§ 2169. Vaccine confidentiality. 1. As used in this section, unless\ncontext requires otherwise:\n (a) The term "consent" shall mean informed, affirmative, and voluntary\nauthorization.\n (b) The term "de-identified" shall mean that the information cannot\nidentify or be made to identify or be associated with a particular\nindividual, directly or indirectly, and is subject to technical\nsafeguards and policies and procedures that prevent re-identification,\nwhether intentionally or unintentionally, of any individual.\n (c) The term "disclosure" shall mean release, transfer, provision of,\naccess to, or divulging in any other manner of information outside the\nentity holding the information.\n (d) The term "immigration authority" means any entity, officer,\nemployee, or government employee or agent thereof charged with or\nengaged in enforcement of the federal Immigration and Nationality Act,\nincluding the United States Immigration and Customs Enforcement, United\nStates Department of Homeland Security, or United States Customs and\nBorder Protection, or agent, contractor, or employee thereof, or any\nsuccessor legislation or entity.\n (e) The term "law enforcement agent or entity" means any governmental\nentity or public servant, or agent, contractor or employee thereof,\nauthorized to investigate, prosecute, or make an arrest for a criminal\nor civil offense, or engaged in any such activity, but shall not mean\nthe department, the commissioner, a health district, a county department\nof health, a county health commissioner, a local board of health, a\nlocal health officer, the department of health and mental hygiene of the\ncity of New York, or the commissioner of the department of health and\nmental hygiene of the city of New York.\n (f) The term "personal information" shall mean information obtained\nfrom or about an individual, in connection with their registering for a\nvaccination, that directly or indirectly identifies, relates to,\ndescribes, is capable of being associated with, or could reasonably be\nlinked to a particular individual, household, or personal device.\nInformation is reasonably linkable to an individual, household, or\npersonal device if it can be used on its own or in combination with\nother reasonably available information, when such information is held by\nthe vaccine navigator, to identify an individual, household, or a\npersonal device.\n (g) The term "service attendant to the delivery of immunization" shall\nmean facilitating an immunization appointment, sending reminders about\nimmunization, arranging transportation to or from a vaccine provider, or\nreporting to the department, the New York City department of health and\nmental hygiene, or other local health agency on whose behalf such\nvaccine navigator is performing such services.\n (h) The term "use" shall mean, with respect to personal information,\nthe sharing, employment, application, utilization, examination or\nanalysis of such information within an entity that maintains such\ninformation.\n (i) The term "vaccine navigator" shall mean any person that collects\npersonal information from an individual in order to register that\nindividual for immunization or to help that individual register for\nimmunization, provided the department, a local public health agency, or\na person that administers vaccines or their designees are not vaccine\nnavigators.\n 2. (a) Except as provided in paragraph (d) of this subdivision, absent\nconsent from the individual seeking immunization, or if the individual\nlacks the capacity to make health care decisions, an individual\nauthorized to consent to health care for the individual or the\nindividual's legal representative, a vaccine navigator shall not use,\ndisclose, or maintain personal information except as necessary to\nprovide services attendant to the delivery of immunization.\n (b) A vaccine navigator may request consent from an individual, or if\nthe individual lacks the capacity to make health care decisions, an\nindividual authorized to consent to health care for the individual or\nthe individual's legal representative, to use, disclose, or maintain the\nindividual's personal information for purposes other than services\nattendant to the delivery of immunization provided that:\n (i) a vaccine navigator shall not refuse to provide a service\nattendant to the delivery of immunization for an individual who does not\nprovide such consent;\n (ii) a vaccine navigator shall not relate the price or quality of any\nservice attendant to the delivery of immunization to the privacy\nprotections afforded the individual, including by providing a discount\nor other incentive in exchange for such consent, provided that this\nparagraph does not prohibit the offering of incentives to individuals to\nget vaccinated; provided that such incentives shall not be conditioned\non an individual's consent to additional uses, disclosures, or\nmaintenance of their personal information except as necessary to provide\nthe incentive; and\n (iii) a vaccine navigator shall clearly delineate what personal\ninformation is adequate, relevant, and necessary to provide a service\nattendant to the delivery of immunization by clearly and conspicuously\nindicating in any solicitation for the information that all other\nrequests for personal information are optional.\n (c) Except as provided in paragraph (d) of this subdivision:\n (i) No vaccine navigator may provide personal information or otherwise\nmake personal information accessible, directly or indirectly, to a law\nenforcement agent or entity or immigration authority;\n (ii) No vaccine navigator may provide personal information or\notherwise make personal information accessible, directly or indirectly,\nto any other individual or entity, except as explicitly authorized by\nthis title; and\n (iii) Without consent under this subdivision, personal information and\nany evidence derived therefrom shall not be subject to or provided in\nresponse to any legal process or be admissible for any purpose in any\njudicial or administrative action or proceeding unless provided in\nresponse pursuant to warrants, court-ordered subpoenas, administrative\nsubpoenas, or grand jury subpoenas.\n (d) (i) This section does not bar otherwise lawful disclosure,\npossession or use of information pertaining to services attendant to the\ndelivery of immunization, including aggregate information, that is\nde-identified. Disclosure, possession or use under this subparagraph\nshall only be for a public health or public health research purposes.\n (ii) A vaccine navigator may only possess or use de-identified\ninformation pertaining to services attendant to the delivery of\nimmunization if the vaccine navigator maintains technical safeguards and\npolicies and procedures that prevent re-identification, whether\nintentional or unintentional, of any individual, as may be required by\nthe commissioner (or the New York city commissioner of health and mental\nhygiene, in the case of information collected by or under authority of\nthe New York city department of health and mental hygiene. The\ncommissioner (or the New York city commissioner as the case may be)\nshall require safeguards, policies and procedures under this paragraph\nas the commissioner deems practicable.\n (iii) Disclosure, possession and use of de-identified information\nunder this subdivision shall be only pursuant to approval by the\ncommissioner (or the New York city commissioner of health and mental\nhygiene in the case of information collected by or under authority of\nthe New York city department of health and mental hygiene) specifying\nthe purpose, nature and scope of the disclosure, possession and use and\nmeasures to ensure that it will comply with this section and the terms\nof the approval.\n (e) A vaccine navigator that maintains personal information shall\nestablish appropriate administrative, technical, and physical\nsafeguards, policies, and procedures that ensure the security of that\npersonal information. The safeguards, policies, and procedures must be\nappropriate to the volume and nature of the personal information\nmaintained and the size, revenue, and sophistication of the vaccine\nnavigator and must ensure that personal information is encrypted and\nprotected at least as much as or more than other confidential\ninformation in the vaccine navigator's possession. The commissioner or,\nin the city of New York, the commissioner of the department of health\nand mental hygiene may make regulations as reasonably necessary to\nrequire that personal information possessed, used, or under the control\nof a vaccine navigator shall be subject to technical safeguards,\npolicies, and procedures for storage, transmission, use, and protection\nof the information. The regulations must take into account the different\nsizes, revenues and sophistications of different vaccine navigators, as\nwell as the volume and nature of the personal information they maintain.\n (f) Nothing in this section shall limit a vaccine navigator that has a\npre-existing service provider-client, provider-patient, or familial\nrelationship or a friendship with an individual from processing that\nindividual's personal information as previously agreed to in the course\nof the pre-existing relationship.\n 3. Vaccine providers. A vaccine provider shall not delay or condition\nthe provision of any service attendant to the delivery of immunization\nby inviting or requiring an individual seeking vaccination to complete\nan application for a customer discount card or account or share personal\ninformation that will be stored outside of a record protected under the\nfederal Health Insurance Portability and Accountability Act of 1996, its\nimplementing regulations, or section eighteen of this chapter for\npurposes other than services attendant to the delivery of immunization,\nor by engaging in any other activity unrelated to the provision of such\na service that the commissioner designates by regulation.\n