In October of 2019, New York Governor Andrew Cuomo signed legislation limiting the disclosure or sale of patient information by emergency responders. Specifically, under the New York law, emergency responders (ambulance and first response service providers) may not disclose or sell private patient information to third parties for marketing purposes.

What is the Scope of the New York Law?

Before passage of this New York law, emergency response providers were permitted to sell information that identified an individual patient (individually identifying information) such as addresses and phone numbers, prescriptions, and medical history. The new law prohibits the disclosure or sale of such information to third parties, except to healthcare providers, the patient’s insurer, and parties acting under appropriate legal authority.      

Under the new law, individually identifying information is protected from sales for marketing purposes, such as advertising, marketing, promotion, or other activity used to influence sales. 

  • “Individual identifying information” is defined as information identifying or tending to identify a patient. 
  • Under the new New York law, “marketing” is defined as, but is not limited to, “advertising, detailing, marketing, promotion, or any activity that is intended to be or could be used to influence business volume, sales or market share or evaluate the effectiveness of marketing practices or personnel, regardless of whether the beneficiary of the marketing is a governmental, for-profit, or not-for-profit entity.”

The new New York law does not prohibit patient data from being disclosed, sold, transferred, or exchanged to the patient in question, an individual who is authorized to make healthcare decisions on the patient’s behalf, or to a healthcare provider who provides care or treatment to the patient when the sale is meant for the purpose of such care.

Additionally, the collection, use, transfer, or sale of patient data by zip code, geographic region, or medical specialty for marketing purposes is permitted, provided it does not contain individual identifying information.

The legislation was first introduced in 2014, after several reports found that some New York emergency service providers may have been selling patient information for fundraising and marketing purposes.

Passage of this New York law comes on the heels of the July 2019 passage of the New York Stop Hacks and Improve Electronic Security Act, colloquially referred to as the “SHIELD Act.” The SHIELD Act amends existing New York data breach notification and cybersecurity laws to provide greater health information privacy.

