La privacy dalla parte delle aziende
con spiegazioni semplici e operative, AI assisted
Osservatorio a cura del dott. V. Spataro 



   demo 2025-01-21 ·  NEW:   Appunta · Stampa · Cita: 'Doc 99228' · pdf

NY State Assembly Bill 2025 A2613

abstract:



Documento annotato il 22.01.2025 Fonte: nysenate.gov
Link: https://www.nysenate.gov/legislation/bills/2025/A2




analisi:

L'analisi è riservata agli iscritti. Segui la newsletter dell'Osservatorio oppure il Podcast iscrizione gratuita 30 giorni

-




index:




testo:

Eestimated reading time: 16 min S T A T E O F N E W Y O R K _________________________ ...

 


Testo riservato. Per iscriversi:
all'Osservatorio - al Podcast (30 gg gratuito)

S T A T E O F N E W Y O R K ________________________________________________________________________ 2613 2025-2026 Regular Sessions I N A S S E M B L Y January 21, 2025 ___________ Introduced by M. of A. LUNSFORD, TAPIA, ROZIC -- read once and referred to the Committee on Health AN ACT to amend the public health law, in relation to providing addi- tional protections for sensitive health information and requiring all health information networks, electronic health record systems, and health care providers to provide patients with a right to restrict the disclosures of such patient's health information THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM- BLY, DO ENACT AS FOLLOWS: Section 1. The public health law is amended by adding two new sections 25 and 26 to read as follows: § 25. ....... OF INFORMATION DISCLOSED THROUGH HEALTH INFORMATION NETWORKS. 1. DEFINITIONS. FOR PURPOSES OF THIS SECTION: (A) "BUSINESS ASSOCIATE" SHALL HAVE THE SAME MEANING AS SET FORTH IN 45 CFR 160.103. (B) "CODIFIED SENSITIVE INFORMATION" MEANS PATIENT INFORMATION THAT, BY ASSOCIATED STANDARD CODES COMMONLY USED IN THE EXCHANGE OF PATIENT INFORMATION INCLUDING, BUT NOT LIMITED TO ICD-10 OR SNOMED, CAN BE IDEN- TIFIED AS SENSITIVE INFORMATION IN ACCORDANCE WITH SUBDIVISION THREE OF THIS SECTION. (C) "DISCLOSURE" MEANS THE RELEASE, TRANSFER, PROVISION OF ACCESS TO, OR DIVULGING IN ANY MANNER OF INFORMATION OUTSIDE THE ENTITY THAT DELIV- ERED THE HEALTH CARE AND THE PATIENT WHO RECEIVED THE CARE, AND SUCH TERM SHALL NOT INCLUDE ANY OF THE EXCEPTIONS SET FORTH IN THE DEFINITION OF "DISCLOSURE TO ANY OTHER PERSON" AS DEFINED IN PARAGRAPH (E) OF SUBDIVISION ONE OF SECTION EIGHTEEN OF THIS CHAPTER. (D) "ELECTRONIC HEALTH RECORDS SYSTEM" MEANS ANY ENTITY OPERATING IN THE STATE OF NEW YORK THAT ELECTRONICALLY STORES OR MAINTAINS PATIENT INFORMATION, ELECTRONIC HEALTH RECORDS, PERSONAL HEALTH RECORDS, HEALTH CARE CLAIMS, OR PAYMENT AND OTHER ADMINISTRATIVE DATA ON BEHALF OF A EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets [ ] is old law to be omitted. LBD04417-02-5 A. 2613 2
 
 HEALTH CARE PROVIDER, HEALTH CARE SERVICE PLAN, PHARMACEUTICAL COMPANY,
 CONTRACTOR, OR EMPLOYER.
  (E) "HEALTH CARE PROVIDER" SHALL HAVE THE SAME MEANING AS SET FORTH IN
 PARAGRAPH (B) OF SUBDIVISION ONE OF SECTION EIGHTEEN OF THIS TITLE AND
 FOR PURPOSES OF THIS SECTION SHALL REFER TO HEALTH CARE PROVIDERS THAT
 ARE LOCATED IN THE STATE OF NEW YORK AND USE A HEALTH INFORMATION
 NETWORK TO RECEIVE, HOLD OR EXCHANGE PATIENT INFORMATION ON THEIR
 BEHALF.
  (F) "HEALTH INFORMATION NETWORK" SHALL MEAN ANY ENTITY, INCLUDING A
 HEALTH INFORMATION TECHNOLOGY DEVELOPER OF CERTIFIED HEALTH INFORMATION
 TECHNOLOGY, THAT RECEIVES, HOLDS OR EXCHANGES PATIENT INFORMATION IN
 ELECTRONIC FORM ON BEHALF OF A HEALTH CARE PROVIDER AND MAKES SUCH
 INFORMATION AVAILABLE TO TWO OR MORE INDIVIDUALS OR ENTITIES THAT ARE
 UNAFFILIATED WITH THE HEALTH CARE PROVIDER FOR PURPOSES OF TREATMENT,
 PAYMENT, OR HEALTH CARE OPERATIONS, AS THOSE TERMS ARE DEFINED UNDER
 HIPAA, OR A QUALIFIED HEALTH INFORMATION NETWORK AS ESTABLISHED UNDER
 TEFCA, WHICH EXCHANGES PATIENT INFORMATION ON BEHALF OF A HEALTH CARE
 PROVIDER LOCATED IN THE STATE OF NEW YORK. AN ENTITY MAY QUALIFY AS A
 "HEALTH  INFORMATION NETWORK" IRRESPECTIVE OF WHETHER SUCH ENTITY
 RECEIVES FUNDING FROM THE DEPARTMENT. THE TERM "HEALTH INFORMATION
 NETWORK" SHALL NOT INCLUDE:
  (I) A HEALTH CARE PROVIDER;
  (II) AN ENTITY THAT MAKES PATIENT INFORMATION AVAILABLE SOLELY:
  (1) FROM ONE HEALTH CARE PROVIDER TO A SINGLE HEALTH CARE PROVIDER AS
 PART OF A REFERRAL, PRESCRIPTION, OR CONSULTATION;
  (2) AS NECESSARY FOR THE PAYMENT OF A HEALTH CARE CLAIM;
  (3) AMONG AFFILIATES OF A SINGLE HEALTH CARE PROVIDER;
  (4) TO INDIVIDUALS AND ENTITIES UNDER CONTRACT WITH THE ENTITY WHO
 MEET THE DEFINITION OF A "BUSINESS ASSOCIATE" UNDER HIPAA AND WHO PROC-
 ESS PATIENT INFORMATION ONLY AS DIRECTED BY A HEALTH CARE PROVIDER AND
 DO NOT DISCLOSE PATIENT INFORMATION; OR
  (5) AS NECESSARY TO OPERATE CLINICAL DATA REGISTRIES, PROVIDE ORGAN
 DONATION COORDINATION SERVICES AND OTHER SIMILAR SERVICES AS DEEMED
 APPROPRIATE BY THE DEPARTMENT IN REGULATION;
  (III) A HEALTH INSURER OR A HEALTH MAINTENANCE ORGANIZATION, WHEN
 ACTING AS A HEALTH INSURER, TO THE EXTENT IT EXCHANGES PATIENT INFORMA-
 TION VIA HIPAA STANDARD TRANSACTIONS; AND
  (IV) AN ENTITY THAT MAKES PATIENT INFORMATION AVAILABLE SOLELY TO AND
 BETWEEN HEALTH INFORMATION NETWORKS AND HAS NO ABILITY TO ACCESS, MODI-
 FY, OR FURTHER DISCLOSE PATIENT INFORMATION, INCLUDING, BUT NOT LIMITED
 TO, THE RECOGNIZED COORDINATING ENTITY UNDER TEFCA.
  (G) "HIPAA" MEANS THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY
 ACT OF 1996 AND ITS IMPLEMENTING REGULATIONS AT 45 C.F.R. PARTS 160,
 162, AND 164.
  (H) "NON-CODIFIED SENSITIVE INFORMATION" MEANS PATIENT INFORMATION
 THAT CONTAINS OR REVEALS SENSITIVE INFORMATION, BUT THAT IS NOT ASSOCI-
 ATED WITH STANDARDIZED CODES AND SHALL INCLUDE, BUT IS NOT LIMITED TO
 NOTES, VISIT SUMMARIES, LABORATORY RESULTS AND IMAGES.
  (I) "PATIENT INFORMATION" SHALL HAVE THE SAME MEANING AS SET FORTH IN
 PARAGRAPH (E) OF SUBDIVISION ONE OF SECTION EIGHTEEN OF THIS CHAPTER.
  (J) "QUALIFIED PERSON" SHALL HAVE THE SAME MEANING AS SET FORTH IN
 PARAGRAPH (G) OF SUBDIVISION ONE OF SECTION EIGHTEEN OF THIS TITLE.
  (K) "SENSITIVE INFORMATION" MEANS PATIENT INFORMATION THAT CONTAINS OR
 REVEALS REPRODUCTIVE HEALTH SERVICES AS DEFINED IN PARAGRAPH (A) OF
 SUBDIVISION ONE OF SECTION SIXTY-FIVE HUNDRED THIRTY-ONE-B OF THE EDUCA-
 TION LAW, GENDER-AFFIRMING CARE AS DEFINED IN PARAGRAPH (C) OF SUBDIVI-
 A. 2613               3
 SION ONE OF SECTION SIXTY-FIVE HUNDRED THIRTY-ONE-B OF THE EDUCATION
 LAW, CARE PROTECTED UNDER 42 CFR PART 2, DIAGNOSIS AND TREATMENT FOR A
 SEXUALLY TRANSMITTED INFECTION OR HIV, MENTAL HEALTH SERVICES, ALCOHOL
 OR SUBSTANCE USE TREATMENT, AND ANY OTHER HEALTH CARE SERVICES DETER-
 MINED BY THE COMMISSIONER THROUGH REGULATIONS, IN CONSULTATION WITH
 HEALTH CARE PROVIDERS, PATIENT ADVOCATES, HEALTH INFORMATION NETWORKS
 AND OTHER RELEVANT STAKEHOLDERS.
  (L) "TEFCA" MEANS THE TRUSTED EXCHANGE FRAMEWORK AND COMMON AGREEMENT
 AUTHORIZED BY THE 21ST CENTURY CURES ACT.
  2. PATIENT RIGHT TO RESTRICT DISCLOSURES BY HEALTH INFORMATION
 NETWORKS. WITHIN ONE HUNDRED EIGHTY DAYS FROM THE EFFECTIVE DATE OF THIS
 SECTION, THE DEPARTMENT SHALL ESTABLISH RULES AND REGULATIONS REQUIRING
 ANY HEALTH INFORMATION NETWORK TO:
  (A) PROVIDE QUALIFIED PERSONS WITH THE MEANS OF REQUESTING, WITHOUT
 UNDUE EFFORT, RESTRICTIONS ON DISCLOSURES OF PATIENT INFORMATION FROM
 ALL HEALTH INFORMATION NETWORKS;
  (B) SUBJECT TO ANY REGULATORY EXCEPTIONS ESTABLISHED BY THE DEPART-
 MENT, ABIDE BY THE TERMS OF A QUALIFIED PERSON'S REQUESTED RESTRICTION
 MADE UNDER PARAGRAPH (A) OF THIS SUBDIVISION; AND
  (C) SUBJECT TO ANY REGULATORY EXCEPTIONS ESTABLISHED BY THE DEPART-
 MENT, PROVIDE OR CAUSE TO BE PROVIDED TO QUALIFIED PERSONS, UPON
 REQUEST, A REPORT OR NOTIFICATIONS DETAILING DISCLOSURES OF THE APPLICA-
 BLE PATIENT'S PATIENT INFORMATION BY OR THROUGH ALL HEALTH INFORMATION
 NETWORKS.
  3. ADDITIONAL PROTECTIONS FOR CODIFIED SENSITIVE INFORMATION BY HEALTH
 INFORMATION NETWORKS. (A) WITHIN ONE HUNDRED EIGHTY DAYS FROM THE EFFEC-
 TIVE DATE OF THIS SECTION, THE DEPARTMENT SHALL ESTABLISH RULES AND
 REGULATIONS, CONSISTENT WITH STATE AND FEDERAL LAW AND REGULATIONS,
 INCLUDING BUT NOT LIMITED TO ARTICLE THIRTY-THREE OF THE MENTAL HYGIENE
 LAW AND SECTION TWENTY-SEVEN HUNDRED EIGHTY-TWO OF THIS CHAPTER, REQUIR-
 ING ANY HEALTH INFORMATION NETWORK TO:
  (I) DEVELOP THE CAPACITY TO LIMIT THE DISCLOSURE OF CODIFIED SENSITIVE
 INFORMATION WHILE ALLOWING FOR THE DISCLOSURE OF A PATIENT'S OTHER
 HEALTH INFORMATION;
  (II) WHEN DIRECTED BY A QUALIFIED PERSON, LIMIT USER ACCESS PRIVILEGES
 TO CODIFIED SENSITIVE INFORMATION TO ONLY THOSE HIPAA COVERED ENTITIES
 WHOM THE QUALIFIED PERSON HAS SPECIFICALLY AUTHORIZED TO ACCESS THE
 CODIFIED SENSITIVE INFORMATION;
  (III) PROVIDE THE ABILITY TO AUTOMATICALLY DISABLE ACCESS TO CODIFIED
 SENSITIVE INFORMATION BY AN INDIVIDUAL OR ENTITY LOCATED OUTSIDE THE
 STATE OF NEW YORK AS DIRECTED BY A QUALIFIED PERSON; AND
  (IV) UNLESS OTHERWISE ORDERED BY A COURT OF COMPETENT JURISDICTION,
 NOTIFY THE QUALIFIED PERSON AND THE PROVIDER WHO RENDERED THE HEALTH
 CARE DOCUMENTED IN THE CODIFIED SENSITIVE INFORMATION AT LEAST THIRTY
 DAYS PRIOR TO COMPLYING WITH A CIVIL, CRIMINAL, OR REGULATORY INQUIRY,
 INVESTIGATION, SUBPOENA, OR SUMMONS FOR CODIFIED SENSITIVE INFORMATION.
  (B) SUCH RULES AND REGULATIONS SHALL ALSO:
  (I) ESTABLISH A LIST OF PROCEDURE CODES, DIAGNOSIS CODES, MEDICATION
 CODES, AND OTHER APPROPRIATE CODES THAT CONSTITUTE CODIFIED SENSITIVE
 INFORMATION;
  (II) SET FORTH EXCEPTIONS TO THE REQUIREMENT TO BLOCK THE DISCLOSURE
 OF CODIFIED SENSITIVE INFORMATION AS REQUIRED BY PARAGRAPH (A) OF THIS
 SUBDIVISION, INCLUDING FOR DISCLOSURES TO INDIVIDUALS AND ENTITIES UNDER
 CONTRACT WITH A HEALTH INFORMATION NETWORK WHO MEET THE DEFINITION OF A
 "BUSINESS ASSOCIATE" UNDER HIPAA AND WHO DO NOT RE-DISCLOSE SUCH PATIENT
 INFORMATION; AND
 A. 2613               4
  (III) ESTABLISH GUIDELINES FOR THE AUTHORIZATION NECESSARY TO LIMIT
 DISCLOSURE OF CODIFIED SENSITIVE INFORMATION PURSUANT TO SUBPARAGRAPHS
 (II) AND (III) OF PARAGRAPH (A) OF THIS SUBDIVISION.
  4. ADDITIONAL PROTECTIONS FOR SENSITIVE INFORMATION BY ELECTRONIC
 HEALTH RECORDS SYSTEMS. (A) WITHIN ONE HUNDRED EIGHTY DAYS OF THE EFFEC-
 TIVE DATE OF THIS SECTION, THE DEPARTMENT SHALL ESTABLISH RULES AND
 REGULATIONS, CONSISTENT WITH STATE AND FEDERAL LAW AND REGULATIONS,
 INCLUDING BUT NOT LIMITED TO ARTICLE THIRTY-THREE OF THE MENTAL HYGIENE
 LAW AND SECTION TWENTY-SEVEN HUNDRED EIGHTY-TWO OF THIS CHAPTER, REQUIR-
 ING ANY ELECTRONIC HEALTH RECORDS SYSTEM TO:
  (I) DEVELOP THE CAPACITY TO PROVIDE QUALIFIED PERSONS WITH THE MEANS
 OF REQUESTING, WITHOUT UNDUE EFFORT, RESTRICTIONS ON DISCLOSURES OF
 PATIENT INFORMATION;
  (II) DEVELOP THE CAPACITY TO LIMIT THE DISCLOSURE OF CODIFIED SENSI-
 TIVE INFORMATION WHILE ALLOWING FOR THE DISCLOSURE OF A PATIENT'S OTHER
 HEALTH INFORMATION;
  (III) WHEN DIRECTED BY A QUALIFIED PERSON, LIMIT USER ACCESS PRIVI-
 LEGES TO CODIFIED SENSITIVE INFORMATION TO ONLY THOSE HIPAA COVERED
 ENTITIES WHOM THE QUALIFIED PERSON HAS SPECIFICALLY AUTHORIZED TO ACCESS
 THE SENSITIVE INFORMATION;
  (IV) PROVIDE THE ABILITY TO AUTOMATICALLY DISABLE ACCESS TO CODIFIED
 SENSITIVE INFORMATION BY AN INDIVIDUAL OR ENTITY LOCATED OUTSIDE THE
 STATE OF NEW YORK AS DIRECTED BY A QUALIFIED PERSON; AND
  (V) UNLESS OTHERWISE ORDERED BY A COURT OF COMPETENT JURISDICTION,
 NOTIFY THE QUALIFIED PERSON AND THE PROVIDER WHO RENDERED THE HEALTH
 CARE DOCUMENTED IN THE CODIFIED SENSITIVE INFORMATION AT LEAST THIRTY
 DAYS PRIOR TO COMPLYING WITH A CIVIL, CRIMINAL, OR REGULATORY INQUIRY,
 INVESTIGATION, SUBPOENA, OR SUMMONS FOR CODIFIED SENSITIVE INFORMATION.
  (B) WITHIN ONE YEAR OF THE EFFECTIVE DATE OF THIS SECTION, THE DEPART-
 MENT SHALL ESTABLISH RULES AND REGULATIONS, CONSISTENT WITH STATE AND
 FEDERAL LAW AND REGULATIONS, INCLUDING BUT NOT LIMITED TO ARTICLE THIR-
 TY-THREE OF THE MENTAL HYGIENE LAW AND SECTION TWENTY-SEVEN HUNDRED
 EIGHTY-TWO OF THIS CHAPTER, REQUIRING ANY ELECTRONIC HEALTH RECORDS
 SYSTEM TO:
  (I) DEVELOP THE CAPACITY TO LIMIT THE DISCLOSURE OF NON-CODIFIED
 SENSITIVE INFORMATION WHILE ALLOWING FOR THE DISCLOSURE OF A PATIENT'S
 OTHER HEALTH INFORMATION;
  (II) WHEN DIRECTED BY A QUALIFIED PERSON, LIMIT USER ACCESS PRIVILEGES
 TO NON-CODIFIED SENSITIVE INFORMATION TO ONLY THOSE HIPAA COVERED ENTI-
 TIES WHOM THE QUALIFIED PERSON HAS SPECIFICALLY AUTHORIZED TO ACCESS THE
 NON-CODIFIED SENSITIVE INFORMATION;
  (III) PROVIDE THE ABILITY TO AUTOMATICALLY DISABLE ACCESS TO NON-CODI-
 FIED SENSITIVE INFORMATION BY AN INDIVIDUAL OR ENTITY LOCATED OUTSIDE
 THE STATE OF NEW YORK AS DIRECTED BY A QUALIFIED PERSON; AND
  (IV) UNLESS OTHERWISE ORDERED BY A COURT OF COMPETENT JURISDICTION,
 NOTIFY THE QUALIFIED PERSON AND THE PROVIDER WHO RENDERED THE HEALTH
 CARE DOCUMENTED IN THE NON-CODIFIED SENSITIVE INFORMATION AT LEAST THIR-
 TY DAYS PRIOR TO COMPLYING WITH A CIVIL, CRIMINAL, OR REGULATORY
 INQUIRY, INVESTIGATION, SUBPOENA, OR SUMMONS FOR NON-CODIFIED SENSITIVE
 INFORMATION.
  (C) THE RULES AND REGULATIONS REQUIRED BY PARAGRAPHS (A) AND (B) OF
 THIS SUBDIVISION SHALL ALSO:
  (I) SET FORTH EXCEPTIONS TO THE REQUIREMENT TO BLOCK THE DISCLOSURE OF
 CODIFIED AND NON-CODIFIED SENSITIVE INFORMATION AS REQUIRED BY PARA-
 GRAPHS (A) AND (B) OF THIS SUBDIVISION, INCLUDING FOR DISCLOSURES TO
 INDIVIDUALS AND ENTITIES UNDER CONTRACT WITH A HEALTH INFORMATION
 A. 2613               5
 NETWORK WHO MEET THE DEFINITION OF A "BUSINESS ASSOCIATE" UNDER HIPAA
 AND WHO DO NOT RE-DISCLOSE SUCH PATIENT INFORMATION; AND
  (II) ESTABLISH GUIDELINES FOR THE AUTHORIZATION NECESSARY TO LIMIT
 DISCLOSURE OF CODIFIED AND NON-CODIFIED SENSITIVE INFORMATION PURSUANT
 TO SUBPARAGRAPHS (III) AND (IV) OF PARAGRAPH (A) AND SUBPARAGRAPHS (II)
 AND (III) OF PARAGRAPH (B) OF THIS SECTION.
  5. AUTHORIZATION. NOTWITHSTANDING SECTION EIGHTEEN OF THIS TITLE AND
 SUBDIVISION TWENTY-THREE OF SECTION SIXTY-FIVE HUNDRED THIRTY OF THE
 EDUCATION LAW, A HEALTH INFORMATION NETWORK THAT ABIDES BY A QUALIFIED
 PERSON'S REQUEST TO LIMIT DISCLOSURE OF SENSITIVE INFORMATION SHALL NOT
 BE OTHERWISE REQUIRED TO OBTAIN AUTHORIZATION FOR THE DISCLOSURE OF
 PATIENT INFORMATION, UNLESS AUTHORIZATION IS REQUIRED IN ACCORDANCE WITH
 SUBDIVISIONS THREE OR FOUR OF THIS SECTION, ARTICLE TWENTY-SEVEN-F OF
 THIS CHAPTER, THE PROVISIONS OF SECTION SEVENTEEN OF THIS TITLE RELATED
 TO PROHIBITING THE RELEASE TO AN INFANT PATIENT'S PARENT OR GUARDIAN OF
 INFORMATION RELATED TO THE TREATMENT OF SUCH INFANT PATIENT FOR VENEREAL
 DISEASE OR THE PERFORMANCE OF AN ABORTION OPERATION UPON SUCH INFANT
 PATIENT, SECTION 33.13 OF THE MENTAL HYGIENE LAW, SECTION SEVENTY-NINE-L
 OF THE CIVIL RIGHTS LAW, SECTION THREE HUNDRED NINETY-FOUR-E OF THE
 GENERAL BUSINESS LAW, 42 CFR PART 2, HIPAA, OR OTHER RELEVANT FEDERAL,
 STATE, OR LOCAL LAWS.
  § 26. ....... OF PATIENT INFORMATION HELD BY HEALTH CARE PROVIDERS.
 1. DEFINITIONS. FOR PURPOSES OF THIS SECTION:
  (A) "DISCLOSURE" MEANS THE RELEASE, TRANSFER, PROVISION OF ACCESS TO,
 OR DIVULGING IN ANY MANNER OF INFORMATION OUTSIDE THE ENTITY THAT DELIV-
 ERED THE HEALTH CARE AND THE PATIENT WHO RECEIVED THE CARE, AND SUCH
 TERM SHALL NOT INCLUDE ANY OF THE EXCEPTIONS SET FORTH IN THE DEFINITION
 OF "DISCLOSURE TO ANY OTHER PERSON" AS DEFINED IN PARAGRAPH (E) OF
 SUBDIVISION ONE OF SECTION EIGHTEEN OF THIS CHAPTER.
  (B) "HEALTH CARE PROVIDER" SHALL HAVE THE SAME MEANING AS SET FORTH IN
 PARAGRAPH (B) OF SUBDIVISION ONE OF SECTION EIGHTEEN OF THIS CHAPTER.
  (C) "HIPAA" SHALL HAVE THE SAME MEANING AS SET FORTH IN PARAGRAPH (G)
 OF SUBDIVISION ONE OF SECTION TWENTY-FIVE OF THIS TITLE.
  (D) "PATIENT INFORMATION" SHALL HAVE THE SAME MEANING AS SET FORTH IN
 PARAGRAPH (E) OF SUBDIVISION ONE OF SECTION EIGHTEEN OF THIS TITLE.
  (E) "QUALIFIED PERSON" SHALL HAVE THE SAME MEANING AS SET FORTH IN
 PARAGRAPH (G) OF SUBDIVISION ONE OF SECTION EIGHTEEN OF THIS TITLE.
  (F) "SENSITIVE INFORMATION" SHALL HAVE THE SAME MEANING AS SET FORTH
 IN PARAGRAPH (K) OF SUBDIVISION ONE OF SECTION TWENTY-FIVE OF THIS
 TITLE.
  2. PATIENT RIGHT TO RESTRICT DISCLOSURES BY HEALTH CARE PROVIDERS.
 (A) WITHIN ONE HUNDRED EIGHTY DAYS FROM THE EFFECTIVE DATE OF THIS
 SUBDIVISION, THE DEPARTMENT SHALL ESTABLISH RULES AND REGULATIONS THAT
 REQUIRE HEALTH CARE PROVIDERS TO TAKE REASONABLE STEPS TO:
  (I)  PROVIDE  QUALIFIED  PERSONS  WITH THE MEANS OF REQUESTING
 RESTRICTIONS ON DISCLOSURES OF PATIENT INFORMATION CONSISTENT WITH THE
 OBLIGATIONS IMPOSED BY SECTION TWENTY-FIVE OF THIS ARTICLE;
  (II) NOTIFY QUALIFIED PERSONS OF THEIR RIGHT TO RESTRICT THE DISCLO-
 SURE OF PATIENT INFORMATION;
  (III) SUBJECT TO ANY REGULATORY EXCEPTIONS ESTABLISHED BY THE DEPART-
 MENT, ABIDE BY THE TERMS OF A QUALIFIED PERSON'S REQUESTED RESTRICTION;
 AND
  (IV) UNLESS OTHERWISE ORDERED BY A COURT OF COMPETENT JURISDICTION,
 NOTIFY THE QUALIFIED PERSON AT LEAST THIRTY DAYS PRIOR TO COMPLYING WITH
 A CIVIL, CRIMINAL, OR REGULATORY INQUIRY, INVESTIGATION, SUBPOENA, OR
 SUMMONS FOR SENSITIVE INFORMATION.
 A. 2613               6
  (B) THE DEPARTMENT'S RULES AND REGULATIONS SHALL SET FORTH EXCEPTIONS
 TO A QUALIFIED PERSON'S RIGHT TO RESTRICT DISCLOSURES AND SHALL INCLUDE,
 AT A MINIMUM, EXCEPTIONS FOR:
  (I) DISCLOSURES TO PUBLIC HEALTH AUTHORITIES LOCATED IN THE STATE OF
 NEW YORK IN ACCORDANCE WITH NEW YORK LAW;
  (II) DISCLOSURES NECESSARY TO FACILITATE PAYMENT OF A HEALTH CARE
 CLAIM;
  (III) DISCLOSURES NECESSARY TO ENSURE THAT A PROVIDER IS IN COMPLIANCE
 WITH APPLICABLE QUALITY OF CARE, LICENSURE OR ACCREDITATION STANDARDS;
 AND
  (IV) DISCLOSURES STRICTLY NECESSARY TO FILL A PRESCRIPTION OR PROVIDE
 A SERVICE.
  (C) THE DEPARTMENT SHALL ESTABLISH PHASE-IN PERIODS FOR HEALTH CARE
 PROVIDERS TO IMPLEMENT THE REQUIREMENTS OF THIS SUBDIVISION, TAKING INTO
 ACCOUNT THE TECHNICAL FEASIBILITY OF IMPLEMENTING RESTRICTIONS AMONG
 VARIOUS SECTORS, INCLUDING (I) SMALL HEALTH CARE PROVIDERS; AND (II)
 HEALTH CARE PROVIDERS IN SECTORS THAT DO NOT TYPICALLY UTILIZE CERTIFIED
 HEALTH INFORMATION TECHNOLOGY, AS WELL AS THE TIME IT TAKES FOR THE
 HEALTH INFORMATION SYSTEMS OR ELECTRONIC HEALTH RECORD SYSTEMS TO DEVEL-
 OP AND IMPLEMENT THE CAPACITY TO SEGMENT HEALTH RECORDS.
  (D) THE DEPARTMENT SHALL PROVIDE GUIDANCE TO HEALTH CARE PROVIDERS,
 INCLUDING MODEL NOTICES HEALTH CARE PROVIDERS MAY USE TO NOTIFY QUALI-
 FIED PERSONS TO PERMIT THEM TO EXERCISE THEIR RIGHTS UNDER THIS SUBDIVI-
 SION.  SUCH GUIDANCE SHALL RECOMMEND MORE PROMINENT NOTICES AND MEANS
 FOR A QUALIFIED PERSON TO EXERCISE THEIR RIGHTS IN HEALTH CARE SETTINGS
 WHERE SENSITIVE INFORMATION IS FREQUENTLY GENERATED AS PART OF PATIENTS'
 HEALTH CARE RECORDS.
  3. AUTHORIZATION FOR A HEALTH CARE PROVIDER'S DISCLOSURE OF PATIENT
 INFORMATION. NOTWITHSTANDING SECTION EIGHTEEN OF THIS TITLE AND SUBDIVI-
 SION TWENTY-THREE OF SECTION SIXTY-FIVE HUNDRED THIRTY OF THE EDUCATION
 LAW, IF A HEALTH CARE PROVIDER HAS PROVIDED ACTUAL NOTICE TO A QUALIFIED
 PERSON OF SUCH PERSON'S RIGHT TO RESTRICT DISCLOSURES OF PATIENT INFOR-
 MATION IN ACCORDANCE WITH THE REQUIREMENTS OF SUBDIVISION TWO OF THIS
 SECTION AND ABIDES BY A QUALIFIED PERSON'S REQUEST TO RESTRICT DISCLO-
 SURES, NO AUTHORIZATION SHALL BE REQUIRED FOR SUCH HEALTH CARE PROVIDER
 TO DISCLOSE A PATIENT'S OTHER PATIENT INFORMATION UNLESS AUTHORIZATION
 IS REQUIRED BY THIS SECTION OR SECTION TWENTY-FIVE OF THIS TITLE, ARTI-
 CLE TWENTY-SEVEN-F OF THIS CHAPTER, THE PROVISIONS OF SECTION SEVENTEEN
 OF THIS TITLE RELATING TO PROHIBITING THE RELEASE TO AN INFANT PATIENT'S
 PARENT OR GUARDIAN OF INFORMATION RELATED TO THE TREATMENT OF SUCH
 INFANT PATIENT FOR VENEREAL DISEASE OR THE PERFORMANCE OF AN ABORTION
 OPERATION UPON SUCH INFANT PATIENT, SECTION 33.13 OF THE MENTAL HYGIENE
 LAW, SECTION SEVENTY-NINE-L OF THE CIVIL RIGHTS LAW, SECTION THREE
 HUNDRED NINETY-FOUR-E OF THE GENERAL BUSINESS LAW, 42 CFR PART 2, HIPAA,
 OR OTHER RELEVANT FEDERAL, STATE, OR LOCAL LAWS.
  4. AUTHORIZATION FOR A HEALTH CARE PROVIDER'S REQUEST FOR PATIENT
 INFORMATION. NOTWITHSTANDING SECTION EIGHTEEN OF THIS TITLE AND SUBDIVI-
 SION TWENTY-THREE OF SECTION SIXTY-FIVE HUNDRED THIRTY OF THE EDUCATION
 LAW, IF A HEALTH CARE PROVIDER PROVIDES ACTUAL NOTICE TO QUALIFIED
 PERSONS THAT IT MAKES ROUTINE REQUESTS FOR PATIENT INFORMATION FROM
 OTHER INDIVIDUALS OR ENTITIES, NO AUTHORIZATION SHALL BE REQUIRED TO
 MAKE A REQUEST FOR PATIENT INFORMATION UNLESS AUTHORIZATION IS REQUIRED
 BY THIS SECTION OR SECTION TWENTY-FIVE OF THIS  TITLE,  ARTICLE
 TWENTY-SEVEN-F OF THIS CHAPTER, THE PROVISIONS OF SECTION SEVENTEEN OF
 THIS TITLE RELATING TO PROHIBITING THE RELEASE TO AN INFANT PATIENT'S
 PARENT OR GUARDIAN OF INFORMATION RELATED TO THE TREATMENT OF SUCH
 A. 2613               7
 INFANT PATIENT FOR VENEREAL DISEASE OR THE PERFORMANCE OF AN ABORTION
 OPERATION UPON SUCH INFANT PATIENT, SECTION 33.13 OF THE MENTAL HYGIENE
 LAW, SECTION SEVENTY-NINE-L OF THE CIVIL RIGHTS LAW, SECTION THREE
 HUNDRED NINETY-FOUR-E OF THE GENERAL BUSINESS LAW, 42 CFR PART 2, HIPAA,
 OR OTHER RELEVANT FEDERAL, STATE, OR LOCAL LAWS.
  5. DISCLOSURE OF DE-IDENTIFIED PATIENT INFORMATION. NOTHING IN THIS
 SECTION SHALL PROHIBIT A HEALTH CARE PROVIDER'S DISCLOSURE OF DE-IDENTI-
 FIED PATIENT INFORMATION FOR THE PURPOSES OF QUALITY ASSURANCE OR
 IMPROVEMENT ACTIVITIES, CLINICAL TRIALS OR RESEARCH. FOR PURPOSES OF
 THIS SECTION, "DE-IDENTIFIED" MEANS THAT THE INFORMATION CANNOT IDENTIFY
 OR BE MADE TO IDENTIFY OR BE ASSOCIATED WITH A PARTICULAR INDIVIDUAL,
 DIRECTLY OR INDIRECTLY AND IS SUBJECT TO TECHNICAL SAFEGUARDS AND POLI-
 CIES AND PROCEDURES THAT PREVENT RE-IDENTIFICATION, WHETHER INTEN-
 TIONALLY OR UNINTENTIONALLY, OF ANY INDIVIDUAL.
  § 2. Severability. If any provision of this act, or any application of
 any provision of this act, is held to be invalid, or ruled to violate or
 be inconsistent with any applicable federal law or regulation, that
 shall not affect the validity or effectiveness of any other provision of
 this act, or of any other application of any provision of this act. It
 is hereby declared to be the intent of the legislature that this act
 would have been enacted even if such invalid provisions had not been
 included herein.
  § 3. This act shall take effect immediately.


Link: https://www.nysenate.gov/legislation/bills/2025/A2

Testo del 2025-01-21 Fonte: nysenate.gov




Commenta



i commenti sono anonimi e inviati via mail e cancellati dopo aver migliorato la voce alla quale si riferiscono: non sono archiviati; comunque non lasciare dati particolari. Si applica la privacy policy.


Ricevi gli aggiornamenti su NY State Assembly Bill 2025 A2613 e gli altri post del sito:

Email: (gratis Info privacy)






Nota: il dizionario è aggiornato frequentemente con correzioni e giurisprudenza










La privacy dalle basi fino all'attualità.
Udemy lo consiglia alle aziende.
adv IusOnDemand