N.Y. Gen. Bus. Law § 394-H

Current through 2024 NY Law Chapter 456
Section 394-H - Electronic health information protections
1. For the purposes of this section, the following terms shall have the following meanings:
a. Electronic health information. The term "electronic health information" means any information in any electronic format or media that relates to an individual or a device that is reasonably linkable to an individual or individuals in connection with any past, present, or future disability, physical health condition, or mental health condition; the search for or attempt to obtain health care services; any past, present, or future treatment or other health care services for a disability, physical health condition, or mental health condition; location information associated with a health care facility; or the past, present, or future payment for health care services. For the avoidance of doubt, any inference drawn or data derived about an individual or a device that is reasonably linkable to an individual or individuals that relates to any of these topics in any electronic format or media is considered electronic health information. Electronic health information does not include deidentified information.
b. Law enforcement agency. The term "law enforcement agency" shall have the same meaning as in subdivision four of section 705.00 of the criminal procedure law.
c. Law enforcement officer. The term "law enforcement officer" means a police officer or peace officer as defined in section 1.20 of the criminal procedure law.
2. Prohibition on access to electronic health information. Notwithstanding any other law, law enforcement agencies and law enforcement officers shall be prohibited from purchasing or obtaining electronic health information without a warrant.
3. Exemptions. Nothing in this article shall apply to:
a. Information processed by local, state, and federal governments, and municipal corporations;
b. Protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5);
c. Any covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the covered entity maintains patient information in the same manner as protected health information as described in paragraph b of this subdivision;
d. Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration;
e. Information processed pursuant to the federal Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g) and its implementing regulations;
f. Information processed pursuant to section two-d of the education law; and
g. Information processed pursuant to the federal Driver's Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq).

Added by New York Laws 2023, ch. 57, Sec. U-3, eff. 7/2/2023.