Illinois 2023-2024 Regular Session

Illinois Senate Bill SB3080 Compare Versions

Only one version of the bill is available at this time.
103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
SB3080

Introduced 2/2/2024, by Sen. Celina Villanueva

SYNOPSIS AS INTRODUCED:
New Act
815 ILCS 505/2EEEE new

Creates the Protect Health Data Privacy Act. Provides that a regulated entity shall disclose and maintain a health data privacy policy that clearly and conspicuously discloses specified information. Sets forth provisions concerning health data privacy policies. Provides that a regulated entity shall not collect, share, or store health data, except in specified circumstances. Provides that it is unlawful for any person to sell or offer to sell health data concerning a consumer without first obtaining valid authorization from the consumer. Provides that a valid authorization to sell consumer health data must contain specified information; a copy of the signed valid authorization must be provided to the consumer; and the seller and purchaser of health data must retain a copy of all valid authorizations for sale of health data for 6 years after the date of its signature or the date when it was last in effect, whichever is later. Sets forth provisions concerning the consent required for collection, sharing, and storage of health data. Provides that a consumer has the right to withdraw consent from the collection, sharing, sale, or storage of the consumer's health data. Provides that it is unlawful for a regulated entity to engage in discriminatory practices against consumers solely because they have not provided consent to the collection, sharing, sale, or storage of their health data or have exercised any other rights provided by the provisions or guaranteed by law. Sets forth provisions concerning a consumer's right to confirm whether a regulated entity is collecting, selling, sharing, or storing any of the consumer's health data; a consumer's right to have the consumer's health data that is collected by a regulated entity deleted; prohibitions regarding geofencing; and consumer health data security. Provides that any person aggrieved by a violation of the provisions shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party. Provides that the Attorney General may enforce a violation of the provisions as an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act. Defines terms. Makes a conforming change in the Consumer Fraud and Deceptive Business Practices Act.

LRB103 38349 SPS 68484 b

A BILL FOR
AN ACT concerning regulation.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 1. Short title. This Act may be cited as the Protect Health Data Privacy Act.

Section 5. Definitions. As used in this Act:

"Collect" means to buy, rent, lease, access, retain, receive, or acquire health data in any manner.

"Consent" means a clear affirmative act by a consumer that unambiguously communicates the consumer's express, freely given, informed, opt-in, voluntary, specific, and unambiguous written agreement, including written consent provided by electronic means, to the collection, sale, sharing, or storage of health data. Consent may not be implied, and consent cannot be obtained by:
    (1) acceptance of a general or broad terms of use agreement or a similar document that contains descriptions of personal data processing along with other, unrelated information;
    (2) hovering over, muting, pausing, or closing a given piece of digital content; or
    (3) agreement obtained through the use of deceptive designs.
"Consumer" means a person who is a resident of this State, however identified, including by any unique identifier. A person located in this State when the person's health data is collected by a regulated entity shall create a presumption that the person is a resident of this State for purposes of enforcing this Act. "Consumer" does not include an individual acting in a commercial or employment context.

"Deceptive design" means any user interface or element thereof that has the substantial effect of subverting, impairing, or impeding an individual's autonomy, decision-making, or choice.

"Deidentified data" means data that cannot be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such individual. A regulated entity that possesses deidentified data shall: (i) take reasonable measures to ensure that such data cannot be associated with an individual; (ii) publicly commit to process such data only in a deidentified fashion and not attempt to reidentify such data; and (iii) contractually obligate any recipients of such data to satisfy the criteria set forth in items (i) and (ii).

"Geofence" means technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, wireless Internet data, or any other form of spatial or location detection to establish a virtual boundary around a specific physical location or to locate a
consumer within a virtual boundary. For the purposes of this Act, "geofence" means a virtual boundary that is no more than 1,750 feet around a specific physical location that provides health services.

"Health data" means information regarding, relating to, derived, or extrapolated from the past, present, or future physical or mental health of a consumer, including, but not limited to, any information relating to:
    (1) individual health conditions, treatment, status, diseases, or diagnoses;
    (2) health related surgeries or procedures;
    (3) use or purchase of medication;
    (4) social, psychological, behavioral, and medical interventions;
    (5) bodily functions, vital signs, measurements, or symptoms;
    (6) diagnoses or diagnostic testing, treatment, or medication;
    (7) efforts to research or obtain health services or supplies;
    (8) health services or products that support or relate to lawful health care, as defined by Public Act 102-1117;
    (9) precise location information that could reasonably be used to determine a consumer's attempt to acquire or receive health services or supplies; and
    (10) any information described in paragraphs (1)
through (9) that is derived or extrapolated from non-health information, including by use of algorithms or machine learning, if such information is used or processed in connection with the advertising, marketing, or provision of health services.

"Health data" does not include:
    (1) personal information collected with the consumer's consent that is used to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that determines that the regulated entity has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification; or
    (2) deidentified data.

"Health services" means any service, medical care, or information related to a consumer's health data provided to a consumer.

"HIPAA" means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, the Health Information Technology for Economic and Clinical Health Act, and any subsequent amendments thereto and any regulations promulgated thereunder, including the Privacy Rule, as
specified in 45 CFR 164.500-534, the Security Rule, as specified in 45 CFR 164.302-318, and the Breach Notification rule, as specified in 45 CFR 164.400-414.

"Homepage" means the introductory page of a website where personal information is collected. In the case of an online service, such as a mobile application, "homepage" means the application's platform page or download page, such as from the application configuration, "About" page, "Information" page, or settings page, and any other location that allows consumers to review the notice.

"Personal information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or linked, directly or indirectly, with a particular consumer or household. "Personal information" does not include publicly available information or deidentified data.

"Precise location information" means information that identifies the location of an individual within a radius of 1,750 feet. "Precise location information" does not include: (i) the content of communications, or (ii) any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

"Processor" means an individual or legal entity that processes health data on behalf of a regulated entity pursuant to a written agreement or contract. "Process" or "processing" means arranging, storing, organizing, structuring, retrieving,
transmission, or the otherwise making available of data.

"Publicly available" means information that is lawfully made available from federal, State, or local government records.

"Regulated entity" means any individual, partnership, corporation, limited liability company, association, or other group, however organized, that: (i) conducts business in this State or produces products or services that are available to consumers in this State; and (ii) for any purpose, handles, collects, shares, sells, stores or otherwise deals with health data. "Regulated entity" does not include government agencies, tribal nations, a clerk of the court, or a judge or justice thereof, or contracted service providers when processing consumer health data on behalf of the government agency. "Regulated entity" does not include any entity that is a covered entity or a business associate, as defined in Section 160.103 of Title 45 of the Code of Federal Regulations, subject to and in compliance with HIPAA to the extent such entity is acting as a covered entity or business associate under the Privacy and Security rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations. "Regulated entity" does not include any entity that is subject to and in compliance with restrictions on disclosure of records under Section 543 of the Public Health Service Act, 42 U.S.C. 290dd2, to the extent such entity is acting in a capacity
subject to such restrictions.

"Sell" or "sale" means when a regulated entity, directly or indirectly, receives any form of remuneration or other valuable consideration from the use of health data or from the recipient of the health data in exchange for the health data. "Sell" does not include:
    (1) the sharing of health data to a recipient where the regulated entity maintains control and ownership of the health data;
    (2) the sharing of health data to comply with applicable laws or regulations;
    (3) the use of the health data by an entity exclusively at the direction of the regulated entity and consistent with the purpose for which it was collected and disclosed; and
    (4) the transfer of health data to a third party as an asset as part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the regulated entity's assets that shall comply with the requirements and obligations in this Act.

"Share" means to release, disclose, disseminate, divulge, loan, make available, provide access to, license, or otherwise communicate orally, in writing, or by electronic or other means, health data by a regulated entity to a third party except where the regulated entity maintains exclusive control and ownership of the health data. "Share" does not include:
    (1) the disclosure of health data to a processor that collects or processes the personal data on behalf of the regulated entity, when the regulated entity maintains control and ownership of the data and the processor maintains or uses the health data only for the regulated entity's distinct purposes pursuant to a contract;
    (2) the disclosure of health data to a third party with whom the consumer has a direct relationship for purposes of and only to the extent necessary for providing a product or service requested by the consumer when the regulated entity maintains control and ownership of the data and the third party maintains or uses the health data only for the regulated entity's distinct purposes; or
    (3) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the regulated entity's assets and shall comply with the requirements and obligations in this Act.

"Strictly necessary" means essential or required to be done.

"Third party" means an entity other than a consumer, regulated entity, service provider, or affiliate of the regulated entity.

Section 10. Scope.
(a) This Act applies to consumers seeking, researching, or obtaining health services within this State, or information about health services available in this State and regulated entities.
(b) This Act does not affect an individual's right to voluntarily share the individual's own health care information with another person or entity.

Section 15. Health data privacy policy required.
(a) A regulated entity shall disclose and maintain a health data privacy policy that, in plain language, clearly and conspicuously discloses:
    (1) the specific types of health data collected and the purpose for which the data is collected and used;
    (2) the categories of sources from which the health data is collected;
    (3) the specific types of health data that are shared, sold, and stored;
    (4) the categories of third parties with whom the regulated entity collects, shares, sells, and stores health data, and the process to withdraw consent from having health data collected, shared, sold, and stored;
    (5) a list of the specific third parties to which the regulated entity shares health data, and an active electronic mail address or other online mechanism that the consumer may use to contact these third parties free of
charge;
    (6) how a consumer may exercise the rights provided in this Act, including, but not limited to, identifying 2 or more designated methods for a consumer to contact the regulated entity in connection with the exercise of any rights provided in this Act;
    (7) the length of time the regulated entity intends to retain each category of health data, or if that is not possible, the criteria used to determine that period; however, a regulated entity shall not retain health data for each disclosed purpose for which the health data was collected for longer than is reasonably necessary to fulfill that disclosed purpose; and
    (8) whether the regulated entity collects health data when the consumer is not directly interacting with the regulated entity or its services.
(b) A regulated entity shall prominently publish or link to its health data privacy policy on its website homepage, or in another manner that is clear and conspicuous to consumers. Its health data privacy policy must be distinguishable from other matters. Any regulated entity providing health services in a physical location shall also post its health data privacy policy in a conspicuous place that is readily available for viewing by consumers.
(c) A regulated entity shall not collect, share, sell, or store additional categories of health data not disclosed in
the health data privacy policy without first disclosing the additional categories of health data and obtaining the consumer's consent before the collection, sharing, selling, or storing of the health data.
(d) A regulated entity shall not collect, share, sell, or store health data for additional purposes not disclosed in the health data privacy policy without first disclosing the additional purposes and obtaining the consumer's consent before the collection, sharing, selling, or storing of the health data.
(e) It is a violation of this Act for a regulated entity to contract with a processor to process consumer health data in a manner that is inconsistent with the regulated entity's consumer health data privacy policy.

Section 20. Prohibition on collection, sharing, or storing of health data. A regulated entity shall not collect, share, or store health data, except:
    (1) with the consent of the consumer to whom the information relates for a specified purpose; or
    (2) as is strictly necessary to provide a product or service that the consumer to whom the health data relates has specifically requested from the regulated entity.

Section 25. Prohibition on sale of health data.
(a) It is unlawful for any person to sell or offer to sell
health data concerning a consumer without first obtaining valid authorization from the consumer. The sale of consumer health data must be consistent with the valid authorization signed by the consumer.
(b) A valid authorization to sell consumer health data is an agreement consistent with this Section and must be written in plain language. The valid authorization to sell consumer health data must contain the following:
    (1) the specific consumer health data concerning the consumer that the person intends to sell;
    (2) the name and contact information of any person or entity collecting and selling the health data;
    (3) the name and contact information of any person or entity purchasing the health data from the seller identified in paragraph (2) of this subsection;
    (4) a description of the purpose for the sale, including how the health data will be gathered and how it will be used by the purchaser identified in paragraph (3) of this subsection when sold;
    (5) a statement that the provision of goods or services may not be conditioned on the consumer signing the valid authorization;
    (6) a statement that the consumer has a right to revoke the valid authorization at any time and a description on how a consumer may revoke the valid authorization;
    (7) a statement that the consumer health data sold pursuant to the valid authorization may be subject to redisclosure by the purchaser and may no longer be protected by this Section;
    (8) an expiration date for the valid authorization that expires one year from when the consumer signs the valid authorization; and
    (9) the signature of the consumer and date.
(c) An authorization is not valid if the document has any of the following defects:
    (1) the expiration date has passed;
    (2) the authorization does not contain all the information required under this Section;
    (3) the authorization has been revoked by the consumer;
    (4) the authorization has been combined with other documents to create a compound authorization; or
    (5) the provision of goods or services is conditioned on the consumer signing the authorization.
(d) A copy of the signed valid authorization must be provided to the consumer.
(e) The seller and purchaser of health data must retain a copy of all valid authorizations for sale of health data for 6 years after the date of its signature or the date when it was last in effect, whichever is later.
Section 30. Consent required for collection, sharing, and storage of health data.

(a) A regulated entity shall not seek consent to collect, share, or store health data without first disclosing its health data privacy policy as required under Section 15.

(b) Consent required under this Section must be obtained before the collection, sharing, or storing, as applicable, of any health data, and the request for consent must clearly and conspicuously disclose, separate and apart from its health data privacy policy:
(1) the categories of health data collected, sold, shared, or stored;
(2) the purpose of the collection, sharing, or storage of the health data, including the specific ways in which it will be used; and
(3) how the consumer can withdraw consent from future collection, sharing, or storage of their health data.

(c) Consent required under this Section must be obtained before the use of any health data for any additional purpose that was not specified before obtaining a consumer's consent for the use of the health data.

Section 35. Right to withdraw consent. A consumer has the right to withdraw consent from the collection, sharing, sale, or storage of the consumer's health data, consistent with the requirements of Section 30.

Section 40. Prohibition on discriminatory practices.

(a) It is unlawful for a regulated entity to engage in discriminatory practices against a consumer solely because the consumer has not provided consent to the collection, sharing, sale, or storage of the consumer's health data pursuant to this Act, or has exercised any other rights provided by this Act or guaranteed by law. Discriminatory practices include, but are not limited to:
(1) denying or limiting goods or services to the consumer;
(2) imposing additional requirements or restrictions on the individual that would not be necessary if the consumer provided their consent;
(3) providing materially different treatment to consumers who provide consent as compared to consumers who do not provide consent;
(4) providing or suggesting that the consumer will receive a lower level or quality of goods or services;
(5) suggesting that the consumer will receive a different price or rate for goods or services; or
(6) charging different prices or rates for goods or services, including using discounts or other benefits or imposing penalties.

(b) It shall not be a discriminatory practice under this Section to use health data as is strictly necessary to provide a product or service that the consumer to whom the health data relates has specifically requested from a regulated entity.

Section 45. Right to confirm. A consumer has the right to confirm whether a regulated entity is collecting, selling, sharing, or storing any of the consumer's health data, and to confirm that a regulated entity has deleted the consumer's health data following a deletion request pursuant to Section 50. A regulated entity that receives a consumer request to confirm shall respond within 45 calendar days after receiving the request to confirm from the consumer. The regulated entity shall, without reasonable delay, promptly take all steps necessary to verify the consumer's request, but this shall not extend the regulated entity's duty to respond within 45 days of receipt of the consumer's request. The time period to provide the required confirmation may be extended once by an additional 45 calendar days when reasonably necessary, if the consumer is provided notice of the extension within the first 45-day period.

Section 50. Right to deletion.

(a) A consumer has the right to have the consumer's health data that is collected by a regulated entity deleted by informing the regulated entity of the consumer's request for deletion, except as provided in subsection (g).

(b) Except as otherwise specified in subsection (f), a regulated entity that receives a consumer request to delete any of the consumer's health data shall without unreasonable delay, and no more than 45 calendar days from receiving the deletion request:
(1) delete the consumer's health data from its records, including from all parts of the regulated entity's network; and
(2) notify all service providers, contractors, and third parties with whom the regulated entity has shared the consumer's health data of the deletion request.

(c) If a regulated entity stores any health data on archived or backup systems, it may delay compliance with the consumer's request to delete with respect to the health data stored on the archived or backup system until the archived or backup system relating to that data is restored to an active system or is next accessed or used.

(d) Any processor, service provider, contractor, and other third party that receives notice of a consumer's deletion request from a regulated entity shall honor the consumer's deletion request and delete the health data from the regulated entity's records, including from all parts of its network or backup systems.

(e) A consumer or a consumer's authorized agent may exercise the rights set forth in this Act by submitting a request, at any time, to a regulated entity. Such a request may be made by:
(1) contacting the regulated entity through the manner included in its health data privacy policy;
(2) by designating an authorized agent who may exercise the rights on behalf of the consumer;
(3) in the case of collecting health data of a minor, the minor seeking health services may exercise their rights under this Act, or the parent or legal guardian of the minor may exercise the rights of this Act on the minor's behalf; or
(4) in the case of collecting health data concerning a consumer subject to guardianship, conservatorship, or other protective arrangement under the Probate Act of 1975, the guardian or the conservator of the consumer may exercise the rights of this Act on the consumer's behalf.

(f) The time period to delete any of the consumer's health data may be extended once by an additional 30 calendar days when reasonably necessary, if the consumer is provided notice of the extension within the first 30-day period.

(g) Neither a regulated entity nor a processor shall be required to comply with a consumer's request to delete the consumer's health data if it is necessary for the regulated entity or the processor to maintain the consumer's health data to:
(1) complete the transaction for which the health data was collected, provide a good or service requested by the consumer, or otherwise fulfill the requirements of an agreement between the regulated entity and the consumer;
(2) detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, if the use of health data for such purposes is limited in time pursuant to a valid record retention schedule;
(3) engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, if the entities' deletion of the information is likely to render impossible or seriously impair the achievement of such research, and if the consumer has provided consent to such use of their health data;
(4) comply with an applicable legal obligation, such as data retention requirements set forth in Section 6 of the Hospital Licensing Act, 45 CFR 164.316, and 45 CFR 164.530;
(5) comply with an applicable legal obligation if the regulated entity has been notified, in writing by an attorney, that there is litigation pending in court involving the consumer's health data as possible evidence and that the consumer is their client or is the person who has instituted the litigation against their client, then the regulated entity shall retain the record of that consumer until notified in writing by the plaintiff's attorney, with the approval of the defendant's attorney of record, that the case in court involving the record has been concluded or for a period of 12 years after the date that the record was produced, whichever occurs first in time; or
(6) otherwise use the consumer's health data, internally, in a lawful manner that is compatible with the context in which the consumer provided their health data.

Section 55. Authentication of consumer identity.

(a) A regulated entity that receives a consumer request to confirm or delete may take reasonable measures to authenticate the consumer's identity to a reasonably high degree of certainty. A reasonably high degree of certainty may include matching at least 3 pieces of personal information provided by the consumer with personal information maintained by the regulated entity that it has determined to be reliable for the purpose of authenticating the consumer together with a signed declaration under penalty of perjury that the consumer making the request is the consumer whose health data is the subject of the request. If a regulated entity uses this method for authentication, the regulated entity shall make all forms necessary for authentication of a consumer's identity available to consumers, and shall maintain all signed declarations as part of its recordkeeping obligations.

(b) A regulated entity is not required to comply with a consumer request to confirm or delete if the regulated entity, using commercially reasonable efforts, is unable to authenticate the identity of the consumer making the request.
If a regulated entity is unable to authenticate the consumer's identity, the regulated entity shall inform the consumer that it was unable to authenticate the consumer's identity and advise the consumer of other methods, if available, of authenticating their identity.

(c) If a regulated entity denies an authenticated consumer request to delete that consumer's health data, in whole or in part, because of a conflict with federal or State law, the regulated entity shall inform the requesting consumer and explain the basis for the denial, unless prohibited from doing so by law.

(d) Any information provided by a consumer to a regulated entity for the purpose of authenticating the consumer's identity shall not be used for any purpose other than authenticating the consumer's identity and shall be destroyed immediately following the authentication process.

Section 60. Consumer health data security and minimization.

(a) A regulated entity shall restrict access to health data by the employees, processors, service providers, and contractors of the regulated entity to only those employees, processors, service providers, and contractors for which access is necessary to provide a product or service that the consumer to whom the health data relates has requested from the regulated entity.
(b) A regulated entity shall establish, implement, and maintain administrative, technical, and physical data security practices that at least satisfy a reasonable standard of care within the regulated entity's industry to protect the confidentiality, integrity, and accessibility of health data appropriate to the volume and nature of the personal data at issue.

Section 65. Prohibition on geofencing.

(a) It shall be unlawful for any person to implement a geofence that enables the sending of a notification, message, alert, or other piece of information to a consumer that enters the perimeter around any entity that provides health services.

(b) It shall be unlawful for any person to implement a geofence around any entity that provides in-person health care services where the geofence is used to identify, track, or collect data from a consumer that enters the virtual perimeter.

Section 70. Private right of action. Any person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party. A prevailing party may recover for each violation:
(1) against any offending party that negligently violates a provision of this Act, liquidated damages of $1,000 or actual damages, whichever is greater;
(2) against any offending party that intentionally or recklessly violates a provision of this Act, liquidated damages of $5,000 or actual damages, whichever is greater;
(3) reasonable attorney's fees and costs, including expert witness fees and other litigation expenses; and
(4) other relief, including an injunction, as the State or federal court may deem appropriate.

Section 75. Enforcement by the Attorney General. The Attorney General may enforce a violation of this Act as an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act. All rights and remedies provided the Attorney General under the Consumer Fraud and Deceptive Business Practices Act shall be available for enforcement of a violation of this Act.

Section 80. Conflict with other laws.

(a) Nothing in this Act shall be construed to prohibit the lawful and authorized disclosure of health data by regulated entities to local health departments or State government agencies or by or among local health departments and State government agencies as may be required by State and federal law, including under the Adult Protective Services Act, the Abused and Neglected Child Reporting Act, the Criminal Code of 2012, and the Disclosure of Offenses Against Children Act.
(b) If any provision of this Act, or the application thereof to any person or circumstance, is held invalid, the remainder of this Act and the application of such provision to other persons not similarly situated or to other circumstances shall not be affected by the invalidation.

(c) This Act shall not apply to personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act, Public Law 106-102, and implementing regulations.

Section 900. The Consumer Fraud and Deceptive Business Practices Act is amended by adding Section 2EEEE as follows: