N.Y. Public Health Law § 2183
2. Any covered entity that requires the use of an immunity passport shall delete any personal information derived from the immunity passport about the individual to whom the immunity passport pertains within twenty-four hours of receiving it, except that where a covered entity has an ongoing relationship with an individual, the covered entity may store the fact that the individual has received a COVID-19 vaccine, as well as a copy of the individual's immunity passport, provided that:
4.
(a) Except as provided in this subdivision, no covered entity or immunity passport provider may: