Section 2169 - Vaccine confidentiality1. As used in this section, unless context requires otherwise:(a) The term "consent" shall mean informed, affirmative, and voluntary authorization.(b) The term "de-identified" shall mean that the information cannot identify or be made to identify or be associated with a particular individual, directly or indirectly, and is subject to technical safeguards and policies and procedures that prevent re-identification, whether intentionally or unintentionally, of any individual.(c) The term "disclosure" shall mean release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.(d) The term "immigration authority" means any entity, officer, employee, or government employee or agent thereof charged with or engaged in enforcement of the federal Immigration and Nationality Act, including the United States Immigration and Customs Enforcement, United States Department of Homeland Security, or United States Customs and Border Protection, or agent, contractor, or employee thereof, or any successor legislation or entity.(e) The term "law enforcement agent or entity" means any governmental entity or public servant, or agent, contractor or employee thereof, authorized to investigate, prosecute, or make an arrest for a criminal or civil offense, or engaged in any such activity, but shall not mean the department, the commissioner, a health district, a county department of health, a county health commissioner, a local board of health, a local health officer, the department of health and mental hygiene of the city of New York, or the commissioner of the department of health and mental hygiene of the city of New York.(f) The term "personal information" shall mean information obtained from or about an individual, in connection with their registering for a vaccination, that directly or indirectly identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to a particular individual, household, or personal device. Information is reasonably linkable to an individual, household, or personal device if it can be used on its own or in combination with other reasonably available information, when such information is held by the vaccine navigator, to identify an individual, household, or a personal device.(g) The term "service attendant to the delivery of immunization" shall mean facilitating an immunization appointment, sending reminders about immunization, arranging transportation to or from a vaccine provider, or reporting to the department, the New York City department of health and mental hygiene, or other local health agency on whose behalf such vaccine navigator is performing such services.
(h) The term "use" shall mean, with respect to personal information, the sharing, employment, application, utilization, examination or analysis of such information within an entity that maintains such information.(i) The term "vaccine navigator" shall mean any person that collects personal information from an individual in order to register that individual for immunization or to help that individual register for immunization, provided the department, a local public health agency, or a person that administers vaccines or their designees are not vaccine navigators .2.(a) Except as provided in paragraph (d) of this subdivision, absent consent from the individual seeking immunization, or if the individual lacks the capacity to make health care decisions, an individual authorized to consent to health care for the individual or the individual's legal representative, a vaccine navigator shall not use, disclose, or maintain personal information except as necessary to provide services attendant to the delivery of immunization.(b) A vaccine navigator may request consent from an individual, or if the individual lacks the capacity to make health care decisions, an individual authorized to consent to health care for the individual or the individual's legal representative, to use, disclose, or maintain the individual's personal information for purposes other than services attendant to the delivery of immunization provided that: (i) a vaccine navigator shall not refuse to provide a service attendant to the delivery of immunization for an individual who does not provide such consent;(ii) a vaccine navigator shall not relate the price or quality of any service attendant to the delivery of immunization to the privacy protections afforded the individual, including by providing a discount or other incentive in exchange for such consent, provided that this paragraph does not prohibit the offering of incentives to individuals to get vaccinated; provided that such incentives shall not be conditioned on an individual's consent to additional uses, disclosures, or maintenance of their personal information except as necessary to provide the incentive; and(iii) a vaccine navigator shall clearly delineate what personal information is adequate, relevant, and necessary to provide a service attendant to the delivery of immunization by clearly and conspicuously indicating in any solicitation for the information that all other requests for personal information are optional.(c) Except as provided in paragraph (d) of this subdivision:(i) No vaccine navigator may provide personal information or otherwise make personal information accessible, directly or indirectly, to a law enforcement agent or entity or immigration authority;(ii) No vaccine navigator may provide personal information or otherwise make personal information accessible, directly or indirectly, to any other individual or entity, except as explicitly authorized by this title; and(iii) Without consent under this subdivision, personal information and any evidence derived therefrom shall not be subject to or provided in response to any legal process or be admissible for any purpose in any judicial or administrative action or proceeding unless provided in response pursuant to warrants, court-ordered subpoenas, administrative subpoenas, or grand jury subpoenas. (d)(i) This section does not bar otherwise lawful disclosure, possession or use of information pertaining to services attendant to the delivery of immunization, including aggregate information, that is de-identified. Disclosure, possession or use under this subparagraph shall only be for a public health or public health research purposes.(ii) A vaccine navigator may only possess or use de-identified information pertaining to services attendant to the delivery of immunization if the vaccine navigator maintains technical safeguards and policies and procedures that prevent re-identification, whether intentional or unintentional, of any individual, as may be required by the commissioner (or the New York city commissioner of health and mental hygiene, in the case of information collected by or under authority of the New York city department of health and mental hygiene. The commissioner (or the New York city commissioner as the case may be) shall require safeguards, policies and procedures under this paragraph as the commissioner deems practicable. (iii) Disclosure, possession and use of de-identified information under this subdivision shall be only pursuant to approval by the commissioner (or the New York city commissioner of health and mental hygiene in the case of information collected by or under authority of the New York city department of health and mental hygiene) specifying the purpose, nature and scope of the disclosure, possession and use and measures to ensure that it will comply with this section and the terms of the approval.(e) A vaccine navigator that maintains personal information shall establish appropriate administrative, technical, and physical safeguards, policies, and procedures that ensure the security of that personal information. The safeguards, policies, and procedures must be appropriate to the volume and nature of the personal information maintained and the size, revenue, and sophistication of the vaccine navigator and must ensure that personal information is encrypted and protected at least as much as or more than other confidential information in the vaccine navigator's possession. The commissioner or, in the city of New York, the commissioner of the department of health and mental hygiene may make regulations as reasonably necessary to require that personal information possessed, used, or under the control of a vaccine navigator shall be subject to technical safeguards, policies, and procedures for storage, transmission, use, and protection of the information.
The regulations must take into account the different sizes, revenues and sophistications of different vaccine navigators, as well as the volume and nature of the personal information they maintain.
(f) Nothing in this section shall limit a vaccine navigator that has a pre-existing service provider-client, provider-patient, or familial relationship or a friendship with an individual from processing that individual's personal information as previously agreed to in the course of the pre-existing relationship.3. Vaccine providers. A vaccine provider shall not delay or condition the provision of any service attendant to the delivery of immunization by inviting or requiring an individual seeking vaccination to complete an application for a customer discount card or account or share personal information that will be stored outside of a record protected under the federal Health Insurance Portability and Accountability Act of 1996, its implementing regulations, or section eighteen of this chapter for purposes other than services attendant to the delivery of immunization, or by engaging in any other activity unrelated to the provision of such a service that the commissioner designates by regulation.N.Y. Pub. Health Law § 2169
Amended by New York Laws 2023, ch. 109,Sec. 3, eff. 12/30/2022.Added by New York Laws 2022, ch. 829,Sec. 6, eff. 12/30/2022.