BILL
SUBJECT
DATE
In its current form, the Business Council opposes S.158-E (Krueger) / A.4983-D (Rosenthal), which would enact the New York Health Information Privacy Act.
The Business Council has the unique perspective of advocating on behalf of New York State businesses that touch every sector of the economy. In that role we consider many voices in the business community and utilize that interaction to advocate for the best possible results for our members, and most of all, the State of New York. We support the underlying intent of this legislation and support the passage of reasonable consumer health data privacy laws that protect consumers in meaningful ways, but we firmly believe it must be done in a way that does not disrupt a businesses or providers ability to improve consumer access to services and products. This legislation misaligns New York with practices adopted by other states, conflicts with HIPAA, the FTC and other laws, and will confuse consumers from understanding how to protect their sensitive health information.
The adoption of a health data privacy bill should be composed with industry to ensure the most comprehensive and thoughtful outcome. Yet, this bill fails to incorporate industry stakeholders’ significant concerns and is rife with unintended consequences for businesses and consumers alike.
The broad definitions must be tightened to clarify the scope of the Act.
The intent of the Act is to protect the health data of New Yorkers. However, the definitions for “regulated health information” and “regulated entities” deviate from this intent. Additionally, the bill covers non-health information if health “might be inferred” and greatly exceeds personal health information protected by HIPAA. For example, companies will be forced to track data on everyday things, like hygiene products, simply because they have that information. The bill also applies to any consumer temporarily in New York and applies to residents of other states if any of the entity’s processing occurs in New York. By regulating the data of another state’s consumers, the bill is subjecting entities to conflicting state laws and regulations.
Key definitions within the proposed law are vague at best and fail to clearly delineate roles, specifically “regulated entity,” “third-party,” and “service provider.” Each of these roles should have clear definitions and direction about their place and purpose within the process. Further, the definition of “sale” does not align with other states. Under this bill’s definition of “sale,” hiring a service provider to process information is considered a sale of data, which would then require companies that do not sell data to say that they do.
The authorization requirements are operationally impossible for healthcare providers and will create a delay in services for all platforms, detrimentally impacting a consumer’s ability to receive, and an entity’s ability to provide, services.
Concerningly, this bill creates a 24-hour waiting period before providing authorization. This contradicts the bill’s intent to provide consumers with sufficient notice of a regulated entities’ data practices at the time they sign up for, or first use, a product or service. There is no state or federal law that requires consent to be garnered 24 hours after a consumer engages or that expires after 1 year. This is vastly different from when an individual visits a physician’s office and provides authorization at the time of service and will create a delay in services for consumers.
In doing so, New York State is creating a different standard for certain healthcare services, like telehealth (which the State has sought to expand access to in recent years), from that encountered in a doctor’s office. This departure contradicts the efforts that have been made in recent years to increase access to healthcare services, specifically, mental health services. A consumer/patient should not be told they have to wait 24-hours before being able to access telehealth mental health counseling services, but that will be the result under this legislation.
Further, while California is the only state to require efforts to inform other parties of deletion requests, no other state that has passed a privacy law since has included such requirement. This requirement would also be impossible for health care entities who have obligations to preserve records, particularly for patients in other states where this bill seeks to cover.
Requiring detailed authorization for all processing will cause fatigue and is in direct conflict with trusted frameworks.
This legislation imposes obligations and requirements that surpass and are inconsistent with HIPAA. In exceeding standards set out by HIPAA, the bill intentionally prohibits marketing activities that are allowed under HIPAA. For example, HIPAA allows an insurance company or pharmacy to send a consumer materials that inform them about services available without any special consent or authorizations. Under this bill, there will be no way for a regulated entity to make consumers (or patients) aware of their services, like mental health counseling, even when consistent with HIPAA. Also, by requiring consumers to provide authorization for every use (rather than being triggered only for sale), consumers may miss the signal when there is truly sensitive information being sold.
While the intent of the bill is to protect health data information of consumers, when combined with the detailed and multiple authorization processes, the structure of the bill requires regulated entities to collect more data than necessary to determine what is covered.
Bill limits a consumer’s ability to interface with products and services in the most meaningful way possible.
We also share the concerns of other stakeholders that require regulated entities to provide services to consumers when those consumers have opted out of providing an authorization for the use of their health data. This could severely limit a consumer’s ability to interact with a regulated entities’ platform, especially when that health data is critical to providing the service, and result in some features just not working.
Bill does not provide a carve-out for employer benefits and programs.
The bill has broader, unintended consequences for all New York employers. We believe that a carve-out or more explicit language is warranted so that employers can provide their employees with benefits and programs, without meeting the authorization requirements of this bill. For example, employers are involved with matters related to short-term disability, long-term disability, ADA accommodations, leave practices and wellness programs (smoking cessation, fitness, etc). In some instances, employees may voluntarily provide their employers with a doctor’s note pertaining to an illness or accommodation they require. The language of this bill is so broad that we believe the definitions of the bill may capture the day-to-day Human Resources operations. Businesses are heavily regulated by state and federal laws regarding the handling of employees’ sensitive health information.
It appears it is not the intent of the sponsor to capture employer benefits and programs within the parameters of this legislation (§1102 (1)(b)(ii)(B)), however, we believe that it is necessary for this to be made explicitly clear within the text of the bill.
Bill does not provide an exclusion for insurance underwriting practices and product development, and due to its overly broad definition of “regulated health information,” would include financial institutions regulated by The Gramm-Leach-Bliley Act and Fair Credit Reporting Act.
The HIPAA carve-out does not cover health information that insurers obtain during the life underwriting process. Further, under the requirements of the bill, it appears that insurers would be required to obtain affirmative consent to use health information for legitimate actuarial purposes and/or product development, which could hinder their ability to offer services to consumers. Insurance is heavily regulated in New York State by the Department of Financial Services and all data is processed in accordance with the state’s insurance privacy rules.
Further, the bill’s definition of “regulated health information” is overly broad and specifically includes “payment data,” without any carve-out for entities or data regulated by the federal Gramm-Leach-Bliley Act. Inevitably, without a specific GLBA-exemption, every bank, credit card company, payment processor, or any institution involved in handling payment information would be impacted and required to track and report data under the provisions of this legislation. It also doesn’t exempt data covered by the Fair Credit Reporting Act. Similar to other states, it would be prudent to include an exemption for information that is governed and collected by regulations under The Gramm-Leach-Bliley Act and the Fair Credit Reporting Act.
Enforcement provisions are out of step with other states.
The bill provides for numerous ambiguous definitions and standards which could expose a regulated entity to excessive and unnecessary litigation and provides for enforcement by the Attorney General without any right to cure provisions. A right to cure has been recognized as an element of omnibus privacy laws and is lacking in this proposal. Not only is that out of step, but the civil penalties assessed within this legislation are grossly inconsistent with those adopted by other states, with penalties of up to $15,000 per violation or 20% of revenue from New York consumers and “any such other and further relied as the court may deem proper.” The vague, inconsistent definitions and standards of this bill, coupled with these aggressive enforcement provisions, will make providing health-related services to New York consumers more expensive than any other state.
*****
This bill fails to incorporate the significant feedback provided by industry. Without amendments to ensure the most comprehensive bill possible for both industry and consumers alike, The Business Council must oppose S.158-E (Krueger) / A.4983-D (Rosenthal) and urges the Legislature to reject its passage.