standards, there
is no way to hold others accountable when they improperly obtain or make
improper use of medical records.
This bill, based largely on model state legislation by the Model State
Public Health Privacy project at Georgetown University Law Center, would
clearly set forth the manner in which we could prohibit the disclosure
of personally identifiable health information without express, written
consent of the patient. It would hold accountable any person who, having
legitimately obtained such information, discloses it to a second person
without informed consent of the patient. It would prohibit the use of
health information for personal or professional gain or commercial
purposes without the informed consent of the patient.
PRIOR LEGISLATIVE HISTORY: A.4473 of 1999 referred to health
FISCAL IMPLICATIONS: None.
EFFECTIVE DATE: Immediately.