Full Text of HB3603 103rd General Assembly
HB3603 103RD GENERAL ASSEMBLY |
| | 103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024 HB3603 Introduced 2/17/2023, by Rep. Ann M. Williams SYNOPSIS AS INTRODUCED: |
| |
Amends the Protect Health Data Privacy Act. Provides that a regulated entity shall disclose and maintain a health data privacy policy that, in plain language, clearly and conspicuously disclosures specified information. Provides that a regulated entity shall prominently publish its health data privacy policy on its website homepage. Provides that a regulated entity shall not collect, share, sell, or store categories of health data not disclosed in the health data privacy policy without first disclosing the categories of health data and obtaining the consumer's consent prior to the collection, sharing, selling, or storing of such data. Prohibits the collection, sharing, selling, or storing of health data. Describes the regulated entity's duty to obtain consent; the consumer's right to withdraw consent; prohibitions on discrimination; prohibitions on geofencing; a private right of action; enforcement by the Attorney General; and conflicts with other laws. Makes other changes.
|
| |
| | A BILL FOR |
|
| | | HB3603 | | LRB103 29143 CPF 55529 b |
|
| 1 | | AN ACT concerning safety.
| 2 | | Be it enacted by the People of the State of Illinois,
| 3 | | represented in the General Assembly:
| 4 | | Section 1. Short title. This Act may be cited as the | 5 | | Protect Health Data Privacy Act. | 6 | | Section 5. Definitions.
As used in this Act:
| 7 | | "Collect" means to buy, rent, lease, access, retain, | 8 | | receive, acquire, or otherwise process health data in any | 9 | | manner.
| 10 | | "Consent" means a clear affirmative act by a consumer that | 11 | | unambiguously communicates the consumer's express, freely | 12 | | given, informed, opt-in, voluntary, specific, and unambiguous | 13 | | written agreement, which may include written consent provided | 14 | | by electronic means, to the collection, sale, sharing or | 15 | | storage of health data.
Consent may not be implied, and | 16 | | consent cannot be obtained by:
| 17 | | (1) acceptance of a general or broad terms of use | 18 | | agreement or a similar document that contains descriptions | 19 | | of personal data processing along with other, unrelated | 20 | | information;
| 21 | | (2) hovering over, muting, pausing, or closing a given | 22 | | piece of digital content; or
| 23 | | (3) agreement obtained through the use of deceptive |
| | | HB3603 | - 2 - | LRB103 29143 CPF 55529 b |
|
| 1 | | designs.
| 2 | | "Consumer" means a person who is a resident of the State, | 3 | | however identified, including by any unique identifier. A | 4 | | person located in the State when the person's health data is | 5 | | collected by a regulated entity will create a presumption that | 6 | | the person is a resident of the State for purposes of enforcing | 7 | | this Act.
| 8 | | "Deceptive design" means any user interface or element | 9 | | thereof that has the effect of subverting, impairing, or | 10 | | impeding an individual's autonomy, decision-making, or choice.
| 11 | | "Deidentified data" means data that cannot be used to | 12 | | infer information about, or otherwise be linked to, an | 13 | | identified or identifiable individual, or a device linked to | 14 | | such individual. A regulated entity that possesses | 15 | | deidentified data shall: (i) take reasonable measures to | 16 | | ensure that such data cannot be associated with an individual; | 17 | | (ii) publicly commit to process such data only in a | 18 | | deidentified fashion and not attempt to reidentify such data; | 19 | | and, (iii) contractually obligate any recipients of such data | 20 | | to satisfy the criteria set forth in items (i) and (ii).
| 21 | | "Geofence" means technology that uses global positioning | 22 | | coordinates, cell tower connectivity, cellular data, radio | 23 | | frequency identification, wireless Internet data, or any other | 24 | | form of location detection to establish a virtual boundary | 25 | | around a specific physical location.
| 26 | | "Health data" means information regarding, relating to, |
| | | HB3603 | - 3 - | LRB103 29143 CPF 55529 b |
|
| 1 | | derived, or extrapolated from the past, present, or future | 2 | | physical or mental health of a consumer, including, but not | 3 | | limited to, any information relating to:
| 4 | | (1) individual health conditions, treatment, status, | 5 | | diseases, or diagnoses;
| 6 | | (2) health related surgeries or procedures;
| 7 | | (3) use or purchase of medication;
| 8 | | (4) social, psychological, behavioral, and medical | 9 | | interventions;
| 10 | | (5) bodily functions, vital signs, measurements, or | 11 | | symptoms;
| 12 | | (6) diagnoses or diagnostic testing, treatment, or | 13 | | medication;
| 14 | | (7) efforts to research or obtain health services or | 15 | | supplies;
| 16 | | (8) health services or products that support or relate | 17 | | to lawful health care, as defined by Public Act 102-1117;
| 18 | | (9) location information that could reasonably | 19 | | indicate a consumer's attempt to acquire or receive health | 20 | | services or supplies; and
| 21 | | (10) any information described in paragraphs (1) | 22 | | through (9) that is derived or extrapolated from nonhealth | 23 | | information, including by use of algorithms or machine | 24 | | learning.
| 25 | | "Health data" does not include personal information | 26 | | collected with the consumer's consent that is used to engage |
| | | HB3603 | - 4 - | LRB103 29143 CPF 55529 b |
|
| 1 | | in public or peer-reviewed scientific, historical, or | 2 | | statistical research in the public interest that adheres to | 3 | | all other applicable ethics and privacy laws and is approved, | 4 | | monitored, and governed by an institutional review board, | 5 | | human subjects research ethics review board, or a similar | 6 | | independent oversight entity that determines that the | 7 | | regulated entity has implemented reasonable safeguards to | 8 | | mitigate privacy risks associated with research, including any | 9 | | risks associated with reidentification.
| 10 | | "Health services" means any service, medical care, or | 11 | | information related to a consumer's health data provided to a | 12 | | consumer.
| 13 | | "Homepage" means the introductory page of an Internet | 14 | | website and any Internet web page where personal information | 15 | | is collected. In the case of an online service, such as a | 16 | | mobile application, homepage means the application's platform | 17 | | page or download page, such as from the application | 18 | | configuration, "About," "Information," or settings page, and | 19 | | any other location that allows consumers to review the notice.
| 20 | | "Personal information" means information that identifies, | 21 | | relates to, describes, is reasonably capable of being | 22 | | associated with, or linked, directly or indirectly, with a | 23 | | particular consumer or household. "Personal information" does | 24 | | not include publicly available information or deidentified | 25 | | data. "Publicly available" means information that is lawfully | 26 | | made available from federal, State, or local government |
| | | HB3603 | - 5 - | LRB103 29143 CPF 55529 b |
|
| 1 | | records.
| 2 | | "Regulated entity" means any individual, partnership, | 3 | | corporation, limited liability company, association, or other | 4 | | group, however organized, that: (i) conducts business in the | 5 | | State or produces products or services that are available to | 6 | | consumers in the State, and (ii) for any purpose, handles, | 7 | | collects, shares, sells, stores or otherwise deals with health | 8 | | data. "Regulated entity" does not mean government agencies, | 9 | | tribal nations, a clerk of the court, or a judge or justice | 10 | | thereof.
| 11 | | "Sell" or "sale" means when a regulated entity, directly | 12 | | or indirectly, receives any form of remuneration or other | 13 | | valuable consideration from the use of health data or from the | 14 | | recipient of the health data in exchange for the health data. | 15 | | "Sell" does not include:
| 16 | | (1) the sharing of health data to a recipient where | 17 | | the regulated entity maintains control and ownership of | 18 | | the health data;
| 19 | | (2) the sharing of health data to comply with | 20 | | applicable laws or regulations;
| 21 | | (3) the recipient uses the health data only at the | 22 | | direction of the regulated entity and consistent with the | 23 | | purpose for which it was collected and disclosed to the | 24 | | consumer; and
| 25 | | (4) the transfer of health data to a third party as an | 26 | | asset as part of a merger, acquisition, bankruptcy, or |
| | | HB3603 | - 6 - | LRB103 29143 CPF 55529 b |
|
| 1 | | other transaction in which the third party assumes control | 2 | | of all or part of the regulated entity's assets that shall | 3 | | comply with the requirements and obligations in this Act.
| 4 | | "Share" means to release, disclose, disseminate, divulge, | 5 | | loans, make available, provide access to, license, or | 6 | | otherwise communicate orally, in writing, or by electronic or | 7 | | other means, health data by a regulated entity to a third party | 8 | | except where the regulated entity maintains exclusive control | 9 | | and ownership of the health data. "Share" does not include:
| 10 | | (1) the disclosure of health data to an entity who | 11 | | collects or processes the personal data on behalf of the | 12 | | regulated entity, when the regulated entity maintains | 13 | | control and ownership of the data and the third party | 14 | | maintains or uses the health data only for the regulated | 15 | | entity's distinct purposes;
| 16 | | (2) the disclosure of health data to a third party | 17 | | with whom the consumer has a direct relationship for | 18 | | purposes of and only to the extent necessary for providing | 19 | | a product or service requested by the consumer when the | 20 | | regulated entity maintains control and ownership of the | 21 | | data and the third party maintains or uses the health data | 22 | | only for the regulated entity's distinct purposes; or
| 23 | | (3) the disclosure or transfer of personal data to a | 24 | | third party as an asset that is part of a merger, | 25 | | acquisition, bankruptcy, or other transaction in which the | 26 | | third party assumes control of all or part of the |
| | | HB3603 | - 7 - | LRB103 29143 CPF 55529 b |
|
| 1 | | regulated entity's assets and shall comply with the | 2 | | requirements and obligations in this Act.
| 3 | | "Third party" means an entity other than a consumer, | 4 | | regulated entity, service provider, or affiliate of the | 5 | | regulated entity.
| 6 | | Section 10. Scope.
| 7 | | (a) This Act applies to consumers seeking, researching, or | 8 | | obtaining health services within the State, or information | 9 | | about health services available in the State and regulated | 10 | | entities.
| 11 | | (b) This Act does not affect an individual's right to | 12 | | voluntarily share the individual's own health care information | 13 | | with another person.
| 14 | | Section 15. Health data privacy policy required.
| 15 | | (a) A regulated entity shall disclose and maintain a | 16 | | health data privacy policy that, in plain language, clearly | 17 | | and conspicuously discloses:
| 18 | | (1) the specific types of health data collected and | 19 | | the purpose for which the data is collected and used;
| 20 | | (2) the categories of sources from which the health | 21 | | data is collected;
| 22 | | (3) the specific types of health data that are shared, | 23 | | sold, and stored;
| 24 | | (4) the categories of third parties with whom the |
| | | HB3603 | - 8 - | LRB103 29143 CPF 55529 b |
|
| 1 | | regulated entity collects, shares, sells, and stores | 2 | | health data, and the process to withdraw consent from | 3 | | having health data collected, shared, sold, and stored;
| 4 | | (5) a list of the specific third parties to which the | 5 | | regulated entity shares health data, and an active | 6 | | electronic mail address or other online mechanism that the | 7 | | consumer may use to contact these third parties free of | 8 | | charge;
| 9 | | (6) how a consumer may exercise the rights provided in | 10 | | this Act, including, but not limited to, identifying 2 or | 11 | | more designated methods for a consumer to contact the | 12 | | regulated entity in connection with the exercise of any | 13 | | rights provided in this Act;
| 14 | | (7) the length of time the regulated entity intends to | 15 | | retain each category of health data, or if that is not | 16 | | possible, the criteria used to determine that period | 17 | | provided that a regulated entity shall not retain health | 18 | | data for each disclosed purpose for which the health data | 19 | | was collected for longer than is reasonably necessary to | 20 | | fulfill that disclosed purpose; and
| 21 | | (8) whether the regulated entity collects health data | 22 | | when the consumer is not directly interacting with the | 23 | | regulated entity or its services.
| 24 | | (b) A regulated entity shall prominently publish its | 25 | | health data privacy policy on its website homepage. Such | 26 | | health data privacy policy must be distinguishable from other |
| | | HB3603 | - 9 - | LRB103 29143 CPF 55529 b |
|
| 1 | | matters.
| 2 | | (c) A regulated entity shall not collect, share, sell, or | 3 | | store additional categories of health data not disclosed in | 4 | | the health data privacy policy without first disclosing the | 5 | | additional categories of health data and obtaining the | 6 | | consumer's consent prior to the collection, sharing, selling, | 7 | | or storing of such health data.
| 8 | | (d) A regulated entity shall not collect, share, sell, or | 9 | | store health data for additional purposes not disclosed in the | 10 | | health data privacy policy without first disclosing the | 11 | | additional purposes and obtaining the consumer's affirmative | 12 | | consent prior to the collection, sharing, selling, or storing | 13 | | of such health data.
| 14 | | (e) It is a violation of this Act for a regulated entity to | 15 | | contract with a service provider to process consumer health | 16 | | data in a manner that is inconsistent with the regulated | 17 | | entity's consumer health data privacy policy.
| 18 | | Section 20. Prohibition on collection, sharing, selling, | 19 | | or storing of health data.
| 20 | | (a) A regulated entity shall not collect health data, | 21 | | except:
| 22 | | (1) with the consent of the consumer to whom such | 23 | | information relates for a specified purpose; or
| 24 | | (2) as is strictly necessary to provide a product or | 25 | | service that the consumer to whom such health data relates |
| | | HB3603 | - 10 - | LRB103 29143 CPF 55529 b |
|
| 1 | | has specifically requested from such regulated entity.
| 2 | | (b) A regulated entity shall not share any health data | 3 | | except:
| 4 | | (1) with consent from the consumer for such sharing | 5 | | that is separate and distinct from the consent obtained to | 6 | | collect health data; or
| 7 | | (2) to the extent strictly necessary to provide a | 8 | | product or service that the consumer to whom such health | 9 | | data relates has specifically requested from such | 10 | | regulated entity.
| 11 | | (c) A regulated entity shall not sell health data to any | 12 | | third party without entering into a separate written agreement | 13 | | with the consumer to whom such health data relates, in which | 14 | | the consumer expressly consents to and authorizes the | 15 | | regulated entity to sell such health data.
| 16 | | (d) A regulated entity shall not store any health data | 17 | | except:
| 18 | | (1) with consent from the consumer for such sharing | 19 | | that is separate and distinct from the consent obtained to | 20 | | collect health data; or
| 21 | | (2) to the extent strictly necessary to provide a | 22 | | product or service that the consumer to whom such health | 23 | | data relates has specifically requested from such | 24 | | regulated entity.
| 25 | | Section 25. Consent required.
|
| | | HB3603 | - 11 - | LRB103 29143 CPF 55529 b |
|
| 1 | | (a) A regulated entity shall not seek consent to collect, | 2 | | share, sell, or store health data without first disclosing its | 3 | | health data privacy policy as required under Section 15.
| 4 | | (b) Consent obtained prior to collection, sharing, | 5 | | selling, or storing. Consent required under this Section must | 6 | | be obtained prior to the collection, sharing, selling, or | 7 | | storing, as applicable, of any health data, and the request | 8 | | for consent must clearly and conspicuously disclose, separate | 9 | | and apart from its health data privacy policy:
| 10 | | (1) the categories of health data collected, sold, | 11 | | shared, or stored;
| 12 | | (2) the purpose of the collection, selling, sharing, | 13 | | or storage of the health data, including the specific ways | 14 | | in which it will be used; and
| 15 | | (3) how the consumer can withdraw consent from future | 16 | | collection, selling, sharing or storage of their health | 17 | | data.
| 18 | | (c) Consent required under this Section must be obtained | 19 | | prior to the use of any health data for any purpose not | 20 | | specified prior to obtaining a consumer's consent for the use | 21 | | of such health data for any new purpose.
| 22 | | Section 30. Right to withdraw consent.
A consumer has the | 23 | | right to withdraw consent from the collection and sharing of | 24 | | the consumer's health data.
|
| | | HB3603 | - 12 - | LRB103 29143 CPF 55529 b |
|
| 1 | | Section 35. Prohibition on discrimination.
It shall be | 2 | | unlawful for a regulated entity to discriminate against a | 3 | | consumer solely because they have not provided consent | 4 | | pursuant to this Act, or have exercised any other rights | 5 | | provided by this Act or guaranteed by law. Discrimination | 6 | | includes, but is not limited to:
| 7 | | (1) providing different, or a different level or | 8 | | quality of, goods or services to the consumer;
| 9 | | (2) denying or limiting goods or services to the | 10 | | consumer;
| 11 | | (3) imposing additional requirements or restrictions | 12 | | on the individual that would not be necessary if the | 13 | | consumer provided their consent;
| 14 | | (4) providing materially different treatment to | 15 | | consumers who provide consent as compared to consumers who | 16 | | do not provide consent;
| 17 | | (5) suggesting that the consumer will receive a | 18 | | different price or rate for goods or services or a | 19 | | different level or quality of goods or services; or
| 20 | | (6) charging different prices or rates for goods or | 21 | | services, including through the use of discounts or other | 22 | | benefits or imposing penalties.
| 23 | | Section 40. Right to confirm.
A consumer has the right to | 24 | | confirm whether a regulated entity is collecting, selling, | 25 | | sharing, or storing any of the consumer's health data, and to |
| | | HB3603 | - 13 - | LRB103 29143 CPF 55529 b |
|
| 1 | | confirm that a regulated entity has deleted the consumer's | 2 | | health data following a deletion request pursuant to Section | 3 | | 45 of this Act. A regulated entity that receives a consumer | 4 | | request to confirm shall respond within 30 calendar days from | 5 | | receiving the request to confirm from the consumer. The | 6 | | regulated entity shall, without reasonable delay, promptly | 7 | | take all steps necessary to verify the consumer's request, but | 8 | | this shall not extend the regulated entity's duty to respond | 9 | | within 30 days of receipt of the consumer's request. The time | 10 | | period to provide the required confirmation may be extended | 11 | | once by an additional 30 calendar days when reasonably | 12 | | necessary, provided the consumer is provided notice of the | 13 | | extension within the first 30-day period.
| 14 | | Section 45. Right to deletion.
| 15 | | (a) A consumer has the right to have the consumer's health | 16 | | data that is collected by a regulated entity deleted by | 17 | | informing the regulated entity of the consumer's request for | 18 | | deletion.
| 19 | | (b) A regulated entity that collects health data about | 20 | | consumers shall disclose the consumer's rights to request the | 21 | | deletion of the consumer's health data.
| 22 | | (c) Except as otherwise specified in subsection (f), a | 23 | | regulated entity that receives a consumer request to delete | 24 | | any of the consumer's health data shall without unreasonable | 25 | | delay, and no more than 30 calendar days from receiving the |
| | | HB3603 | - 14 - | LRB103 29143 CPF 55529 b |
|
| 1 | | deletion request:
| 2 | | (1) delete the consumer's health data from its | 3 | | records, including from all parts of the regulated | 4 | | entity's network or backup systems; and
| 5 | | (2) notify all service providers, contractors, and | 6 | | third parties with whom the regulated entity has shared | 7 | | the consumer's health data of the deletion request.
| 8 | | (d) Any service provider, contractor, and other third | 9 | | party that receives notice of a consumer's deletion request | 10 | | from a Regulated Entity shall honor the consumer's deletion | 11 | | request and delete the health data from the regulated entity's | 12 | | records, including from all parts of its network or backup | 13 | | systems.
| 14 | | (e) A consumer or a consumer's authorized agent may | 15 | | exercise the rights set forth in this Act by submitting a | 16 | | request, at any time, to a regulated entity. Such a request may | 17 | | be made by:
| 18 | | (1) contacting the regulated entity through the manner | 19 | | included in its health data privacy policy;
| 20 | | (2) by designating an authorized agent who may | 21 | | exercise the rights on behalf of the consumer;
| 22 | | (3) in the case of collecting health data of a minor, | 23 | | the minor seeking health services may exercise their | 24 | | rights under this Act, or the parent or legal guardian of | 25 | | the minor, may exercise the rights of this Act on the | 26 | | minor's behalf; or
|
| | | HB3603 | - 15 - | LRB103 29143 CPF 55529 b |
|
| 1 | | (4) in the case of collecting health data concerning a | 2 | | consumer subject to guardianship, conservatorship, or | 3 | | other protective arrangement under the Probate Act of | 4 | | 1975, the guardian or the conservator of the consumer may | 5 | | exercise the rights of this Act on the consumer's behalf.
| 6 | | (f) The time period to delete any of the consumer's health | 7 | | data may be extended once by an additional 30 calendar days | 8 | | when reasonably necessary, provided the consumer is provided | 9 | | notice of the extension within the first 30-day period.
| 10 | | Section 50. Consumer health data security and | 11 | | minimization.
| 12 | | (a) A regulated entity shall restrict access to health | 13 | | data by the employees, service providers, and contractors of | 14 | | such regulated entity to only those employees, services | 15 | | providers, and contractors for which access is necessary to | 16 | | provide a product or service that the consumer to whom such | 17 | | health data relates has requested from such regulated entity.
| 18 | | (b) A regulated entity shall establish, implement, and | 19 | | maintain administrative, technical, and physical data security | 20 | | practices that at least satisfy a reasonable standard of care | 21 | | within the regulated entity's industry to protect the | 22 | | confidentiality, integrity, and accessibility of health data | 23 | | appropriate to the volume and nature of the personal data at | 24 | | issue.
|
| | | HB3603 | - 16 - | LRB103 29143 CPF 55529 b |
|
| 1 | | Section 55. Prohibition on geofencing.
| 2 | | (a) It shall be unlawful for any person to implement a | 3 | | geofence that enables the sending of a notification, message, | 4 | | alert, or other pieces of information to a consumer that | 5 | | enters the perimeter around any entity that provides health | 6 | | services.
| 7 | | (b) It shall be unlawful for any person to implement a | 8 | | geofence around any entity that provides in-person health care | 9 | | services where such geofence is used to identify, track, or | 10 | | collect data from a consumer that enters the virtual | 11 | | perimeter.
| 12 | | Section 60. Private right of action.
Any person aggrieved | 13 | | by a violation of this Act shall have a right of action in a | 14 | | state circuit court or as a supplemental claim in federal | 15 | | district court against an offending party. A prevailing party | 16 | | may recover for each violation:
| 17 | | (1) against any offending party that negligently | 18 | | violates a provision of this Act, liquidated damages of | 19 | | $1,000 or actual damages, whichever is greater;
| 20 | | (2) against any offending party that intentionally or | 21 | | recklessly violates a provision of this Act, liquidated | 22 | | damages of $5,000 or actual damages, whichever is greater;
| 23 | | (3) reasonable attorneys' fees and costs, including | 24 | | expert witness fees and other litigation expenses; and
| 25 | | (4) other relief, including an injunction, as the |
| | | HB3603 | - 17 - | LRB103 29143 CPF 55529 b |
|
| 1 | | State or federal court may deem appropriate.
| 2 | | Section 65. Enforcement by the Attorney General.
The | 3 | | Attorney General may enforce a violation of this Act as an | 4 | | unlawful practice under the Consumer Fraud and Deceptive | 5 | | Business Practices Act. All rights and remedies provided the | 6 | | Attorney General under the Consumer Fraud and Deceptive | 7 | | Business Practices Act shall be available for enforcement of a | 8 | | violation of this Act.
| 9 | | Section 70. Conflict with other laws.
| 10 | | (a) Nothing in this Act shall be construed to conflict | 11 | | with the Health Insurance Portability and Accountability Act | 12 | | of 1996.
| 13 | | (b) Nothing in this Act shall be construed to prohibit | 14 | | disclosure as required under the Adult Protective Services | 15 | | Act, the Abused and Neglected Child Reporting Act, the | 16 | | Criminal Code of 2012, and the Disclosure of Offenses Against | 17 | | Children Act.
| 18 | | (c) If any provision of this Act, or the application | 19 | | thereof to any person or circumstance, is held invalid, the | 20 | | remainder of this Act and the application of such provision to | 21 | | other persons not similarly situated or to other circumstances | 22 | | shall not be affected by the invalidation.
|
|