Bill Amendment: IL SB3222 | 2025-2026 | 104th General Assembly
NOTE: For additional amemendments please see the Bill Drafting List
Bill Title: VIDEO STREAMING AD VOLUME
Status: 2026-06-12 - Public Act . . . . . . . . . 104-0463 [SB3222 Detail]
Download: Illinois-2025-SB3222-House_Amendment_001.html
Bill Title: VIDEO STREAMING AD VOLUME
Status: 2026-06-12 - Public Act . . . . . . . . . 104-0463 [SB3222 Detail]
Download: Illinois-2025-SB3222-House_Amendment_001.html
| |||||||
| |||||||
| 1 | AMENDMENT TO SENATE BILL 3222 | ||||||
| 2 | AMENDMENT NO. ______. Amend Senate Bill 3222 by replacing | ||||||
| 3 | everything after the enacting clause with the following: | ||||||
| 4 | "Section 1. Short title. This Act may be cited as the | ||||||
| 5 | Protect Health Data Privacy Act. | ||||||
| 6 | Section 5. Definitions. As used in this Act: | ||||||
| 7 | "Affiliate" means a legal entity that shares common | ||||||
| 8 | branding with another legal entity or controls, is controlled | ||||||
| 9 | by or is under common control with another legal entity. For | ||||||
| 10 | the purposes of this definition, "control" and "controlled" | ||||||
| 11 | mean (1) ownership of, or the power to vote, more than 50% of | ||||||
| 12 | the outstanding shares of any class of voting security of a | ||||||
| 13 | company, (2) control in any manner over the election of a | ||||||
| 14 | majority of the directors or of individuals exercising similar | ||||||
| 15 | functions, or (3) the power to exercise controlling influence | ||||||
| 16 | over the management of a company. | ||||||
| |||||||
| |||||||
| 1 | "Collect" means to buy, rent, lease, access, retain, | ||||||
| 2 | receive, derive, or acquire health data in any manner, | ||||||
| 3 | including receiving the data from an individual, either | ||||||
| 4 | actively or passively, or by observing or tracking the | ||||||
| 5 | individual's online activity or precise location. | ||||||
| 6 | "Consent" means a clear, affirmative act by an individual | ||||||
| 7 | that unambiguously communicates the individual's express, | ||||||
| 8 | freely given, informed, opted-into, voluntary, specific, and | ||||||
| 9 | unambiguous written agreement, including written consent | ||||||
| 10 | provided by electronic means to the processing or sale of | ||||||
| 11 | health data. "Consent" does not include implied consent or | ||||||
| 12 | consent obtained by: | ||||||
| 13 | (1) acceptance of a general or broad terms of use | ||||||
| 14 | agreement or a similar document that contains descriptions | ||||||
| 15 | of personal data processing along with other, unrelated | ||||||
| 16 | information; | ||||||
| 17 | (2) hovering over, muting, pausing, or closing a given | ||||||
| 18 | piece of digital content; or | ||||||
| 19 | (3) agreement obtained through the use of deceptive | ||||||
| 20 | designs. | ||||||
| 21 | "Deceptive design" means any user interface or element | ||||||
| 22 | thereof that has the substantial effect of subverting, | ||||||
| 23 | impairing, or impeding an individual's autonomy, | ||||||
| 24 | decision-making, or choice. | ||||||
| 25 | "Deidentified data" means data that cannot be used to | ||||||
| 26 | infer information about, or otherwise be linked to, an | ||||||
| |||||||
| |||||||
| 1 | identified or identifiable individual, or a device linked to | ||||||
| 2 | such individual. | ||||||
| 3 | "Geofence" means technology that uses global positioning | ||||||
| 4 | coordinates, cell tower connectivity, cellular data, radio | ||||||
| 5 | frequency identification, wireless Internet data, or any other | ||||||
| 6 | form of spatial or location detection to establish a virtual | ||||||
| 7 | boundary around a specific physical location, or to locate an | ||||||
| 8 | individual within a virtual boundary that is no more than | ||||||
| 9 | 1,750 feet around a specific physical location. | ||||||
| 10 | "Health data" means (1) an individual's personal | ||||||
| 11 | information that identifies a past or present health condition | ||||||
| 12 | of that individual, or (2) information that is linked or can be | ||||||
| 13 | reasonably linked to an individual that a regulated entity | ||||||
| 14 | derives or extrapolates from nonhealth information that a | ||||||
| 15 | regulated entity uses or processes to determine a past, | ||||||
| 16 | present, or future health condition of that individual. | ||||||
| 17 | "Health data" includes any information relating to an | ||||||
| 18 | individual's: | ||||||
| 19 | (1) health conditions, status, diseases, diagnoses, or | ||||||
| 20 | testing; | ||||||
| 21 | (2) health-related treatment, surgeries, or | ||||||
| 22 | procedures; | ||||||
| 23 | (3) use or purchase of medication; | ||||||
| 24 | (4) social, psychological, behavioral, and medical | ||||||
| 25 | interventions; | ||||||
| 26 | (5) measurement or tracking of bodily functions, vital | ||||||
| |||||||
| |||||||
| 1 | signs, or symptoms; | ||||||
| 2 | (6) responses to and results from online screenings | ||||||
| 3 | and online tests and quizzes regarding the individual's | ||||||
| 4 | health conditions that are used to determine an | ||||||
| 5 | individual's health condition; | ||||||
| 6 | (7) efforts to research or obtain health services or | ||||||
| 7 | supplies; | ||||||
| 8 | (8) health services or products that support or relate | ||||||
| 9 | to lawful health care, as defined in Section 28-10 of the | ||||||
| 10 | Lawful Health Care Activity Act; and | ||||||
| 11 | (9) precise location information used to determine an | ||||||
| 12 | individual's attempt to acquire or receive health services | ||||||
| 13 | or supplies. | ||||||
| 14 | "Health data" does not include: | ||||||
| 15 | (1) information about an individual's purchase or | ||||||
| 16 | acquisition of retail goods or services that the regulated | ||||||
| 17 | entity uses or processes for a purpose other than to | ||||||
| 18 | determine an individual's past, present, or future | ||||||
| 19 | physical or mental health condition; or | ||||||
| 20 | (2) deidentified data. | ||||||
| 21 | "Health services" means any service, medical care, or | ||||||
| 22 | information related to an individual's health condition | ||||||
| 23 | provided to an individual. | ||||||
| 24 | "HIPAA" means the Health Insurance Portability and | ||||||
| 25 | Accountability Act of 1996, Public Law 104-191, the Health | ||||||
| 26 | Information Technology for Economic and Clinical Health Act, | ||||||
| |||||||
| |||||||
| 1 | and any subsequent amendments thereto and any regulations | ||||||
| 2 | promulgated thereunder, including the Privacy Rule, as | ||||||
| 3 | specified in 45 CFR 164.500-534, the Security Rule, as | ||||||
| 4 | specified in 45 CFR 164.302-318, and the Breach Notification | ||||||
| 5 | rule, as specified in 45 CFR 164.400-414. | ||||||
| 6 | "Homepage" means the introductory page of a website where | ||||||
| 7 | personal information is collected. In the case of an online | ||||||
| 8 | service, such as a mobile application, "homepage" means the | ||||||
| 9 | application's platform page or download page, such as from the | ||||||
| 10 | application configuration, "About" page, "Information" page, | ||||||
| 11 | or "Settings" page, and any other location that allows | ||||||
| 12 | individuals to review the notice. | ||||||
| 13 | "Individual" means a natural person who is a resident of | ||||||
| 14 | this State or whose health data is collected when present in | ||||||
| 15 | this State, however identified, including by any unique | ||||||
| 16 | identifier. "Individual" does not include a person acting | ||||||
| 17 | within the scope of the person's duties as an employee, | ||||||
| 18 | independent contractor, officer, board member, or sole | ||||||
| 19 | proprietorship. | ||||||
| 20 | "Person" means, where applicable, natural persons, | ||||||
| 21 | corporations, trusts, unincorporated associations, and | ||||||
| 22 | partnerships. "Person" does not include (1) any branch of | ||||||
| 23 | State government, unit of local government, or school | ||||||
| 24 | district; (2) any tribal nation, or (3) any contractor, | ||||||
| 25 | subcontractor, or agent that processes health data on behalf | ||||||
| 26 | of, and in accordance with the terms and conditions of a | ||||||
| |||||||
| |||||||
| 1 | contract with, any branch of State government, tribal nation, | ||||||
| 2 | unit of local government, or school district. | ||||||
| 3 | "Personal information" means information that identifies, | ||||||
| 4 | is reasonably capable of being associated with, or is linked, | ||||||
| 5 | directly or indirectly, with a particular individual or | ||||||
| 6 | household. "Personal information" includes, but is not limited | ||||||
| 7 | to, data associated with a persistent unique identifier, such | ||||||
| 8 | as a cookie ID, an IP address, a device identifier, or any | ||||||
| 9 | other form of persistent unique identifier. "Personal | ||||||
| 10 | information" does not include publicly available information | ||||||
| 11 | or deidentified data. | ||||||
| 12 | "Precise location information" means information derived | ||||||
| 13 | from technology, including, but not limited to, Global | ||||||
| 14 | Positioning System level latitude and longitude coordinates or | ||||||
| 15 | other mechanisms, that identifies the specific location of an | ||||||
| 16 | individual with precision and accuracy within a radius of | ||||||
| 17 | 1,750 feet. "Precise location information" does not include: | ||||||
| 18 | (1) the content of communications, or (2) any data generated | ||||||
| 19 | by or connected to advanced utility metering infrastructure | ||||||
| 20 | systems or equipment for use by a utility. | ||||||
| 21 | "Process" or "processing" means any operation or set of | ||||||
| 22 | operations performed, whether by manual or automated means, on | ||||||
| 23 | personal information or on sets of personal information, | ||||||
| 24 | whether alone or in combination with other data, such as the | ||||||
| 25 | collection, use, access, sharing, analysis, retention, | ||||||
| 26 | creation, generation, derivation, recording, organization, | ||||||
| |||||||
| |||||||
| 1 | structuring, storage, disclosure, transmission, disposal, | ||||||
| 2 | licensing, destruction, deletion, retrieval, modification, or | ||||||
| 3 | deidentification of health data. | ||||||
| 4 | "Processor" means a person or legal entity that processes | ||||||
| 5 | health data on behalf of a regulated entity pursuant to a | ||||||
| 6 | written agreement or contract. | ||||||
| 7 | "Publicly available" means information that is made | ||||||
| 8 | available to the general public from (1) federal, State, or | ||||||
| 9 | local government records; (2) widely distributed media, | ||||||
| 10 | including health data intentionally made available by the | ||||||
| 11 | individual to the general public and in which the individual | ||||||
| 12 | did not maintain a reasonable expectation of privacy; or (3) a | ||||||
| 13 | disclosure that has been made to the general public as | ||||||
| 14 | required by federal, State, or local law. "Publicly available | ||||||
| 15 | information" does not include (1) personal information that is | ||||||
| 16 | created through the combination of personal information with | ||||||
| 17 | publicly available information; (2) information made available | ||||||
| 18 | by an individual on a website or online service open to all | ||||||
| 19 | members of the public, for free or for a fee, where the | ||||||
| 20 | individual has maintained a reasonable expectation of privacy | ||||||
| 21 | by restricting the information to a specific audience; or (3) | ||||||
| 22 | any obscene visual depiction, as defined in 18 U.S.C. 1460. | ||||||
| 23 | "Regulated entity" means any individual, partnership, | ||||||
| 24 | corporation, limited liability company, or association that: | ||||||
| 25 | (1) conducts business in this State, or produces or provides | ||||||
| 26 | products or services that are available to individuals in this | ||||||
| |||||||
| |||||||
| 1 | State; and (2) determines the purpose and means of processing | ||||||
| 2 | or selling of health data. | ||||||
| 3 | "Regulated entity" does not include: | ||||||
| 4 | (1) any branch of State government, a tribal nation, a | ||||||
| 5 | unit of local government, or a school district; | ||||||
| 6 | (2) a contractor, subcontractor, or agent that | ||||||
| 7 | processes health data on behalf of, and in accordance with | ||||||
| 8 | the terms and conditions of a contract with, any branch of | ||||||
| 9 | State government, a tribal nation, a unit of local | ||||||
| 10 | government, or a school district; | ||||||
| 11 | (3) a processor that processes health data on behalf | ||||||
| 12 | of a regulated entity; | ||||||
| 13 | (4) a not-for-profit legal entity that is subject to | ||||||
| 14 | and in compliance with the Illinois Insurance Guaranty | ||||||
| 15 | Fund Article of the Illinois Insurance Code or the Life | ||||||
| 16 | and Health Insurance Guaranty Association Article of the | ||||||
| 17 | Illinois Insurance Code, to the extent such entity is | ||||||
| 18 | acting in a capacity subject to the supervision of the | ||||||
| 19 | Department of Insurance; | ||||||
| 20 | (5) a covered entity or a business associate, as | ||||||
| 21 | defined in 45 CFR 160.103, subject to and in substantial | ||||||
| 22 | compliance with HIPAA to the extent such entity is acting | ||||||
| 23 | as a covered entity or business associate under the | ||||||
| 24 | Privacy and Security rules issued by the United States | ||||||
| 25 | Department of Health and Human Services, Parts 160 and 164 | ||||||
| 26 | of Title 45 of the Code of Federal Regulations; | ||||||
| |||||||
| |||||||
| 1 | (6) any entity that is subject to and in compliance | ||||||
| 2 | with restrictions on disclosure of records under Section | ||||||
| 3 | 543 of the Public Health Service Act, 42 U.S.C. 290dd-2, | ||||||
| 4 | to the extent such entity is acting in a capacity subject | ||||||
| 5 | to such restrictions; or | ||||||
| 6 | (7) an entity that is subject to and in compliance | ||||||
| 7 | with the Insurance Information and Privacy Protection | ||||||
| 8 | Article of the Illinois Insurance Code, the Insurance Data | ||||||
| 9 | Security Law, and any corresponding privacy protection | ||||||
| 10 | rules adopted by the Director of Insurance to the extent | ||||||
| 11 | such entity is acting in a capacity subject to such laws | ||||||
| 12 | and rules. | ||||||
| 13 | "Sell" or "sale" means the exchange of health data for | ||||||
| 14 | monetary or other valuable consideration. | ||||||
| 15 | "Sell" or "sale" does not include: | ||||||
| 16 | (1) the sharing or transfer of an individual's health | ||||||
| 17 | data by a regulated entity to a processor that processes | ||||||
| 18 | the individual's health data on behalf of the regulated | ||||||
| 19 | entity; | ||||||
| 20 | (2) the sharing or transfer of an individual's health | ||||||
| 21 | data to an affiliate of the regulated entity; | ||||||
| 22 | (3) the sharing or transfer of an individual's health | ||||||
| 23 | data by a regulated entity to a third party with whom the | ||||||
| 24 | individual has a direct relationship when the sharing is | ||||||
| 25 | for the purpose of, and only to the extent necessary for | ||||||
| 26 | providing a product or service requested by the | ||||||
| |||||||
| |||||||
| 1 | individual, and the third party maintains or uses the | ||||||
| 2 | individual's health data consistent with the purpose for | ||||||
| 3 | which it was collected and consented to by the individual; | ||||||
| 4 | (4) the sharing or transfer of an individual's health | ||||||
| 5 | data when the individual directs the regulated entity to | ||||||
| 6 | disclose the individual's health data or intentionally | ||||||
| 7 | uses the regulated entity to interact with a third party; | ||||||
| 8 | (5) the sharing or transfer of an individual's health | ||||||
| 9 | data to a third party as an asset that is part of a merger, | ||||||
| 10 | acquisition, bankruptcy, or other transaction in which the | ||||||
| 11 | third party assumes control of all or part of the | ||||||
| 12 | regulated entity's assets and complies with the | ||||||
| 13 | requirements and obligations in this Act, but only if the | ||||||
| 14 | regulated entity, within a reasonable time before the | ||||||
| 15 | exchange, provides the affected individual with: | ||||||
| 16 | (A) a notice describing the transfer, including | ||||||
| 17 | the name of the entity receiving the individual's | ||||||
| 18 | health data and the applicable privacy policies of the | ||||||
| 19 | entity; and | ||||||
| 20 | (B) a reasonable opportunity to withdraw | ||||||
| 21 | previously provided consent related to the | ||||||
| 22 | individual's health data and request the deletion of | ||||||
| 23 | the individual's health data; and | ||||||
| 24 | (6) the sharing or transfer of an individual's | ||||||
| 25 | publicly available health data. | ||||||
| 26 | "Share" or "sharing" means to release, disclose, | ||||||
| |||||||
| |||||||
| 1 | disseminate, divulge, loan, make available, provide access to, | ||||||
| 2 | license, transfer, or otherwise communicate orally, in | ||||||
| 3 | writing, or by electronic or other means, an individual's | ||||||
| 4 | health data by a regulated entity to a third party, except | ||||||
| 5 | where the regulated entity maintains exclusive control and | ||||||
| 6 | ownership of the health data. | ||||||
| 7 | "Share" or "sharing" does not include: | ||||||
| 8 | (1) the sharing or transfer of an individual's health | ||||||
| 9 | data by a regulated entity to a processor that processes | ||||||
| 10 | the individual's health data on behalf of the regulated | ||||||
| 11 | entity; | ||||||
| 12 | (2) the sharing or transfer of an individual's health | ||||||
| 13 | data to an affiliate of the regulated entity; | ||||||
| 14 | (3) the sharing or transfer of an individual's health | ||||||
| 15 | data by a regulated entity to a third party with whom the | ||||||
| 16 | individual has a direct relationship when the sharing is | ||||||
| 17 | for the purpose of, and only to the extent necessary for | ||||||
| 18 | providing a product or service requested by the | ||||||
| 19 | individual, and the third party maintains or uses the | ||||||
| 20 | individual's health data consistent with the purpose for | ||||||
| 21 | which it was collected and consented to by the individual; | ||||||
| 22 | (4) the sharing or transfer of an individual's health | ||||||
| 23 | data when the individual directs the regulated entity to | ||||||
| 24 | disclose the individual's health data or intentionally | ||||||
| 25 | uses the regulated entity to interact with a third party; | ||||||
| 26 | (5) the sharing or transfer of an individual's health | ||||||
| |||||||
| |||||||
| 1 | data to a third party as an asset that is part of a merger, | ||||||
| 2 | acquisition, bankruptcy, or other transaction in which the | ||||||
| 3 | third party assumes control of all or part of the | ||||||
| 4 | regulated entity's assets and complies with the | ||||||
| 5 | requirements and obligations in this Act, but only if the | ||||||
| 6 | regulated entity, within a reasonable time before the | ||||||
| 7 | exchange, provides the affected individual with: | ||||||
| 8 | (A) a notice describing the transfer, including | ||||||
| 9 | the name of the entity receiving the individual's | ||||||
| 10 | health data and the applicable privacy policies of the | ||||||
| 11 | entity; and | ||||||
| 12 | (B) a reasonable opportunity to withdraw | ||||||
| 13 | previously provided consent related to the | ||||||
| 14 | individual's health data and request the deletion of | ||||||
| 15 | the individual's health data; and | ||||||
| 16 | (6) the sharing or transfer of an individual's | ||||||
| 17 | publicly available health data. | ||||||
| 18 | "Strictly necessary" means essential or required to be | ||||||
| 19 | done. | ||||||
| 20 | "Substantial compliance" means a level of compliance with | ||||||
| 21 | Title 45 of the Code of Federal Regulations Sections 164.502, | ||||||
| 22 | 164.508, 164.510, 164.512, 164.514, 164.520, 164.522, 164.524, | ||||||
| 23 | 164.526, 164.528, and 164.530 that does not arise from gross | ||||||
| 24 | negligence, recklessness, or willful misconduct by the entity | ||||||
| 25 | acting as a covered entity or business associate. | ||||||
| 26 | "Third party" means an entity other than an individual, | ||||||
| |||||||
| |||||||
| 1 | regulated entity, processor, or affiliate of the regulated | ||||||
| 2 | entity. | ||||||
| 3 | "Unit of local government" means a county, municipality, | ||||||
| 4 | township, special district, or any other unit designated as a | ||||||
| 5 | unit of local government by law. | ||||||
| 6 | Section 10. Health data privacy policy required. | ||||||
| 7 | (a) A regulated entity shall disclose and maintain a | ||||||
| 8 | health data privacy policy that, in plain language, clearly | ||||||
| 9 | and conspicuously includes and discloses: | ||||||
| 10 | (1) the categories of health data processed, including | ||||||
| 11 | the specific categories of health data collected, the | ||||||
| 12 | purposes for which the health data is collected, and how | ||||||
| 13 | the health data will be used; | ||||||
| 14 | (2) the categories of sources from which health data | ||||||
| 15 | is collected; | ||||||
| 16 | (3) whether the regulated entity collects health data | ||||||
| 17 | when the individual is not directly interacting with the | ||||||
| 18 | regulated entity or its services; | ||||||
| 19 | (4) the specific categories of health data shared and | ||||||
| 20 | sold; | ||||||
| 21 | (5) the categories of third parties to whom the | ||||||
| 22 | regulated entity shares and sells health data, if | ||||||
| 23 | applicable; | ||||||
| 24 | (6) the process for opt-in consent to collection of | ||||||
| 25 | health data; | ||||||
| |||||||
| |||||||
| 1 | (7) how to withdraw consent from the collection, | ||||||
| 2 | processing, and selling of an individual's health data; | ||||||
| 3 | (8) the process to withdraw consent from having health | ||||||
| 4 | data collected; | ||||||
| 5 | (9) the length of time the regulated entity intends to | ||||||
| 6 | retain each category of health data, or if that is not | ||||||
| 7 | possible, the criteria used to determine that period; | ||||||
| 8 | however, a regulated entity shall not retain health data | ||||||
| 9 | for each disclosed purpose for which the health data was | ||||||
| 10 | collected for longer than is reasonably necessary to | ||||||
| 11 | fulfill that disclosed purpose or as otherwise permitted | ||||||
| 12 | by this Act; | ||||||
| 13 | (10) how an individual may exercise the rights | ||||||
| 14 | provided in this Act, including, but not limited to, | ||||||
| 15 | identifying 2 or more designated methods for an individual | ||||||
| 16 | to contact the regulated entity in connection with the | ||||||
| 17 | exercise of any rights provided in this Act; | ||||||
| 18 | (11) an active email address or other online mechanism | ||||||
| 19 | that the individual may use to contact the regulated | ||||||
| 20 | entities, free of charge; and | ||||||
| 21 | (12) the date the health data privacy notice was last | ||||||
| 22 | updated. | ||||||
| 23 | (b) A regulated entity shall prominently publish or link | ||||||
| 24 | to its health data privacy policy on its website homepage, | ||||||
| 25 | mobile application, or in another manner that is clear and | ||||||
| 26 | conspicuous to individuals. A regulated entity's health data | ||||||
| |||||||
| |||||||
| 1 | privacy policy must be distinguishable from other matters. Any | ||||||
| 2 | regulated entity providing health services in a physical | ||||||
| 3 | location shall also post its health data privacy policy in a | ||||||
| 4 | conspicuous place that is readily available for viewing by | ||||||
| 5 | individuals. | ||||||
| 6 | (c) A regulated entity shall not process or sell | ||||||
| 7 | additional categories of health data not disclosed in the | ||||||
| 8 | health data privacy policy without first disclosing the | ||||||
| 9 | additional categories of health data and obtaining the | ||||||
| 10 | individual's consent before the processing or selling of the | ||||||
| 11 | health data. | ||||||
| 12 | (d) A regulated entity shall not process or sell health | ||||||
| 13 | data for additional purposes not disclosed in the health data | ||||||
| 14 | privacy policy without first disclosing the additional | ||||||
| 15 | purposes and obtaining the individual's consent before the | ||||||
| 16 | processing or selling of the health data. | ||||||
| 17 | (e) It is a violation of this Act for a regulated entity to | ||||||
| 18 | contract with a processor to process an individual's health | ||||||
| 19 | data in a manner that is inconsistent with the regulated | ||||||
| 20 | entity's health data privacy policy. | ||||||
| 21 | Section 15. Processing of health data. | ||||||
| 22 | (a) Except as provided in subsection (c), a regulated | ||||||
| 23 | entity shall not process an individual's health data unless it | ||||||
| 24 | first obtains consent of the individual to whom the data | ||||||
| 25 | relates. Before a regulated entity processes an individual's | ||||||
| |||||||
| |||||||
| 1 | health data, it shall first: | ||||||
| 2 | (1) disclose its health data privacy policy as | ||||||
| 3 | required under Section 10; and | ||||||
| 4 | (2) separate from the health data privacy policy, | ||||||
| 5 | request the individual's consent to process the | ||||||
| 6 | information for a specified purpose and clearly and | ||||||
| 7 | conspicuously disclose within the request the following | ||||||
| 8 | information: | ||||||
| 9 | (A) the categories of health data processed; | ||||||
| 10 | (B) the regulated entity's specific purpose for | ||||||
| 11 | processing the health data, including the specific | ||||||
| 12 | ways in which the individual's health data will be | ||||||
| 13 | used; | ||||||
| 14 | (C) the categories of entities with whom the | ||||||
| 15 | health data is shared; and | ||||||
| 16 | (D) how the individual can withdraw consent from | ||||||
| 17 | future processing of the individual's health data. | ||||||
| 18 | (b) A regulated entity shall not process an individual's | ||||||
| 19 | health data for any additional purpose that was not | ||||||
| 20 | specifically disclosed and consented to by the individual in | ||||||
| 21 | accordance with this Act. | ||||||
| 22 | (c) Consent to process an individual's health data is not | ||||||
| 23 | required if the individual's health data is processed only for | ||||||
| 24 | one or more of the following permissible purposes: | ||||||
| 25 | (1) as is strictly necessary to provide a product, | ||||||
| 26 | service, or service feature that the individual to whom | ||||||
| |||||||
| |||||||
| 1 | the health data relates has specifically requested from | ||||||
| 2 | the regulated entity; | ||||||
| 3 | (2) to initiate, manage, execute, or complete a | ||||||
| 4 | financial or commercial transaction or to fulfill an order | ||||||
| 5 | for a specific product or service requested by an | ||||||
| 6 | individual to whom the individual health data pertains, | ||||||
| 7 | including, but not limited to, associated routine | ||||||
| 8 | administrative, operational, or account-servicing | ||||||
| 9 | activity, such as billing, shipping, storage, or | ||||||
| 10 | accounting; | ||||||
| 11 | (3) to comply with an obligation under a law of this | ||||||
| 12 | State or federal law; | ||||||
| 13 | (4) to protect public safety or public health; | ||||||
| 14 | (5) to prevent, detect, protect against, or respond to | ||||||
| 15 | a security incident, identity theft, fraud, harassment, | ||||||
| 16 | malicious or deceptive activities, or activities that are | ||||||
| 17 | illegal under the laws of this State; | ||||||
| 18 | (6) to preserve the integrity or security of systems; | ||||||
| 19 | or | ||||||
| 20 | (7) to investigate, report, or prosecute persons | ||||||
| 21 | responsible for activities that are illegal under the laws | ||||||
| 22 | of this State. | ||||||
| 23 | (d) For purposes of this Act, the processing of precise | ||||||
| 24 | location information or health data to provide transportation | ||||||
| 25 | services by private entities regulated under the | ||||||
| 26 | Transportation Network Providers Act is strictly necessary to | ||||||
| |||||||
| |||||||
| 1 | the extent that the private entity uses the precise location | ||||||
| 2 | information or health data for the sole purpose of providing a | ||||||
| 3 | service requested by the individual or the use is otherwise | ||||||
| 4 | consistent with that individual's reasonable expectations, | ||||||
| 5 | considering the context in which the individual provided the | ||||||
| 6 | precise location information to the private entity. | ||||||
| 7 | Section 20. Sale of health data. | ||||||
| 8 | (a) It is unlawful for any regulated entity to sell or | ||||||
| 9 | offer to sell health data concerning an individual without | ||||||
| 10 | first obtaining consent required under Section 15 and valid | ||||||
| 11 | authorization from the individual. The sale of individual | ||||||
| 12 | health data must be consistent with the valid authorization | ||||||
| 13 | signed or electronically documented by the individual. | ||||||
| 14 | (b) A valid authorization to sell an individual's health | ||||||
| 15 | data is an agreement consistent with this Section and must be | ||||||
| 16 | provided in plain language. The valid authorization to sell | ||||||
| 17 | the individual's health data must contain the following: | ||||||
| 18 | (1) the specific health data concerning the individual | ||||||
| 19 | that the regulated entity intends to sell; | ||||||
| 20 | (2) the name and contact information of the regulated | ||||||
| 21 | entity collecting and selling the health data; | ||||||
| 22 | (3) the name and contact information of the regulated | ||||||
| 23 | entity purchasing the health data from the seller | ||||||
| 24 | identified in paragraph (2) of this subsection; | ||||||
| 25 | (4) a description of the purpose for the sale, | ||||||
| |||||||
| |||||||
| 1 | including how the health data will be gathered and how it | ||||||
| 2 | will be used by the purchaser identified in paragraph (3) | ||||||
| 3 | of this subsection when sold; | ||||||
| 4 | (5) a statement that the provision of goods or | ||||||
| 5 | services may not be conditioned on the individual signing | ||||||
| 6 | the valid authorization; | ||||||
| 7 | (6) a statement that the individual has a right to | ||||||
| 8 | revoke the valid authorization at any time and a | ||||||
| 9 | description on how an individual may revoke the valid | ||||||
| 10 | authorization; | ||||||
| 11 | (7) a statement that the individual health data sold | ||||||
| 12 | pursuant to the valid authorization may be subject to | ||||||
| 13 | redisclosure by the purchaser and may no longer be | ||||||
| 14 | protected by this Section; | ||||||
| 15 | (8) an expiration date for the valid authorization | ||||||
| 16 | that expires one year after the individual signs the valid | ||||||
| 17 | authorization, unless the individual extends the valid | ||||||
| 18 | authorization before it expires. The individual may renew | ||||||
| 19 | the individual's valid authorization annually if the | ||||||
| 20 | regulated entity provides the individual with a notice | ||||||
| 21 | that alerts the individual that the valid authorization | ||||||
| 22 | will expire within 30 days before the expiration date and | ||||||
| 23 | provides the individual with a mechanism that allows the | ||||||
| 24 | individual to renew the valid authorization for an | ||||||
| 25 | additional year or withdraw consent; and | ||||||
| 26 | (9) the signature of the individual and date. | ||||||
| |||||||
| |||||||
| 1 | (c) An authorization is not valid if the document has any | ||||||
| 2 | of the following defects: | ||||||
| 3 | (1) the expiration date has passed and the individual | ||||||
| 4 | did not sign an updated valid authorization before the | ||||||
| 5 | expiration date passed; | ||||||
| 6 | (2) the valid authorization does not contain all the | ||||||
| 7 | information required under this Section; | ||||||
| 8 | (3) the valid authorization has been revoked by the | ||||||
| 9 | individual; | ||||||
| 10 | (4) the valid authorization has been combined with | ||||||
| 11 | other documents to create a compound authorization; or | ||||||
| 12 | (5) the provision of goods or services is conditioned | ||||||
| 13 | on the individual signing the authorization. | ||||||
| 14 | (d) A copy of the signed valid authorization must be | ||||||
| 15 | provided to the individual. | ||||||
| 16 | (e) The seller and purchaser of health data must retain a | ||||||
| 17 | copy of all valid authorizations for the sale of health data | ||||||
| 18 | for 6 years after the date of its signature or the date when it | ||||||
| 19 | was last in effect, whichever is later. | ||||||
| 20 | Section 25. Rights and requests | ||||||
| 21 | (a) An individual has the right to confirm: (i) whether a | ||||||
| 22 | regulated entity has, or is, processing or selling the | ||||||
| 23 | individual's health data and to access such data, including a | ||||||
| 24 | list of all third parties and affiliates with whom the | ||||||
| 25 | regulated entity shared or sold the individual's health data, | ||||||
| |||||||
| |||||||
| 1 | and an active email address or other online mechanism that the | ||||||
| 2 | individual may use to contact these third parties; and (ii) | ||||||
| 3 | that a regulated entity has deleted the individual's health | ||||||
| 4 | data following a deletion request pursuant to subsection (c). | ||||||
| 5 | (1) A regulated entity that receives an individual's | ||||||
| 6 | request to confirm shall respond within 45 calendar days | ||||||
| 7 | after receiving the request to confirm from the | ||||||
| 8 | individual. | ||||||
| 9 | (2) The regulated entity shall, without reasonable | ||||||
| 10 | delay, promptly take all steps necessary to verify the | ||||||
| 11 | individual's request, but this shall not extend the | ||||||
| 12 | regulated entity's duty to respond within 45 calendar days | ||||||
| 13 | after receipt of the individual's request. | ||||||
| 14 | (3) The time period to provide the required | ||||||
| 15 | confirmation may be extended once by an additional 45 | ||||||
| 16 | calendar days when reasonably necessary if the individual | ||||||
| 17 | is provided notice of the extension within the first | ||||||
| 18 | 45-day period. | ||||||
| 19 | (b) An individual has the right to withdraw (i) consent | ||||||
| 20 | for processing, including collection and sharing, and (ii) | ||||||
| 21 | authorization for the sale of health data consistent with the | ||||||
| 22 | requirements of Sections 15 and 20, respectively. | ||||||
| 23 | (1) An individual may exercise rights under this | ||||||
| 24 | subsection (b) by submitting a request to a regulated | ||||||
| 25 | entity using the method the regulated entity specifies in | ||||||
| 26 | the privacy policy under paragraph (10) of subsection (a) | ||||||
| |||||||
| |||||||
| 1 | of Section 10. | ||||||
| 2 | (2) A regulated entity may cease providing a product, | ||||||
| 3 | service, or service feature upon the withdrawal of consent | ||||||
| 4 | for collection if the collection of health data is | ||||||
| 5 | strictly necessary to provide that product, service, or | ||||||
| 6 | service feature. | ||||||
| 7 | (c) An individual whose health data is collected by a | ||||||
| 8 | regulated entity has the right to have the individual's health | ||||||
| 9 | data that is collected by a regulated entity deleted by | ||||||
| 10 | informing the regulated entity of the individual's request for | ||||||
| 11 | deletion, except as provided in paragraph (6) of this | ||||||
| 12 | subsection. | ||||||
| 13 | (1) Except as otherwise specified in paragraph (5), a | ||||||
| 14 | regulated entity that receives an individual's request to | ||||||
| 15 | delete any of the individual's health data shall, without | ||||||
| 16 | unreasonable delay, and no more than 45 calendar days | ||||||
| 17 | after receiving the deletion request: | ||||||
| 18 | (A) delete the individual's health data from its | ||||||
| 19 | records, including from all parts of the regulated | ||||||
| 20 | entity's network; and | ||||||
| 21 | (B) notify all processors, affiliates, and third | ||||||
| 22 | parties with whom the regulated entity has shared the | ||||||
| 23 | individual's health data of the deletion request. | ||||||
| 24 | (2) If a regulated entity stores any health data on | ||||||
| 25 | archived or backup systems, it may delay compliance with | ||||||
| 26 | the individual's request to delete with respect to the | ||||||
| |||||||
| |||||||
| 1 | health data stored on the archived or backup system until | ||||||
| 2 | the archived or backup system relating to that data is | ||||||
| 3 | restored to an active system or is next accessed or used. | ||||||
| 4 | (3) Any processors, affiliates, or other third parties | ||||||
| 5 | that receive notice of an individual's deletion request | ||||||
| 6 | from a regulated entity shall honor the individual's | ||||||
| 7 | deletion request and delete the health data from the | ||||||
| 8 | regulated entity's records, including from all parts of | ||||||
| 9 | its network or backup systems. | ||||||
| 10 | (4) An individual or an individual's authorized agent | ||||||
| 11 | may exercise the rights set forth in this Act by | ||||||
| 12 | submitting a request, at any time, to a regulated entity. | ||||||
| 13 | This request may be made by: | ||||||
| 14 | (A) contacting the regulated entity in the manner | ||||||
| 15 | included in its health data privacy policy; | ||||||
| 16 | (B) by designating an authorized agent who may | ||||||
| 17 | exercise the rights on behalf of the individual; | ||||||
| 18 | (C) in the case of collecting health data of a | ||||||
| 19 | minor, the minor seeking health services may exercise | ||||||
| 20 | their rights under this Act, or the parent or legal | ||||||
| 21 | guardian of the minor may exercise the minor's rights | ||||||
| 22 | of this Act on the minor's behalf; or | ||||||
| 23 | (D) in the case of collecting health data | ||||||
| 24 | concerning an individual subject to guardianship, | ||||||
| 25 | conservatorship, or other protective arrangement under | ||||||
| 26 | the Probate Act of 1975, the guardian or the | ||||||
| |||||||
| |||||||
| 1 | conservator of the individual may exercise the rights | ||||||
| 2 | of this Act on the individual's behalf. | ||||||
| 3 | (5) The time period to delete any of the individual's | ||||||
| 4 | health data may be extended once by an additional 45 | ||||||
| 5 | calendar days when reasonably necessary, if the individual | ||||||
| 6 | is provided notice of the extension within the first | ||||||
| 7 | 45-day period. | ||||||
| 8 | (6) Neither a regulated entity nor a processor shall | ||||||
| 9 | be required to comply with an individual's request to | ||||||
| 10 | delete the individual's health data if it is necessary for | ||||||
| 11 | the regulated entity or the processor to maintain the | ||||||
| 12 | individual's health data to: | ||||||
| 13 | (A) provide a product, service, or service feature | ||||||
| 14 | to the individual to whom the health data pertains | ||||||
| 15 | when requested by that individual. In such cases, the | ||||||
| 16 | regulated entity shall confirm whether the individual | ||||||
| 17 | wishes the request for deletion to be treated as a | ||||||
| 18 | request to terminate the associated product, service, | ||||||
| 19 | or feature; | ||||||
| 20 | (B) execute or complete a financial or commercial | ||||||
| 21 | transaction, or to fulfill an order for a specific | ||||||
| 22 | product, good, or service requested by an individual | ||||||
| 23 | to whom the individual health data pertains, | ||||||
| 24 | including, but not limited to, associated routine | ||||||
| 25 | administrative, operational, and account-servicing | ||||||
| 26 | activity, such as billing, shipping, storage, and | ||||||
| |||||||
| |||||||
| 1 | accounting, or otherwise fulfill the requirements of | ||||||
| 2 | an agreement between the regulated entity and the | ||||||
| 3 | individual; | ||||||
| 4 | (C) prevent, detect, protect against, or respond | ||||||
| 5 | to a security incident, identity theft, fraud, | ||||||
| 6 | harassment, malicious or deceptive activities, or | ||||||
| 7 | activities that are illegal under the laws of this | ||||||
| 8 | State, or investigate, report, or prosecute those | ||||||
| 9 | responsible for any such activity; | ||||||
| 10 | (D) comply with an obligation under a law of this | ||||||
| 11 | State or federal law, including any applicable data | ||||||
| 12 | retention requirements in accordance with State and | ||||||
| 13 | federal law, including the data retention requirements | ||||||
| 14 | set forth in Section 6 of the Hospital Licensing Act, | ||||||
| 15 | 45 CFR 164.316, and 45 CFR 164.530; | ||||||
| 16 | (E) engage in public or peer-reviewed scientific, | ||||||
| 17 | historical, or statistical research in the public | ||||||
| 18 | interest that adheres to all other applicable ethics | ||||||
| 19 | and privacy laws, if the regulated entity's or | ||||||
| 20 | processor's deletion of the information is likely to | ||||||
| 21 | render impossible or seriously impair the achievement | ||||||
| 22 | of such research and if the individual has provided | ||||||
| 23 | consent to such use of the individual's health data; | ||||||
| 24 | (F) comply with any applicable data retention | ||||||
| 25 | requirements in accordance with State and federal law, | ||||||
| 26 | including the data retention requirements set forth in | ||||||
| |||||||
| |||||||
| 1 | Section 6 of the Hospital Licensing Act, 45 CFR | ||||||
| 2 | 164.316, and 45 CFR 164.530; or | ||||||
| 3 | (G) investigate, establish, exercise, prepare for, | ||||||
| 4 | or defend legal claims. | ||||||
| 5 | (d) An individual may exercise rights under this Section | ||||||
| 6 | by submitting a request to a regulated entity using the method | ||||||
| 7 | the regulated entity specifies in the privacy policy under | ||||||
| 8 | paragraph (10) of subsection (a) of Section 10. | ||||||
| 9 | (e) A regulated entity shall not engage in discriminatory | ||||||
| 10 | practices against an individual solely because the individual | ||||||
| 11 | has not provided consent to the sale or processing of the | ||||||
| 12 | individual's health data pursuant to this Act or has exercised | ||||||
| 13 | any other rights provided by this Act or guaranteed by law. | ||||||
| 14 | Discriminatory practices include, but are not limited to: | ||||||
| 15 | (1) denying goods or services to the individual; | ||||||
| 16 | (2) imposing additional requirements or restrictions | ||||||
| 17 | on the individual that would not be necessary if the | ||||||
| 18 | individual provided consent; | ||||||
| 19 | (3) providing materially different treatment to | ||||||
| 20 | individuals who provide consent, as compared to | ||||||
| 21 | individuals who do not provide consent; | ||||||
| 22 | (4) providing or suggesting that the individual will | ||||||
| 23 | receive a lower level or quality of goods or services. | ||||||
| 24 | For the purposes of this subsection, discriminatory | ||||||
| 25 | practices do not prohibit a regulated entity from suggesting | ||||||
| 26 | that the individual will receive a different price or rate for | ||||||
| |||||||
| |||||||
| 1 | goods or services or charging different prices or rates for | ||||||
| 2 | goods or services, including using discounts or other | ||||||
| 3 | benefits, when done in connection with an individual's | ||||||
| 4 | voluntary participation in a bona fide loyalty, rewards, | ||||||
| 5 | premium features, discounts, or club card program. | ||||||
| 6 | Section 30. Processors. | ||||||
| 7 | (a) A processor may process an individual's health data | ||||||
| 8 | only pursuant to a binding contract between the processor and | ||||||
| 9 | the regulated entity that sets forth the processing | ||||||
| 10 | instructions and limits the actions the processor may take | ||||||
| 11 | with respect to the individual health data it processes on | ||||||
| 12 | behalf of the regulated entity. A processor may process | ||||||
| 13 | individual health data only in a manner that is consistent | ||||||
| 14 | with the binding instructions set forth in the contract with | ||||||
| 15 | the regulated entity. | ||||||
| 16 | (b) A processor shall assist the regulated entity using | ||||||
| 17 | appropriate technical and organizational measures, whenever | ||||||
| 18 | possible, in fulfilling the regulated entity's obligations | ||||||
| 19 | under this Act. | ||||||
| 20 | (c) If a processor fails to adhere to the regulated | ||||||
| 21 | entity's instructions or processes individual health data in a | ||||||
| 22 | manner that is outside the scope of the processor's contract | ||||||
| 23 | with the regulated entity, the processor is considered a | ||||||
| 24 | regulated entity with regard to such data and is subject to all | ||||||
| 25 | the requirements of this Act with regard to such data. | ||||||
| |||||||
| |||||||
| 1 | (d) Determining whether a person is acting as a regulated | ||||||
| 2 | entity or processor with respect to a specific processing of | ||||||
| 3 | health data is a fact-based determination that depends upon | ||||||
| 4 | the context in which health data is to be processed. A | ||||||
| 5 | processor that continues to adhere to a regulated entity's | ||||||
| 6 | instructions with respect to a specific processing of health | ||||||
| 7 | data remains a processor. | ||||||
| 8 | (e) A regulated entity or processor that discloses health | ||||||
| 9 | data to a processor or third party in accordance with this Act | ||||||
| 10 | shall not be liable under this Act if the processor or third | ||||||
| 11 | party receiving the health data violates this Act, so long as | ||||||
| 12 | the disclosing regulated entity or processor did not have | ||||||
| 13 | actual knowledge that the receiving processor or third-party | ||||||
| 14 | controller would violate this Act. A third party or processor | ||||||
| 15 | receiving personal data from a regulated entity or processor | ||||||
| 16 | in compliance with this Act is not liable under this Act for | ||||||
| 17 | violations committed by the regulated entity or processor that | ||||||
| 18 | disclosed the health data. | ||||||
| 19 | Section 35. Authentication of an individual's identity. | ||||||
| 20 | (a) A regulated entity that receives an individual's | ||||||
| 21 | request to confirm or delete may take reasonable measures to | ||||||
| 22 | authenticate the individual's identity, or authorized agent's | ||||||
| 23 | identity, to a reasonably high degree of certainty. A | ||||||
| 24 | reasonably high degree of certainty may include matching at | ||||||
| 25 | least 3 pieces of personal information provided by the | ||||||
| |||||||
| |||||||
| 1 | individual, or the individual's authorized agent, with | ||||||
| 2 | personal information maintained by the regulated entity that | ||||||
| 3 | the regulated entity has determined to be reliable for the | ||||||
| 4 | purpose of authenticating the individual, or the individual's | ||||||
| 5 | authorized agent, together with a signed declaration under | ||||||
| 6 | penalty of perjury that the individual or the individual's | ||||||
| 7 | authorized agent making the request is the individual or the | ||||||
| 8 | individual's authorized agent whose health data is the subject | ||||||
| 9 | of the request. If a regulated entity uses this method for | ||||||
| 10 | authentication, the regulated entity shall make all forms | ||||||
| 11 | necessary for authentication of an individual's or the | ||||||
| 12 | individual's authorized agent's identity available to the | ||||||
| 13 | individual or the individual's authorized agent and shall | ||||||
| 14 | maintain all signed declarations as part of its recordkeeping | ||||||
| 15 | obligations. | ||||||
| 16 | (b) A regulated entity is not required to comply with an | ||||||
| 17 | individual's or the individual's authorized agent's request to | ||||||
| 18 | confirm or delete if the regulated entity, using commercially | ||||||
| 19 | reasonable efforts, is unable to authenticate the identity of | ||||||
| 20 | the individual or the individual's authorized agent making the | ||||||
| 21 | request. If a regulated entity is unable to authenticate the | ||||||
| 22 | individual's or the individual's authorized agent's identity, | ||||||
| 23 | the regulated entity shall inform the individual or the | ||||||
| 24 | individual's authorized agent that it was unable to | ||||||
| 25 | authenticate the individual's or the individual's authorized | ||||||
| 26 | agent's identity and advise the individual or the individual's | ||||||
| |||||||
| |||||||
| 1 | authorized agent of other methods, if available, of | ||||||
| 2 | authenticating the individual's or the individual's authorized | ||||||
| 3 | agent's identity. | ||||||
| 4 | (c) If a regulated entity denies an authenticated | ||||||
| 5 | individual's request to delete that individual's health data, | ||||||
| 6 | in whole or in part, because of a conflict with federal or | ||||||
| 7 | State law, the regulated entity shall inform the requesting | ||||||
| 8 | individual and explain the basis for the denial, unless | ||||||
| 9 | prohibited from doing so by law. | ||||||
| 10 | (d) Any information provided by an individual or the | ||||||
| 11 | individual's authorized agent to a regulated entity for the | ||||||
| 12 | purpose of authenticating the individual's or the individual's | ||||||
| 13 | authorized agent's identity shall not be used for any purpose | ||||||
| 14 | other than authenticating the individual's identity and shall | ||||||
| 15 | be destroyed immediately following the authentication process. | ||||||
| 16 | Section 40. Individual health data security and | ||||||
| 17 | minimization. | ||||||
| 18 | (a) A regulated entity shall restrict access to health | ||||||
| 19 | data to only the employees, processors, and contractors, | ||||||
| 20 | subcontractors, agents, and third parties of the regulated | ||||||
| 21 | entity for whom access is necessary to provide a product or | ||||||
| 22 | service that the individual to whom the health data relates | ||||||
| 23 | has requested from the regulated entity. | ||||||
| 24 | (b) A regulated entity shall establish, implement, and | ||||||
| 25 | maintain administrative, technical, and physical data security | ||||||
| |||||||
| |||||||
| 1 | practices that at least satisfy a reasonable standard of care | ||||||
| 2 | within the regulated entity's industry to protect the | ||||||
| 3 | confidentiality, integrity, and accessibility of health data | ||||||
| 4 | appropriate to the volume and nature of the personal data at | ||||||
| 5 | issue. | ||||||
| 6 | (c) A regulated entity in possession of deidentified data | ||||||
| 7 | shall: | ||||||
| 8 | (1) take reasonable measures to ensure that such data | ||||||
| 9 | cannot be associated with an individual; | ||||||
| 10 | (2) publicly commit to process such data only in a | ||||||
| 11 | deidentified fashion and not attempt to reidentify such | ||||||
| 12 | data; and | ||||||
| 13 | (3) contractually obligate any recipients of such data | ||||||
| 14 | to satisfy the criteria set forth in items (1) and (2). | ||||||
| 15 | Section 45. Prohibition on geofencing. It is unlawful for | ||||||
| 16 | a regulated entity to implement a geofence around any entity | ||||||
| 17 | that provides in-person health care services and products | ||||||
| 18 | where the geofence is used to: | ||||||
| 19 | (1) identify or track individuals seeking health care | ||||||
| 20 | services or products, or to determine whether the | ||||||
| 21 | individual is seeking health care services or products; or | ||||||
| 22 | (2) collect data from an individual who enters the | ||||||
| 23 | virtual perimeter. | ||||||
| 24 | Section 50. Limits on access to an individual's health | ||||||
| |||||||
| |||||||
| 1 | information by government agencies, officials, and law | ||||||
| 2 | enforcement. | ||||||
| 3 | (a) A regulated entity shall not disclose an individual's | ||||||
| 4 | health data to a federal, State, or local governmental agency, | ||||||
| 5 | official, or law enforcement agent or agency unless: (1) | ||||||
| 6 | disclosure is requested by the individual to whom the health | ||||||
| 7 | data pertains or (2) the governmental entity or official | ||||||
| 8 | serves the regulated entity with a valid warrant, except as | ||||||
| 9 | prohibited under the laws of this State, including, but not | ||||||
| 10 | limited to, Section 3.5 of the Uniform Interstate Depositions | ||||||
| 11 | and Discovery Act. | ||||||
| 12 | (b) A regulated entity shall not collect, sell, share, | ||||||
| 13 | allow access to, or disclose an individual's health data to | ||||||
| 14 | any state or local jurisdiction for the purpose of | ||||||
| 15 | investigating or enforcing a law that denies or interferes | ||||||
| 16 | with an individual's right to obtain any lawful health care | ||||||
| 17 | services as defined by the Lawful Health Care Activity Act. | ||||||
| 18 | Section 55. Private right of action. Any person aggrieved | ||||||
| 19 | by a violation of this Act shall have a right of action in a | ||||||
| 20 | State circuit court or as a supplemental claim in federal | ||||||
| 21 | district court against an offending party. A prevailing party | ||||||
| 22 | may recover for each violation: | ||||||
| 23 | (1) against any offending party that negligently | ||||||
| 24 | violates a provision of this Act, damages in the amount of | ||||||
| 25 | $1,000 or compensatory damages, whichever is greater; | ||||||
| |||||||
| |||||||
| 1 | (2) against any offending party that intentionally or | ||||||
| 2 | recklessly violates a provision of this Act, damages in | ||||||
| 3 | the amount of $5,000 or compensatory damages, whichever is | ||||||
| 4 | greater; | ||||||
| 5 | (3) reasonable attorney's fees and costs, including | ||||||
| 6 | expert witness fees and other litigation expenses; and | ||||||
| 7 | (4) other relief, including an injunction, as the | ||||||
| 8 | State or federal court may deem appropriate. | ||||||
| 9 | Section 60. Enforcement by the Attorney General. The | ||||||
| 10 | Attorney General may enforce a violation of this Act as an | ||||||
| 11 | unlawful practice under the Consumer Fraud and Deceptive | ||||||
| 12 | Business Practices Act. All rights and remedies provided by | ||||||
| 13 | the Attorney General under the Consumer Fraud and Deceptive | ||||||
| 14 | Business Practices Act shall be available for enforcement of a | ||||||
| 15 | violation of this Act. | ||||||
| 16 | Section 65. Conflicts with other laws. | ||||||
| 17 | (a) Nothing in this Act shall be construed to prohibit the | ||||||
| 18 | lawful and authorized disclosure of health data by regulated | ||||||
| 19 | entities to local health departments or State government | ||||||
| 20 | agencies or by or among local health departments and State | ||||||
| 21 | government agencies as may be required by State and federal | ||||||
| 22 | law, including under the Adult Protective Services Act, the | ||||||
| 23 | Abused and Neglected Child Reporting Act, the Criminal Code of | ||||||
| 24 | 2012, and the Disclosure of Offenses Against Children Act. | ||||||
| |||||||
| |||||||
| 1 | (b) This Act shall not be construed to conflict with, or | ||||||
| 2 | limit the application of, any of the following laws, rules, or | ||||||
| 3 | regulations governing the sharing, collection, processing, or | ||||||
| 4 | disclosure of personal information or health data: the Medical | ||||||
| 5 | Patient Rights Act; the Hospital Licensing Act; Sections 2, 4, | ||||||
| 6 | 5, 6, 7, 8, 9, 9.3, 9.8, and 11 of the Mental Health and | ||||||
| 7 | Developmental Disabilities Confidentiality Act; subsections | ||||||
| 8 | (c) through (f) of Section 10 of the Mental Health and | ||||||
| 9 | Developmental Disabilities Confidentiality Act; and Sections | ||||||
| 10 | 8-2001 and 8-2001.5 of the Code of Civil Procedure. | ||||||
| 11 | (c) In the event of a conflict between the provisions of | ||||||
| 12 | this Act and any other law, rule, or regulation listed in | ||||||
| 13 | subsection (b), the law, rule, or regulation that provides the | ||||||
| 14 | greater right, benefit, or protection to individuals shall | ||||||
| 15 | apply. Nothing in this Act shall be construed to diminish or | ||||||
| 16 | limit any rights, benefits, or protections afforded under the | ||||||
| 17 | laws, rules, or regulations referenced in subsection (b). | ||||||
| 18 | Section 70. Exemptions. | ||||||
| 19 | (a) This Act shall not apply to: | ||||||
| 20 | (1) information that meets the definition of: | ||||||
| 21 | (A) protected health information, as defined by, | ||||||
| 22 | and for purposes of the Health Insurance Portability | ||||||
| 23 | and Accountability Act of 1996, Public Law 104-191, | ||||||
| 24 | and related regulations; | ||||||
| 25 | (B) patient identifying information collected, | ||||||
| |||||||
| |||||||
| 1 | used, or disclosed in accordance with 42 CFR Part 2, | ||||||
| 2 | established pursuant to 42 U.S.C. 290dd-2; | ||||||
| 3 | (C)(i) identifiable private information for | ||||||
| 4 | purposes of the federal policy for the protection of | ||||||
| 5 | human subjects, 45 CFR Part 46; | ||||||
| 6 | (ii) identifiable private information that is | ||||||
| 7 | otherwise information collected as part of human | ||||||
| 8 | subjects research pursuant to the Good Clinical | ||||||
| 9 | Practice guidelines issued by the International | ||||||
| 10 | Council for Harmonisation of Technical Requirements | ||||||
| 11 | for Pharmaceuticals for Human Use; | ||||||
| 12 | (iii) the protection of human subjects under 21 | ||||||
| 13 | CFR Parts 50 and 56; or | ||||||
| 14 | (iv) personal data used or shared in research | ||||||
| 15 | conducted in accordance with one or more of the | ||||||
| 16 | requirements set forth in this subparagraph (C); | ||||||
| 17 | (D) information and documents created for purposes | ||||||
| 18 | of the federal Health Care Quality Improvement Act of | ||||||
| 19 | 1986, Public Law 99-660, and related regulations; | ||||||
| 20 | (E) patient safety work product for purposes of 42 | ||||||
| 21 | CFR Part 3, established pursuant to 42 U.S.C. 299b-21 | ||||||
| 22 | through 42 U.S.C. 299b-26; or | ||||||
| 23 | (F) information that is deidentified in accordance | ||||||
| 24 | with the requirements for deidentification set forth | ||||||
| 25 | in 45 CFR Part 164, and derived from any of the health | ||||||
| 26 | care-related information listed under this paragraph; | ||||||
| |||||||
| |||||||
| 1 | (2) information originating from and intermingled to | ||||||
| 2 | be indistinguishable with information under paragraph (1) | ||||||
| 3 | that is maintained by: | ||||||
| 4 | (A) a covered entity or a business associate, as | ||||||
| 5 | defined in 45 CFR 160.103, subject to and in | ||||||
| 6 | substantial compliance with the Health Insurance | ||||||
| 7 | Portability and Accountability Act of 1996, Public Law | ||||||
| 8 | 104-191, and to the extent such entity is acting as a | ||||||
| 9 | covered entity or business associate under the Privacy | ||||||
| 10 | and Security rules issued by the United States | ||||||
| 11 | Department of Health and Human Services, Parts 160 and | ||||||
| 12 | 164 of Title 45 of the Code of Federal Regulations; | ||||||
| 13 | (B) a health care facility, including a private | ||||||
| 14 | hospital, clinic, center, medical school, medical | ||||||
| 15 | training institution, laboratory or diagnostic | ||||||
| 16 | facility, physician's office, infirmary, dispensary, | ||||||
| 17 | ambulatory surgical treatment center, or other | ||||||
| 18 | institution or location wherein health care services | ||||||
| 19 | are provided to any person, including physician | ||||||
| 20 | organizations and associations, networks, joint | ||||||
| 21 | ventures, and all other combinations of those | ||||||
| 22 | organizations; | ||||||
| 23 | (C) a health care provider, including a physician, | ||||||
| 24 | hospital facility, or other person that is licensed or | ||||||
| 25 | otherwise authorized to deliver health care services; | ||||||
| 26 | or | ||||||
| |||||||
| |||||||
| 1 | (D) a program or a qualified service organization | ||||||
| 2 | as defined in 42 CFR 2.11; or | ||||||
| 3 | (3) information used only for public health activities | ||||||
| 4 | and purposes as described in 45 CFR 164.512 or that is part | ||||||
| 5 | of a limited data set, as defined in 45 CFR 164.514, and is | ||||||
| 6 | used, disclosed, and maintained in the manner required, by | ||||||
| 7 | 45 CFR 164.514. | ||||||
| 8 | (b) Personal information that is governed by and | ||||||
| 9 | collected, used, or disclosed pursuant to the following laws | ||||||
| 10 | or regulations is exempt from this Act: (1) the | ||||||
| 11 | Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., and | ||||||
| 12 | implementing regulations; (2) Part C of Title XI of the Social | ||||||
| 13 | Security Act, 42 U.S.C. 1320d et seq.; (3) The Fair Credit | ||||||
| 14 | Reporting Act, 15 U.S.C. 1681 et seq.; (4) the Family | ||||||
| 15 | Educational Rights and Privacy Act, 20 U.S.C. 1232g; Part 99 | ||||||
| 16 | of Title 34 of the Code of Federal Regulations; or (5) the | ||||||
| 17 | Insurance Information and Privacy Protection Article of the | ||||||
| 18 | Illinois Insurance Code, the Insurance Data Security Law, and | ||||||
| 19 | any corresponding privacy protection rules adopted by the | ||||||
| 20 | Department of Insurance. | ||||||
| 21 | Section 97. Severability. The provisions of this Act are | ||||||
| 22 | severable under Section 1.31 of the Statute on Statutes. | ||||||
| 23 | Section 500. The Consumer Fraud and Deceptive Business | ||||||
| 24 | Practices Act is amended by adding Section 2MMMM as follows: | ||||||
| |||||||
| |||||||
| 1 | (815 ILCS 505/2MMMM new) | ||||||
| 2 | Sec. 2MMMM. Violations of the Protect Health Data Privacy | ||||||
| 3 | Act. Only for purposes of enforcing Section 60 of the Protect | ||||||
| 4 | Health Data Privacy Act, any person who violates the Protect | ||||||
| 5 | Health Data Privacy Act commits an unlawful practice within | ||||||
| 6 | the meaning of this Act. | ||||||
| 7 | Section 999. Effective date. This Act takes effect August | ||||||
| 8 | 1, 2027, except that Section 55 takes effect February 1, | ||||||
| 9 | 2028.". | ||||||
