WeVote

Bill

Bill

A 10357

Provides for the protection of health information

2025 Regular Session Introduced by Rodneyse Bichotte Hermelyn and 31 co-sponsors

Establishes a comprehensive New York Health Information Privacy Act that strictly limits handling of regulated health information, grants individual rights, and imposes strong prot

REPORTED REFERRED TO RULES
0
WeVote Research Nonpartisan
Bill Summary · A 10357

Overview

  • Bill: A 10357 (New York)
  • Session: 2025-2026
  • Committee: Science and Technology (initial referral)
  • Primary aim: Establish a New York Health Information Privacy Act to protect health-related information, define regulated health information, set rights for individuals, and outline duties for entities and service providers handling such data.

Main purpose and intent

  • Create a comprehensive regulatory framework to protect regulated health information (RHI) of individuals in New York.
  • Prohibit certain uses (notably selling RHI) without explicit authorization and set strict criteria for lawful processing.
  • Empower individuals with clear rights to access, delete, and control processing of their health information.
  • Require transparent, accessible communications and strong security and contracts with processors.

Key provisions and changes

Definitions (Sec. 1120)

  • Deidentified information:
    • Requires technical safeguards, public commitment to deidentification, contractual obligations on recipients, and that reidentification would negate deidentification.
  • Regulated health information (RHI):
    • Broadly includes data linked to identifiable individuals connected to health status, services, or health-related identifiers (including biometric, genetic, location data, gender/reproductive health, etc.).
    • Excludes deidentified information.
  • Processing scope:
    • Encompasses collection, use, sharing, sale, monetization, analysis, retention, transmission, etc.
  • Regulated entity and service provider concepts:
    • Regulated entity: controls processing of RHI of NY residents or while present in NY or collecting/taking services in NY.
    • Service provider: processes RHI on behalf of a regulated entity; may also be a regulated entity.
  • Other terms: selling, third party, individual, verifiable (identity verification standards).

Communications to individuals (Sec. 1121)

  • Notices and forms must be in plain language, accessible, and offered in the languages in which the entity operates.
  • Communications must be accessible to people with disabilities and delivered via interfaces the individual regularly uses.
  • Processing notices and authorization forms must be publicly accessible on the entity’s website (or provide a sample form).

Lawfulness of processing (Sec. 1122)

  • Prohibitions:
    • Cannot sell RHI to a third party.
    • Cannot process RHI unless:
    • the individual provides valid authorization, or
    • processing is strictly necessary for specified purposes (e.g., product/service improvement, internal business operations excluding marketing/advertising/research, security, protecting vital interests, legal claims, or complying with law).
  • Authorization regime (subdiv. 2):
    • Authorization requests must be separate, plain, and include specifics about data, purposes, service providers, third parties, consideration, non-discrimination, expiration (up to 1 year), revocation mechanism, access/deletion rights, etc.
    • Valid authorization must include detailed disclosures and require an affirmative signature; individuals must be able to revoke, with immediate cessation of processing upon verification, and an account-based revocation interface.
    • Copy of authorization must be provided; processing limited to disclosed scope; new authorization required for material changes.
    • Non-contingent access to products/services; no discrimination for withholding authorization.
  • Permissible purposes (subpar. 3):
    • Notices must describe data types, processing, purposes, disclosures, and access/deletion mechanisms.
    • Material alterations to permissible processing require a clear notice and the option to delete health information.

Individual rights (Sec. 1123)

  • Access: Verifiable requests yield copies of all RHI maintained by the entity or its processors within 30 days (extendable by 30 days with notice).
  • Deletion: Right to delete RHI; deletion requests treated as requests to delete online accounts; must delete within 30 days and notify service providers/third parties that processed RHI within the prior year.
  • Service providers/third parties must delete upon notice, subject to legal obligations.
  • Rights exercisable by the individual or an authorized agent.

Security (Sec. 1124)

  • Entities must implement reasonable administrative, technical, and physical safeguards.
  • Required to dispose of RHI according to a retention schedule within 60 days after it is no longer needed for the stated purposes or authorization.

Service providers (Sec. 1125)

  • Processing by service providers must be governed by a written contract detailing processing purpose, duration, and rights/obligations.
  • Provisions include confidentiality, data protection, processing limits, no mixing of data with other sources, honoring rights, return/delete at end of services, data transfer transparency, and cooperation for assessments.
  • Allow voluntary assessments or independent audits; provide briefing to regulated entity; notify about further disclosures; extend same obligations to subsequent processors.

Exemptions (Sec. 1126)

  • Lists numerous exemptions aligned with existing privacy and health privacy frameworks (e.g., HIPAA/HITECH, HHS rules, TEFCA, FDA-related activities, public health activities, clinical trials, patient safety work product, research with deidentification, certain employment records, emergency contact information, and other federally protected data contexts).
  • Attorney General may add further exemptions when compatible with stronger privacy protections.

Enforcement (Sec. 1127)

  • NY Attorney General can bring actions for violations, seeking injunctions, restitution, disgorgement, civil penalties (up to $15,000 per violation), and other relief.
  • Remedies in addition to other available remedies; statute of limitations generally six years from awareness of the violation.
  • AG may issue subpoenas and require data responses; rules and regulations to enforce the act may be issued by AG.

Contracts and waivers (Sec. 1128)

  • Any contract provisions or waivers inconsistent with the act are void and unenforceable.

Construction and effective date (Sec. 1129; Sec. 2-3)

  • The act does not limit disclosures required for public health surveillance, disease reporting, or health oversight, and aligns with federal health privacy disclosures (e.g., HIPAA 45 CFR 164.512).
  • Effective date: 6 months after enactment; regulations and implementation steps may be completed by that date.
  • Immediate authority for rulemaking to implement the act’s requirements.

Who is affected

  • Regulated entities that process health-related information of New York residents or in NY.
  • Service providers that process RHI on behalf of regulated entities.
  • Individuals whose health information is collected, processed, or stored by these entities.
  • Third parties and potential contractors involved in processing RHI.
  • Government enforcement through the New York Attorney General.

Procedural and timeline notes

  • Enactment results in a new article (Article 42-A) within the General Business Law.
  • Effective date: six months after enactment, with AG authority to issue implementing regulations immediately.
  • Violations subject to civil penalties and potential remedies described; six-year lookback for enforcement.
  • The bill includes extensive rulemaking authority for the AG to refine definitions, exemptions, and enforcement procedures.

If you’d like, I can provide a side-by-side comparison with existing NY privacy laws (e.g., SHIELD Act) or HIPAA-related federal protections to highlight where A 10357 strengthens or aligns with current rules.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.