HOUSE OF REPRESENTATIVES

H.B. NO. 1566

THIRTY-SECOND LEGISLATURE, 2024

STATE OF HAWAII

A BILL FOR AN ACT

relating to consumer health data.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

     SECTION 1.  The legislature finds that privacy is a fundamental right and an essential element of individual freedom.  The legislature further finds that information relating to an individual's health conditions or attempts to obtain health care services is among the most personal and sensitive categories of data collected.  While consumer health data is protected by the federal Health Insurance Portability and Accountability Act (HIPAA), HIPAA only covers health data collected by specific health care entities, including most health care providers.  Health data collected by noncovered entities, including certain mobile applications and websites, are not afforded the same protections.

     The purpose of this Act is to close the gap between consumer knowledge and industry practice by providing privacy protections for Hawaii residents and their consumer health data by:

     (1)  Requiring additional disclosures and consumer consent regarding the collection, sharing, and use of consumer health data information;

     (2)  Providing consumers with the right to have their health data deleted;

     (3)  Prohibiting the sale of consumer health data without valid authorization signed by the consumer; and

     (4)  Prohibiting the utilization of a geofence around a facility that provides health care services.

     SECTION 2.  The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows:

"Chapter

consumer health data protection

     §   -1  Definitions.  As used in this chapter:

     "Abortion" shall have the same meaning as defined in section 453-16.

     "Affiliate" means a legal entity that shares common branding with another legal entity and controls, is controlled by, or is under common control with another legal entity.  For the purposes of this definition, "control" or "controlled" means:

     (1)  Ownership of, or the power to vote, more than fifty per cent of the outstanding shares of any class of voting security of a company;

     (2)  Control in any manner over the election of a majority of the directors or individuals exercising similar functions; or

     (3)  The power to exercise controlling influence over the management of a company.

     "Authenticate" means to use reasonable means to determine that a request to exercise any of the rights afforded in this chapter is being made by, or on behalf of, the consumer who is entitled to exercise these consumer rights with respect to the consumer health data at issue.

     "Biometric data" means data that is generated from the measurement or technological processing of an individual's physiological, biological, or behavioral characteristics and that identifies a consumer, whether individually or in combination with other data.  "Biometric data" includes but is not limited to:

     (1)  Imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template can be extracted; or

     (2)  Keystroke patterns or rhythms and gait patterns or rhythms that contain identifying information.

     "Collect" means to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner.

     "Consent" means a clear and affirmative act that signifies a consumer's freely given, specific, informed, opt-in, voluntary, and unambiguous agreement, which may include consent provided by electronic means.

     "Consumer" means a natural person who is either a resident of Hawaii or whose consumer health data is collected in Hawaii and who acts only in an individual or household context, including by any unique identifier.  "Consumer" does not include an individual acting in an employment context.

     "Consumer health data" means personal information that is linked or reasonably linked to a consumer and that identifies the consumer's past, present, or future physical or mental health status.  "Consumer health data" does not include personal information that is used to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that determines that the regulated entity or small business has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.

     "Deceptive design" means a user interface designed or manipulated with the effect of subverting or impairing user autonomy, decision-making, or choice.

     "Deidentified data" means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer, or a device linked to the consumer, if the regulated entity or small business that possesses this data:

     (1)  Takes reasonable measures to ensure that the data cannot be associated with a consumer;

     (2)  Publicly commits to process the data only in a deidentified fashion and not attempt to reidentify the data; and

     (3)  Contractually obligates any recipients of the data to satisfy the criteria for deidentified data.

     "Gender-affirming care information" means personal information relating to seeking or obtaining past, present, or future gender-affirming care services, including but not limited to:

     (1)  Precise location information that could reasonably indicate a consumer's attempt to acquire or receive gender-affirming care services;

     (2)  Efforts to research or obtain gender-affirming care services; or

     (3)  Any gender-affirming care information that is derived, extrapolated, or inferred, including from non-health information, such as proxy, derivative, inferred, emergent, or algorithmic data.

     "Gender-affirming care services" means health services or products that support and affirm an individual's gender identity, including but not limited to social, psychological, behavioral, cosmetic, medical, or surgical interventions.  "Gender-affirming care services" includes but is not limited to treatments for gender dysphoria, gender-affirming hormone therapy, and gender-affirming surgical procedures.

     "Genetic data" means any data, regardless of its format, that concerns a consumer's genetic characteristics.  "Genetic data" includes but is not limited to:

     (1)  Raw sequence data that result from the sequencing of a consumer's complete extracted deoxyribonucleic acid (DNA) or a portion of the extracted DNA;

     (2)  Genotypic and phenotypic information that results from analyzing the raw sequence data; and

     (3)  Self-reported health data that a consumer submits to a regulated entity or small business and that is analyzed in connection with the consumer's raw sequence data.

     "Geofence" means technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data, or any other form of spatial or location detection to establish a virtual boundary around a specific physical location that is two thousand feet or less from the perimeter of the physical location, or to locate a consumer within a virtual boundary.

     "Health care services" means any service provided to a consumer to assess, measure, improve, or learn about a consumer's mental or physical health, including the consumer's physical or mental health status.

     "Homepage" means the introductory page of an internet website and any internet webpage where personal information is collected.  For purposes of an online service, such as a mobile application, "homepage" means the application's platform page or download page, and a link within the application, such as from the application configuration, about, information, or settings page.

     "Person" means natural persons, corporations, trusts, unincorporated associations, and partnerships.  "Person" does not include government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of a government agency.

     "Personal information" means information that identifies or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer, including but not limited to data associated with a persistent unique identifier, such as a cookie ID, an IP address, a device identifier, or any other form of persistent unique identifier.  "Personal information" does not include publicly available information or deidentified data.

     "Physical or mental health status" means a consumer's physical or mental health and includes but is not limited to:

     (1)  Individual health conditions, treatment, diseases, or diagnosis;

     (2)  Social, psychological, behavioral, and medical interventions;

     (3)  Health-related surgeries or procedures;

     (4)  Use or purchase of prescribed medication;

     (5)  Bodily functions, vital signs, symptoms, or measurements of physical or mental health status;

     (6)  Diagnoses or diagnostic testing, treatment, or medication;

     (7)  Gender-affirming care information;

     (8)  Gender-affirming care services;

     (9)  Reproductive or sexual health information;

    (10)  Reproductive or sexual health information;

    (11)  Biometric data;

    (12)  Genetic data;

    (13)  Precise location information that could reasonably indicate a consumer's attempt to acquire or receive health care services or supplies;

    (14)  Data that identifies a consumer seeking health care services; or

    (15)  Any information that a regulated entity or small business, or their respective processor, processes to associate or identify a consumer with the consumer's health data that is derived or extrapolated from non-health information such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning.

     "Precise location information" means information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet.  "Precise location information" does not include the content of communications, or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

     "Process" or "processing" means any operation or set of operations performed on consumer health data.

     "Processor" means a person that processes consumer health data on behalf of a regulated entity or small business.

     "Publicly available information" means information that is lawfully made available through federal, state, or county government records or widely distributed media and for which a regulated entity or small business has a reasonable basis to believe the consumer has lawfully made available to the general public.  "Publicly available information" does not include any biometric data collected about a consumer by a business without the consumer's consent.

     "Regulated entity" means any legal entity that:

     (1)  Conducts business in Hawaii or produces or provides products or services that are targeted to consumers in Hawaii; and

     (2)  Alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.

"Regulated entity" does not include government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of the government agency.

     "Reproductive or sexual health information" means personal information relating to seeking or obtaining past, present, or future reproductive or sexual health services.  "Reproductive or sexual health information" includes but is not limited to:

     (1)  Precise location information that could reasonably indicate a consumer's attempt to acquire or receive reproductive or sexual health services;

     (2)  Efforts to research or obtain reproductive or sexual health services; or

     (3)  Any reproductive or sexual health information that is derived, extrapolated, or inferred, including from non-health information such as proxy, derivative, inferred, emergent, or algorithmic data.

     "Reproductive or sexual health services" means health services or products that support or relate to a consumer's reproductive system or sexual well-being, including but not limited to:

     (1)  Individual health conditions, status, disease, or diagnosis;

     (2)  Social, psychological, behavioral, and medical interventions;

     (3)  Health-related surgeries or procedures, including but not limited to abortions;

     (4)  Use or purchase of medication, including but not limited to medications for the purposes of abortion;

     (5)  Bodily functions, vital signs, symptoms, or measurements of reproductive or sexual health status or information;

     (6)  Diagnoses or diagnostic testing, treatment, or medication; and

     (7)  Medical or nonmedical services related to and provided in conjunction with an abortion, including but not limited to associated diagnostics, counseling, supplies, and follow-up services.

     "Sell" or "sale" means the exchange of consumer health data for monetary or other valuable consideration.  "Sell" or "sale" does not include the exchange of consumer health data for monetary or other valuable consideration:

     (1)  To a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the regulated entity's or small business's assets that complies with the requirements and obligations in this chapter; or

     (2)  By a regulated entity or small business to a processor when the exchange is consistent with the purpose for which the consumer health data was collected and disclosed to the consumer.

     "Share" or "sharing" means to release, disclose, disseminate, divulge, make available, provide access to, license, or otherwise communicate orally, in writing, or by electronic or other means, consumer health data by a regulated entity or small business to a third party or affiliate.  "Share" or "sharing" does not include:

     (1)  The disclosure of consumer health data by a regulated entity or small business to a processor when sharing is to provide goods or services in a manner consistent with the purpose for which the consumer health data was collected and disclosed to the consumer;

     (2)  The disclosure of consumer health data to a third party with whom the consumer has a direct relationship when:

          (A)  The disclosure is for the purposes of providing a product or service requested by the consumer;

          (B)  The regulated entity or the small business maintains control and ownership of the data; and

          (C)  The third party uses the consumer health data only at direction from the regulated entity or small business and consistent with the purposes for which it was collected and consented to by the consumer; or

     (3)  The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the regulated entity's or small business's assets and complies with the requirements and obligations of this chapter.

     "Small business" means a regulated entity that:

     (1)  Collects, processes, sells, or shares consumer health data of less than one hundred thousand consumers during a calendar year; or

     (2)  Derives less than fifty per cent of gross revenue from the collection, processing, selling, or sharing of consumer health data, and controls, processes, sells, or shares consumer health data of less than twenty-five thousand consumers.

     "Third party" means an entity other than a consumer, regulated entity, processor, small business, or affiliate of the regulated entity or small business.

     §   -2  Consumer health data privacy policy; disclosure; requirements.  (a)  Beginning           , 2025, a regulated entity or small business shall maintain a consumer health data privacy policy that clearly and conspicuously discloses:

     (1)  The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used;

     (2)  The categories of sources from which the consumer health data is collected;

     (3)  The categories of consumer health data that is shared;

     (4)  A list of the categories of third parties and specific affiliates with whom the regulated entity or small business shares the consumer health data; and

     (5)  How a consumer can exercise the rights provided in section    -4.

     (b)  A regulated entity or small business shall prominently display a link to its consumer health data privacy policy on its homepage.

     (c)  A regulated entity or small business shall not collect, use, or share additional categories of consumer health data not disclosed in the consumer health data privacy policy without first disclosing the additional categories and obtaining the consumer's affirmative consent prior to the collection, use, or sharing of the consumer health data.

     (d)  A regulated entity or small business shall not collect, use, or share consumer health data for additional purposes not disclosed in the consumer health data privacy policy without first disclosing the additional purposes and obtaining the consumer's affirmative consent prior to the collection, use, or sharing of the consumer health data.

     (e)  It is a violation of this chapter for a regulated entity or small business to contract with a processor to process consumer health data in a manner that is inconsistent with the regulated entity's or small business's consumer health data privacy policy.

     §   -3  Consumer health data; collection; sharing; consent.  (a)  Beginning           , 2025, a regulated entity or small business shall not collect any consumer health data except:

     (1)  With consent from the consumer for the collection of the consumer health data for a specified purpose; or

     (2)  To the extent necessary to provide a product or service that the consumer to whom the consumer health data relates has requested from the regulated entity or small business.

     (b)  No regulated entity or small business shall share any consumer health data except:

     (1)  With consent from the consumer for the sharing that is separate and distinct from the consent obtained to collect consumer health data; or

     (2)  To the extent necessary to provide a product or service that the consumer to whom the consumer health data relates has requested from the regulated entity or small business.

     (c)  Consent required under this section shall be obtained prior to the collection or sharing, as applicable, of any consumer health data.  The request for consent shall clearly and conspicuously disclose:

     (1)  The categories of consumer health data collected or shared;

     (2)  The purpose of the collection or sharing of the consumer health data, including the specific ways in which the consumer health data will be used;

     (3)  The categories of entities with whom the consumer health data is shared; and

     (4)  How the consumer can withdraw consent from future collection or sharing of the consumer's health data.

     (d)  For purposes of this chapter, consent shall not be obtained by:

     (1)  A consumer's acceptance of a general or broad terms of use agreement or a similar document that contains descriptions of personal data processing along with other unrelated information;

     (2)  A consumer hovering over, muting, pausing, or closing a given piece of content; or

     (3)  A consumer's agreement obtained through the use of deceptive designs.

     (e)  A regulated entity or small business shall not unlawfully discriminate against a consumer for exercising any rights included in this chapter.

     §   -4  Consumer rights.  (a)  Beginning           , 2025, a consumer shall have the right to:

     (1)  Confirm whether a regulated entity or small business is collecting, sharing, or selling consumer health data concerning the consumer;

     (2)  Access the consumer health data collected, shared, or sold by the regulated entity or small business, including:

          (A)  A list of all third parties and affiliates with whom the regulated entity or small business has shared or sold the consumer health data; and

          (B)  An active email address or other online mechanism that the consumer may use to contact the third parties and affiliates to whom the regulated entity or small business has shared or sold the consumer health data;

     (3)  Withdraw consent from the regulated entity's or small business's collection and sharing of consumer health data concerning the consumer; and

     (4)  Have the consumer health data concerning the consumer deleted.

     (b)  A consumer may exercise the right to have consumer health data deleted by informing the regulated entity or small business of the consumer's request for deletion.  Upon being informed by the consumer that the consumer is exercising the right to have the consumer's consumer health data deleted, the regulated entity or small business shall:

     (1)  Delete the consumer health data from its records, including from all parts of the regulated entity's or small business's network, including archived or backup systems; provided that if the consumer health data is stored on archived or backup systems, then the request for deletion may be delayed to enable restoration of the archived or backup systems; provided further that the delay shall not exceed six months from authenticating the deletion request; and

     (2)  Notify all affiliates, processors, contractors, and other third parties with whom the regulated entity or small business has shared consumer health data of the deletion request; provided that upon receipt of notice by the affiliate, processor, contractor, or other third party of the consumer's deletion request, the affiliate, processor, contractor, or other third party shall honor the consumer's deletion request and delete the consumer health data from its records, subject to the same requirements of this chapter applicable to a regulated entity or small business.

     (c)  A consumer may exercise the rights set forth in this section by submitting a request, at any time, to a regulated entity or small business.  The request shall be made by a secure and reliable means established by the regulated entity or small business and described in its consumer health data privacy policy.  The method shall take into account the ways in which consumers normally interact with the regulated entity or small business, the need for secure and reliable communication of the requests, and the ability of the regulated entity or small business to authenticate the identity of the consumer making the request.  The regulated entity or small business shall not require the consumer to create a new account to exercise the consumer rights under this section, but may require the consumer to use an existing account.

     (d)  If a regulated entity or small business is unable to authenticate the request using commercially reasonable efforts, the regulated entity or small business shall not be required to comply with a request to initiate an action under this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request.

     (e)  Information provided in response to a consumer request shall be provided by a regulated entity or small business free of charge, up to twice annually per consumer.  If requests from a consumer are manifestly unfounded, excessive, or repetitive, the regulated entity or small business may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request.  The regulated entity or small business shall bear the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.

     (f)  A regulated entity or small business shall comply with the consumer's requests under subsection (a) within forty-five days of receipt of the request submitted pursuant to subsection (c); provided that any steps taken to authenticate a consumer request shall not extend the forty-five day requirement of this subsection.  The response period may be extended by an additional forty-five days when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as the regulated entity or small business informs the consumer of any extension within the initial forty-five-day period, together with the reason for the extension.

     (g)  A regulated entity or small business shall establish a process for a consumer to appeal the regulated entity's or small business's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the refusal.  The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section.  Within forty-five days of receipt of an appeal, the regulated entity or small business shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions.  If the appeal is denied, the regulated entity or small business shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the attorney general to submit a complaint.

     §   -5  Access to consumer data.  Beginning           , 2025, a regulated entity or small business shall:

     (1)  Restrict access to consumer health data by the employees, processors, and contractors of the regulated entity or small business to only those employees, processors, and contractors for which access is necessary to further the purposes for which the consumer provided consent or, where necessary, to provide a product or service that the consumer to whom the consumer health data relates has requested from the regulated entity or small business; and

     (2)  Establish, implement, and maintain administrative, technical, and physical data security practices that, at a minimum, satisfy reasonable standards of care within the regulated entity's or small business's industry to protect the confidentiality, integrity, and accessibility of consumer health data appropriate to the volume and nature of the consumer health data at issue.

     §   -6  Consumer health data; processors.  (a)  Beginning           , 2025, a processor shall only process consumer health data pursuant to a binding contract between the processor and the regulated entity or small business that sets forth the processing instructions and limits the actions the processor takes with respect to the consumer health data it is processing; provided that the processor shall only process the consumer health data in the manner provided by the binding contract between the processor and the regulated entity or small business.

     (b)  The processor shall, so far as possible, assist the regulated entity or small business by appropriate technical and organizational measures to fulfill the regulated entity's or small business's obligations under this chapter.

     (c)  Failure by the processor to adhere to the regulated entity's or small business's instructions or process consumer health data in a manner that is within the scope of the processor's contract with the regulated entity or small business shall result in the processor being considered a regulated entity or small business for purposes of the requirements of this chapter.

     §   -7  Sale of data; valid authorization required.  (a)  Beginning           , 2025, it shall be unlawful for any person to sell or offer to sell consumer health data without first obtaining valid authorization from the consumer whom the consumer health data concerns.  Any sale of consumer health data shall be consistent with the valid authorization signed by the consumer.  The authorization by the consumer shall be separate and distinct from the consumer's consent to collect health data pursuant to section    -3.

     (b)  A valid authorization to sell consumer health data shall be provided in a written document in plain language and shall include the following:

     (1)  The specific consumer health data concerning the consumer that the person intends to sell;

     (2)  The name and contact information of the person collecting and selling the consumer health data;

     (3)  The name and contact information of the person purchasing the consumer health data identified in paragraph (2);

     (4)  A description of the purposes for the sale, including how the consumer health data will be gathered and how the consumer health data will be used by the purchaser identified in paragraph (3) when sold;

     (5)  A statement that the provision of goods or services shall not be conditioned on the consumer signing the valid authorization;

     (6)  A statement that the consumer has a right to revoke the valid authorization at any time and a description of how to submit a revocation of that valid authorization;

     (7)  A statement that the consumer health data sold pursuant to the valid authorization may be subject to redisclosure by the purchaser and may no longer be protected by this section;

     (8)  An expiration date for the valid authorization that expires one year from when the consumer signs the valid authorization; and

     (9)  The signature of the consumer and date on which the valid authorization was signed.

     (c)  Authorization shall not be valid if:

     (1)  The expiration date of the document has passed;

     (2)  The authorization does not include all the information required by this section;

     (3)  The consumer has revoked the authorization;

     (4)  The authorization has been combined with other documents to create a compound authorization; or

     (5)  The provision of goods or services is conditioned on the consumer signing the authorization.

     (d)  A copy of the signed valid authorization must be provided to the consumer.

     (e)  The seller and purchaser of consumer health data shall retain a copy of all valid authorizations for sale of consumer health data for six years from the date of the signature on the authorization or the date when the authorization was last in effect, whichever is later.

     §   -8  Geofencing prohibited.  It shall be unlawful for any person to implement a geofence around an entity that provides in-person health care services where the geofence is used to:

     (1)  Identify or track consumers seeking health care services;

     (2)  Collect consumer health data from consumers; or

     (3)  Send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.

     §   -9  Unfair competition; unfair or deceptive acts or practices.  Any person who violates this chapter shall be deemed to have engaged in an unfair method of competition and unfair or deceptive act or practice in the conduct of any trade or commerce within the meaning of section 480-2 and shall be subject to penalties and remedies under chapter 480.

     §   -10  Exceptions.  (a)  This chapter shall not apply to:

     (1)  Information that meets the definition of:

          (A)  Protected health information for the purposes of the Health Insurance Portability and Accountability Act of 1996 and the regulations adopted thereunder;

          (B)  Patient identifying information collected, used, or disclosed in accordance with title 21 Code of Federal Regulations part 50, title 21 Code of Federal Regulations part 56, title 42 Code of Federal Regulations part 2, and title 45 Code of Federal Regulations part 46;

          (C)  Identifiable private information that is otherwise information collected as part of human subjects research pursuant to the Good Clinical Practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use;

          (D)  De-identified information collected for the purposes of chapter 323B;

          (E)  De-identified information collected for the purposes of the all-claims, all-payer database established pursuant to section 346-421(d);

          (F)  Patient safety work product for the purposes of title 42 Code of Federal Regulations part 3; and

          (G)  Information that is de-identified in accordance with the requirements for de-identification pursuant to title 45 Code of Federal Regulations part 165.

     (2)  Information and documents created specifically for, and collected and maintained by:

          (A)  A professional review body for purposes of chapter 671D;

          (B)  A quality assurance committee for purposes of section 663-1.7; or

          (C)  A health care facility for reporting of health care-associated infections pursuant to section 325-2.5;

     (3)  Information and documents created for the purposes of the federal Health Care Quality Improvement Act of 1986 and the regulations adopted thereunder;

     (4)  Information originating from, and intermingled to be indistinguishable with, information under paragraphs (1) and (2) that is maintained by:

          (A)  A health care facility or health care provider;

          (B)  A program or qualified service organization defined by title 42 Code of Federal Regulations part 2; or

          (C)  Information that is used only for public health activities and purposes as described in title 45 Code of Federal Regulations section 164.512, or that is part of a limited data set and is used, disclosed, and maintained in the manner required by title 45 Code of Federal Regulations section 164.514; and

     (5)  Personal information that is governed by and collected, used, or disclosed pursuant to the following federal laws and regulations:

          (A)  The Gramm-Leach-Bliley Act (32 U.S.C. 6801 et seq.) and implementing regulations;

          (B)  Part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.);

          (C)  The Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) and implementing regulations; and

          (D)  The Family Educational Rights and Privacy Act (20 U.S.C. 1232g) and implementing regulations.

     (b)  Nothing in this chapter shall be construed to prohibit a regulated entity, small business, or processor from collecting, using, or disclosing consumer health data to prevent, detect, protect against, or respond to security incidents; identity theft, fraud, harassment, malicious or deceptive activities, or any other activity that is illegal under state or federal law; preserve the integrity or security of systems; or investigate, report, or prosecute persons responsible for any action that is illegal under state or federal law; provided that if a regulated entity or small business processes consumer health data pursuant to this subsection, the regulated entity or small business shall bear the burden of demonstrating that the processing of consumer health data qualifies for the exemption and complies with the requirements of this section."

     SECTION 3.  If any provision of this Act, or the application thereof to any person or circumstance, is held invalid, the invalidity does not affect other provisions or applications of the Act that can be given effect without the invalid provision or application, and to this end the provisions of this Act are severable.

     SECTION 4.  This Act shall take effect upon its approval.


INTRODUCED BY:

_____________________________

Report Title:

Consumer Health Data; Protections; Valid Authorization; Sale of Data; Consumer Rights; Geofencing

Description:

Establishes requirements, including additional disclosures and consumer consent regarding the collection, sharing, and use of consumer health data information.  Establishes rights for consumers regarding their health data, including the right to have health data deleted.  Prohibits the sale of consumer health data without a consumer's signed valid authorization.  Prohibits the erection of a geofence around health care centers.

The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.