The "Health Information Privacy Act" proposes to add a new Article 10 to the Public Health Law to create a private cause of action for the misuse of individually identifiable health information. The Act provides that all disclosures of health information made without informed consent, as defined in the Act, must be disclosed in a non-individually identifiable format and shall be limited to only the minimum amount of information necessary. All disclosures must be accompanied by a statement of disclosure and must be documented and recorded by the entity disclosing the information. Violations of the Act may result in criminal penalties of up to one year imprisonment and/or up to $5,000 in fines; civil liability for violation includes injunction, compensatory damages, punitive damages, and attorneys’ fees and costs.

One interesting question this bill raises is how it compares to the proposed federal privacy standards under HIPAA (see information on our website "ehealthlawtoday.com"). HIPAA preempts state law except to the extent the state law is more stringent than Federal law. The Act is more stringent in its protection of protected health information in at least two important ways: (1) the Act applies universally, not just to "covered entities", and (2) the Act applies to information in all forms, not just information kept or transmitted electronically. Additionally, the Act, unlike the federal privacy rule, does not provide for disclosures without consent for treatment or payment purposes. Finally, it is an interesting question of construction whether the Act’s private cause of action constitutes protection more stringent than HIPAA.

A9401: The "Internet Privacy Law"

The "Internet Privacy Law" proposes to amend New York’s General Business Law to restrict disclosure of personal information by operators of websites which voluntarily comply with the Law. The incentive offered for compliance is the right to advertise the compliance to the Internet public. Operators who advertise compliance with the Law are prohibited from releasing a person’s name, address, e-mail address, telephone number, social security number, or other identifying information to third parties without informed consent. Under the Law, individuals have the right to access, verify, and correct personal information about them and to know the identity of third parties to whom personal information was disclosed. Violations of the Law result in liability for all actual damages, but not less than $500, plus costs, disbursements, and reasonable attorneys’ fees. Individuals may also apply to the Attorney General for an injunction restricting violations; the Attorney General may impose civil penalties of up to $1,000.

S5590/A8130: The "Internet Privacy Practices Act"

Bills S5590 and A8130 both propose enactment of the "Internet Privacy Practice Act", which protects information of customers of state agencies. The Act calls for a model on-line privacy notice. The Act provides that state agencies shall not disclose (defined as sell or rent) personal information unless an individual has received notice and has consented to such disclosure. State agencies are also required to provide notice regarding information collected, possible disclosures of information, time which information will be maintained, procedures for individual access to information, means of collection of information, whether information is required to be provided, and steps being taken to protect confidentiality, integrity and quality of information.