103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
HB3603

 

Introduced 2/17/2023, by Rep. Ann M. Williams

 

SYNOPSIS AS INTRODUCED:
 
New Act

    Amends the Protect Health Data Privacy Act. Provides that a regulated entity shall disclose and maintain a health data privacy policy that, in plain language, clearly and conspicuously disclosures specified information. Provides that a regulated entity shall prominently publish its health data privacy policy on its website homepage. Provides that a regulated entity shall not collect, share, sell, or store categories of health data not disclosed in the health data privacy policy without first disclosing the categories of health data and obtaining the consumer's consent prior to the collection, sharing, selling, or storing of such data. Prohibits the collection, sharing, selling, or storing of health data. Describes the regulated entity's duty to obtain consent; the consumer's right to withdraw consent; prohibitions on discrimination; prohibitions on geofencing; a private right of action; enforcement by the Attorney General; and conflicts with other laws. Makes other changes.


LRB103 29143 CPF 55529 b

 

 

A BILL FOR

 

HB3603LRB103 29143 CPF 55529 b

1    AN ACT concerning safety.
 
2    Be it enacted by the People of the State of Illinois,
3represented in the General Assembly:
 
4    Section 1. Short title. This Act may be cited as the
5Protect Health Data Privacy Act.
 
6    Section 5. Definitions. As used in this Act:
7    "Collect" means to buy, rent, lease, access, retain,
8receive, acquire, or otherwise process health data in any
9manner.
10    "Consent" means a clear affirmative act by a consumer that
11unambiguously communicates the consumer's express, freely
12given, informed, opt-in, voluntary, specific, and unambiguous
13written agreement, which may include written consent provided
14by electronic means, to the collection, sale, sharing or
15storage of health data. Consent may not be implied, and
16consent cannot be obtained by:
17        (1) acceptance of a general or broad terms of use
18    agreement or a similar document that contains descriptions
19    of personal data processing along with other, unrelated
20    information;
21        (2) hovering over, muting, pausing, or closing a given
22    piece of digital content; or
23        (3) agreement obtained through the use of deceptive

 

 

HB3603- 2 -LRB103 29143 CPF 55529 b

1    designs.
2    "Consumer" means a person who is a resident of the State,
3however identified, including by any unique identifier. A
4person located in the State when the person's health data is
5collected by a regulated entity will create a presumption that
6the person is a resident of the State for purposes of enforcing
7this Act.
8    "Deceptive design" means any user interface or element
9thereof that has the effect of subverting, impairing, or
10impeding an individual's autonomy, decision-making, or choice.
11    "Deidentified data" means data that cannot be used to
12infer information about, or otherwise be linked to, an
13identified or identifiable individual, or a device linked to
14such individual. A regulated entity that possesses
15deidentified data shall: (i) take reasonable measures to
16ensure that such data cannot be associated with an individual;
17(ii) publicly commit to process such data only in a
18deidentified fashion and not attempt to reidentify such data;
19and, (iii) contractually obligate any recipients of such data
20to satisfy the criteria set forth in items (i) and (ii).
21    "Geofence" means technology that uses global positioning
22coordinates, cell tower connectivity, cellular data, radio
23frequency identification, wireless Internet data, or any other
24form of location detection to establish a virtual boundary
25around a specific physical location.
26    "Health data" means information regarding, relating to,

 

 

HB3603- 3 -LRB103 29143 CPF 55529 b

1derived, or extrapolated from the past, present, or future
2physical or mental health of a consumer, including, but not
3limited to, any information relating to:
4        (1) individual health conditions, treatment, status,
5    diseases, or diagnoses;
6        (2) health related surgeries or procedures;
7        (3) use or purchase of medication;
8        (4) social, psychological, behavioral, and medical
9    interventions;
10        (5) bodily functions, vital signs, measurements, or
11    symptoms;
12        (6) diagnoses or diagnostic testing, treatment, or
13    medication;
14        (7) efforts to research or obtain health services or
15    supplies;
16        (8) health services or products that support or relate
17    to lawful health care, as defined by Public Act 102-1117;
18        (9) location information that could reasonably
19    indicate a consumer's attempt to acquire or receive health
20    services or supplies; and
21        (10) any information described in paragraphs (1)
22    through (9) that is derived or extrapolated from nonhealth
23    information, including by use of algorithms or machine
24    learning.
25    "Health data" does not include personal information
26collected with the consumer's consent that is used to engage

 

 

HB3603- 4 -LRB103 29143 CPF 55529 b

1in public or peer-reviewed scientific, historical, or
2statistical research in the public interest that adheres to
3all other applicable ethics and privacy laws and is approved,
4monitored, and governed by an institutional review board,
5human subjects research ethics review board, or a similar
6independent oversight entity that determines that the
7regulated entity has implemented reasonable safeguards to
8mitigate privacy risks associated with research, including any
9risks associated with reidentification.
10    "Health services" means any service, medical care, or
11information related to a consumer's health data provided to a
12consumer.
13    "Homepage" means the introductory page of an Internet
14website and any Internet web page where personal information
15is collected. In the case of an online service, such as a
16mobile application, homepage means the application's platform
17page or download page, such as from the application
18configuration, "About," "Information," or settings page, and
19any other location that allows consumers to review the notice.
20    "Personal information" means information that identifies,
21relates to, describes, is reasonably capable of being
22associated with, or linked, directly or indirectly, with a
23particular consumer or household. "Personal information" does
24not include publicly available information or deidentified
25data. "Publicly available" means information that is lawfully
26made available from federal, State, or local government

 

 

HB3603- 5 -LRB103 29143 CPF 55529 b

1records.
2    "Regulated entity" means any individual, partnership,
3corporation, limited liability company, association, or other
4group, however organized, that: (i) conducts business in the
5State or produces products or services that are available to
6consumers in the State, and (ii) for any purpose, handles,
7collects, shares, sells, stores or otherwise deals with health
8data. "Regulated entity" does not mean government agencies,
9tribal nations, a clerk of the court, or a judge or justice
10thereof.
11    "Sell" or "sale" means when a regulated entity, directly
12or indirectly, receives any form of remuneration or other
13valuable consideration from the use of health data or from the
14recipient of the health data in exchange for the health data.
15"Sell" does not include:
16        (1) the sharing of health data to a recipient where
17    the regulated entity maintains control and ownership of
18    the health data;
19        (2) the sharing of health data to comply with
20    applicable laws or regulations;
21        (3) the recipient uses the health data only at the
22    direction of the regulated entity and consistent with the
23    purpose for which it was collected and disclosed to the
24    consumer; and
25        (4) the transfer of health data to a third party as an
26    asset as part of a merger, acquisition, bankruptcy, or

 

 

HB3603- 6 -LRB103 29143 CPF 55529 b

1    other transaction in which the third party assumes control
2    of all or part of the regulated entity's assets that shall
3    comply with the requirements and obligations in this Act.
4    "Share" means to release, disclose, disseminate, divulge,
5loans, make available, provide access to, license, or
6otherwise communicate orally, in writing, or by electronic or
7other means, health data by a regulated entity to a third party
8except where the regulated entity maintains exclusive control
9and ownership of the health data. "Share" does not include:
10        (1) the disclosure of health data to an entity who
11    collects or processes the personal data on behalf of the
12    regulated entity, when the regulated entity maintains
13    control and ownership of the data and the third party
14    maintains or uses the health data only for the regulated
15    entity's distinct purposes;
16        (2) the disclosure of health data to a third party
17    with whom the consumer has a direct relationship for
18    purposes of and only to the extent necessary for providing
19    a product or service requested by the consumer when the
20    regulated entity maintains control and ownership of the
21    data and the third party maintains or uses the health data
22    only for the regulated entity's distinct purposes; or
23        (3) the disclosure or transfer of personal data to a
24    third party as an asset that is part of a merger,
25    acquisition, bankruptcy, or other transaction in which the
26    third party assumes control of all or part of the

 

 

HB3603- 7 -LRB103 29143 CPF 55529 b

1    regulated entity's assets and shall comply with the
2    requirements and obligations in this Act.
3    "Third party" means an entity other than a consumer,
4regulated entity, service provider, or affiliate of the
5regulated entity.
 
6    Section 10. Scope.
7    (a) This Act applies to consumers seeking, researching, or
8obtaining health services within the State, or information
9about health services available in the State and regulated
10entities.
11    (b) This Act does not affect an individual's right to
12voluntarily share the individual's own health care information
13with another person.
 
14    Section 15. Health data privacy policy required.
15    (a) A regulated entity shall disclose and maintain a
16health data privacy policy that, in plain language, clearly
17and conspicuously discloses:
18        (1) the specific types of health data collected and
19    the purpose for which the data is collected and used;
20        (2) the categories of sources from which the health
21    data is collected;
22        (3) the specific types of health data that are shared,
23    sold, and stored;
24        (4) the categories of third parties with whom the

 

 

HB3603- 8 -LRB103 29143 CPF 55529 b

1    regulated entity collects, shares, sells, and stores
2    health data, and the process to withdraw consent from
3    having health data collected, shared, sold, and stored;
4        (5) a list of the specific third parties to which the
5    regulated entity shares health data, and an active
6    electronic mail address or other online mechanism that the
7    consumer may use to contact these third parties free of
8    charge;
9        (6) how a consumer may exercise the rights provided in
10    this Act, including, but not limited to, identifying 2 or
11    more designated methods for a consumer to contact the
12    regulated entity in connection with the exercise of any
13    rights provided in this Act;
14        (7) the length of time the regulated entity intends to
15    retain each category of health data, or if that is not
16    possible, the criteria used to determine that period
17    provided that a regulated entity shall not retain health
18    data for each disclosed purpose for which the health data
19    was collected for longer than is reasonably necessary to
20    fulfill that disclosed purpose; and
21        (8) whether the regulated entity collects health data
22    when the consumer is not directly interacting with the
23    regulated entity or its services.
24    (b) A regulated entity shall prominently publish its
25health data privacy policy on its website homepage. Such
26health data privacy policy must be distinguishable from other

 

 

HB3603- 9 -LRB103 29143 CPF 55529 b

1matters.
2    (c) A regulated entity shall not collect, share, sell, or
3store additional categories of health data not disclosed in
4the health data privacy policy without first disclosing the
5additional categories of health data and obtaining the
6consumer's consent prior to the collection, sharing, selling,
7or storing of such health data.
8    (d) A regulated entity shall not collect, share, sell, or
9store health data for additional purposes not disclosed in the
10health data privacy policy without first disclosing the
11additional purposes and obtaining the consumer's affirmative
12consent prior to the collection, sharing, selling, or storing
13of such health data.
14    (e) It is a violation of this Act for a regulated entity to
15contract with a service provider to process consumer health
16data in a manner that is inconsistent with the regulated
17entity's consumer health data privacy policy.
 
18    Section 20. Prohibition on collection, sharing, selling,
19or storing of health data.
20    (a) A regulated entity shall not collect health data,
21except:
22        (1) with the consent of the consumer to whom such
23    information relates for a specified purpose; or
24        (2) as is strictly necessary to provide a product or
25    service that the consumer to whom such health data relates

 

 

HB3603- 10 -LRB103 29143 CPF 55529 b

1    has specifically requested from such regulated entity.
2    (b) A regulated entity shall not share any health data
3except:
4        (1) with consent from the consumer for such sharing
5    that is separate and distinct from the consent obtained to
6    collect health data; or
7        (2) to the extent strictly necessary to provide a
8    product or service that the consumer to whom such health
9    data relates has specifically requested from such
10    regulated entity.
11    (c) A regulated entity shall not sell health data to any
12third party without entering into a separate written agreement
13with the consumer to whom such health data relates, in which
14the consumer expressly consents to and authorizes the
15regulated entity to sell such health data.
16    (d) A regulated entity shall not store any health data
17except:
18        (1) with consent from the consumer for such sharing
19    that is separate and distinct from the consent obtained to
20    collect health data; or
21        (2) to the extent strictly necessary to provide a
22    product or service that the consumer to whom such health
23    data relates has specifically requested from such
24    regulated entity.
 
25    Section 25. Consent required.

 

 

HB3603- 11 -LRB103 29143 CPF 55529 b

1    (a) A regulated entity shall not seek consent to collect,
2share, sell, or store health data without first disclosing its
3health data privacy policy as required under Section 15.
4    (b) Consent obtained prior to collection, sharing,
5selling, or storing. Consent required under this Section must
6be obtained prior to the collection, sharing, selling, or
7storing, as applicable, of any health data, and the request
8for consent must clearly and conspicuously disclose, separate
9and apart from its health data privacy policy:
10        (1) the categories of health data collected, sold,
11    shared, or stored;
12        (2) the purpose of the collection, selling, sharing,
13    or storage of the health data, including the specific ways
14    in which it will be used; and
15        (3) how the consumer can withdraw consent from future
16    collection, selling, sharing or storage of their health
17    data.
18    (c) Consent required under this Section must be obtained
19prior to the use of any health data for any purpose not
20specified prior to obtaining a consumer's consent for the use
21of such health data for any new purpose.
 
22    Section 30. Right to withdraw consent. A consumer has the
23right to withdraw consent from the collection and sharing of
24the consumer's health data.
 

 

 

HB3603- 12 -LRB103 29143 CPF 55529 b

1    Section 35. Prohibition on discrimination. It shall be
2unlawful for a regulated entity to discriminate against a
3consumer solely because they have not provided consent
4pursuant to this Act, or have exercised any other rights
5provided by this Act or guaranteed by law. Discrimination
6includes, but is not limited to:
7        (1) providing different, or a different level or
8    quality of, goods or services to the consumer;
9        (2) denying or limiting goods or services to the
10    consumer;
11        (3) imposing additional requirements or restrictions
12    on the individual that would not be necessary if the
13    consumer provided their consent;
14        (4) providing materially different treatment to
15    consumers who provide consent as compared to consumers who
16    do not provide consent;
17        (5) suggesting that the consumer will receive a
18    different price or rate for goods or services or a
19    different level or quality of goods or services; or
20        (6) charging different prices or rates for goods or
21    services, including through the use of discounts or other
22    benefits or imposing penalties.
 
23    Section 40. Right to confirm. A consumer has the right to
24confirm whether a regulated entity is collecting, selling,
25sharing, or storing any of the consumer's health data, and to

 

 

HB3603- 13 -LRB103 29143 CPF 55529 b

1confirm that a regulated entity has deleted the consumer's
2health data following a deletion request pursuant to Section
345 of this Act. A regulated entity that receives a consumer
4request to confirm shall respond within 30 calendar days from
5receiving the request to confirm from the consumer. The
6regulated entity shall, without reasonable delay, promptly
7take all steps necessary to verify the consumer's request, but
8this shall not extend the regulated entity's duty to respond
9within 30 days of receipt of the consumer's request. The time
10period to provide the required confirmation may be extended
11once by an additional 30 calendar days when reasonably
12necessary, provided the consumer is provided notice of the
13extension within the first 30-day period.
 
14    Section 45. Right to deletion.
15    (a) A consumer has the right to have the consumer's health
16data that is collected by a regulated entity deleted by
17informing the regulated entity of the consumer's request for
18deletion.
19    (b) A regulated entity that collects health data about
20consumers shall disclose the consumer's rights to request the
21deletion of the consumer's health data.
22    (c) Except as otherwise specified in subsection (f), a
23regulated entity that receives a consumer request to delete
24any of the consumer's health data shall without unreasonable
25delay, and no more than 30 calendar days from receiving the

 

 

HB3603- 14 -LRB103 29143 CPF 55529 b

1deletion request:
2        (1) delete the consumer's health data from its
3    records, including from all parts of the regulated
4    entity's network or backup systems; and
5        (2) notify all service providers, contractors, and
6    third parties with whom the regulated entity has shared
7    the consumer's health data of the deletion request.
8    (d) Any service provider, contractor, and other third
9party that receives notice of a consumer's deletion request
10from a Regulated Entity shall honor the consumer's deletion
11request and delete the health data from the regulated entity's
12records, including from all parts of its network or backup
13systems.
14    (e) A consumer or a consumer's authorized agent may
15exercise the rights set forth in this Act by submitting a
16request, at any time, to a regulated entity. Such a request may
17be made by:
18        (1) contacting the regulated entity through the manner
19    included in its health data privacy policy;
20        (2) by designating an authorized agent who may
21    exercise the rights on behalf of the consumer;
22        (3) in the case of collecting health data of a minor,
23    the minor seeking health services may exercise their
24    rights under this Act, or the parent or legal guardian of
25    the minor, may exercise the rights of this Act on the
26    minor's behalf; or

 

 

HB3603- 15 -LRB103 29143 CPF 55529 b

1        (4) in the case of collecting health data concerning a
2    consumer subject to guardianship, conservatorship, or
3    other protective arrangement under the Probate Act of
4    1975, the guardian or the conservator of the consumer may
5    exercise the rights of this Act on the consumer's behalf.
6    (f) The time period to delete any of the consumer's health
7data may be extended once by an additional 30 calendar days
8when reasonably necessary, provided the consumer is provided
9notice of the extension within the first 30-day period.
 
10    Section 50. Consumer health data security and
11minimization.
12    (a) A regulated entity shall restrict access to health
13data by the employees, service providers, and contractors of
14such regulated entity to only those employees, services
15providers, and contractors for which access is necessary to
16provide a product or service that the consumer to whom such
17health data relates has requested from such regulated entity.
18    (b) A regulated entity shall establish, implement, and
19maintain administrative, technical, and physical data security
20practices that at least satisfy a reasonable standard of care
21within the regulated entity's industry to protect the
22confidentiality, integrity, and accessibility of health data
23appropriate to the volume and nature of the personal data at
24issue.
 

 

 

HB3603- 16 -LRB103 29143 CPF 55529 b

1    Section 55. Prohibition on geofencing.
2    (a) It shall be unlawful for any person to implement a
3geofence that enables the sending of a notification, message,
4alert, or other pieces of information to a consumer that
5enters the perimeter around any entity that provides health
6services.
7    (b) It shall be unlawful for any person to implement a
8geofence around any entity that provides in-person health care
9services where such geofence is used to identify, track, or
10collect data from a consumer that enters the virtual
11perimeter.
 
12    Section 60. Private right of action. Any person aggrieved
13by a violation of this Act shall have a right of action in a
14state circuit court or as a supplemental claim in federal
15district court against an offending party. A prevailing party
16may recover for each violation:
17        (1) against any offending party that negligently
18    violates a provision of this Act, liquidated damages of
19    $1,000 or actual damages, whichever is greater;
20        (2) against any offending party that intentionally or
21    recklessly violates a provision of this Act, liquidated
22    damages of $5,000 or actual damages, whichever is greater;
23        (3) reasonable attorneys' fees and costs, including
24    expert witness fees and other litigation expenses; and
25        (4) other relief, including an injunction, as the

 

 

HB3603- 17 -LRB103 29143 CPF 55529 b

1    State or federal court may deem appropriate.
 
2    Section 65. Enforcement by the Attorney General. The
3Attorney General may enforce a violation of this Act as an
4unlawful practice under the Consumer Fraud and Deceptive
5Business Practices Act. All rights and remedies provided the
6Attorney General under the Consumer Fraud and Deceptive
7Business Practices Act shall be available for enforcement of a
8violation of this Act.
 
9    Section 70. Conflict with other laws.
10    (a) Nothing in this Act shall be construed to conflict
11with the Health Insurance Portability and Accountability Act
12of 1996.
13    (b) Nothing in this Act shall be construed to prohibit
14disclosure as required under the Adult Protective Services
15Act, the Abused and Neglected Child Reporting Act, the
16Criminal Code of 2012, and the Disclosure of Offenses Against
17Children Act.
18    (c) If any provision of this Act, or the application
19thereof to any person or circumstance, is held invalid, the
20remainder of this Act and the application of such provision to
21other persons not similarly situated or to other circumstances
22shall not be affected by the invalidation.