131st MAINE LEGISLATURE
FIRST SPECIAL SESSION-2023
Legislative Document No. 1902
H.P. 1217
House of Representatives, May 9, 2023

An Act to Protect Personal Health Data

Reference to the Committee on Judiciary suggested and ordered printed.
ROBERT B. HUNT, Clerk

Presented by Representative O'NEIL of Saco.
Cosponsored by Senator DAUGHTRY of Cumberland and Representatives: BRENNAN of Portland, MATHIESON of Kittery, RANA of Bangor, ROEDER of Bangor, SHEEHAN of Biddeford, SUPICA of Bangor, Speaker TALBOT ROSS of Portland, Senator: BRENNER of Cumberland.

Page 1 - 131LR2108(01)

is enacted to read:

This chapter may be known and cited as "the My Health My Data Act."

As used in this chapter, unless the context otherwise indicates, the following terms have the following meanings.

"Abortion" has the same meaning as in Title 22, section 1596, subsection 1, paragraph A.

"Affiliate" means a legal entity that shares common branding with another legal entity and controls, is controlled by or is under common control with another legal entity. For the purposes of this definition, "control" means:
    A. Ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting security of a company;
    B. Influence in any manner over the election of a majority of the directors or of individuals exercising similar functions; or
    C. The power to exercise direct influence over the management of a company.

"Biometric data" means data generated from the measurement or technological processing of an individual's physiological, biological or behavioral characteristics that can be used individually or in combination with other data to identify a consumer. "Biometric data" includes, but is not limited to:
    A. Imagery of the iris, retina, fingerprint, face, hand, palm and vein patterns and voice recordings, from which an identifier template can be extracted; or
    B. Keystroke patterns or rhythms, gait patterns or rhythms and sleep, health or exercise data that contain identifying information.

"Collect" means to buy, rent, access, retain, receive, acquire, infer, derive or otherwise process consumer health data in any manner.

"Consent" means an affirmative act by a consumer that clearly communicates a consumer's opt-in, voluntary, specific and unambiguous written authorization for an act or practice after having been informed, in response to a specific request from a regulated entity that meets the requirements of section 1350-P. "Consent" may include written consent provided by electronic means. "Consent" cannot be obtained by:
    A. A consumer's acceptance of a general or broad terms of use agreement or a similar document that contains descriptions of personal data processing along with other unrelated information;
    B. A consumer's hovering over, muting, pausing or closing a given piece of content;
    C. The use of any false, fictitious, fraudulent or materially misleading statement or representation; or
    D. The design, modification or manipulation of any user interface with the purpose or substantial effect of obscuring, subverting or impairing a reasonable consumer's autonomy, decision making or choice to provide such consent or any consumer health data.

"Consumer" means an individual who is a resident of this State or an individual whose consumer health data is collected in this State. "Consumer" does not include an individual acting in an employment context.

"Consumer health data" means personal information that describes or reveals the past, present or future physical health, mental health, disability, diagnosis or health condition of a consumer, including, but not limited to, any personal information relating to:
    A. Individual health conditions, treatment, status, diseases or diagnoses;
    B. Social, psychological, behavioral and medical interventions;
    C. Noncosmetic surgeries or health-related procedures;
    D. Use or purchase of medication;
    E. Bodily functions, vital signs, symptoms or measurements of the information described in this subsection;
    F. Diagnoses or diagnostic testing, treatment or medication;
    G. Efforts to research or obtain health care services or supplies;
    H. Gender-affirming care information;
    I. Reproductive or sexual health information;
    J. Biometric data related to information in paragraphs A to I;
    K. Genetic data related to information in paragraphs A to I;
    L. Precise location information that could reasonably indicate a consumer's attempt to acquire or receive health care services or supplies; or
    M. Any information described in paragraphs A to L that is derived or extrapolated from nonhealth information, such as proxy, derivative, inferred or emergent data, by any means, including algorithms or machine learning.
"Consumer health data" does not include personal information that is used to engage in public or peer-reviewed scientific, historical or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored and governed by an institutional review board, human subjects research ethics review board or a similar independent oversight entity that determines that the regulated entity has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with identification.

"Deceptive design" means a user interface designed or manipulated with the potential effect of subverting or impairing user autonomy, decision making or choice.

"Deidentified data" means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such individual, if the regulated entity that possesses such data takes reasonable measures to ensure that such data cannot be associated with an individual; publicly commits to process such data only in a deidentified form and not attempt to reidentify such data; and contractually obligates any recipients of such data to satisfy the criteria set forth in this subsection.

"Gender-affirming care information" means personal information relating to seeking or obtaining past, present or future gender-affirming care services. "Gender-affirming care information" includes, but is not limited to:
    A. Location information that could reasonably indicate a consumer's attempt to acquire or receive gender-affirming care services;
    B. Efforts to research or obtain gender-affirming care services; or
    C. Any gender-affirming care information that is derived, extrapolated or inferred, including from nonhealth information, such as proxy, derivative, inferred, emergent or algorithmic data.

"Gender-affirming care services" means health care services or products that support and affirm an individual's gender identity, including, but not limited to, social, psychological, behavioral, cosmetic, medical or surgical interventions. "Gender-affirming care services" includes, but is not limited to, treatments for gender dysphoria, gender-affirming hormone therapy and gender-affirming surgical procedures.

"Genetic data" means any data, regardless of its format, that concerns a consumer's genetic characteristics. "Genetic data" includes, but is not limited to:
    A. Raw sequence data that result from the sequencing of a consumer's complete extracted deoxyribonucleic acid, or DNA, or a portion of the extracted DNA;
    B. Genotypic and phenotypic information that results from analyzing the raw sequence data under paragraph A; and
    C. Self-reported health data that a consumer submits to a regulated entity and that is analyzed in connection with the consumer's raw sequence data under paragraph A.

"Geofence" means technology that uses global positioning system coordinates, cell tower connectivity, cellular data, radio frequency identification, wireless access point data or any other form of location detection to establish a virtual perimeter around a specific physical location.

"Health care services" means any services provided to a person to assess, measure, improve or learn about a person's health, including, but not limited to:
    A. Individual health conditions, treatment, status, diseases or diagnoses;
    B. Social, psychological, behavioral and medical interventions;
    C. Noncosmetic surgeries or health-related procedures;
    D. Use or purchase of medication;
    E. Bodily functions, vital signs, symptoms or measurements described in this subsection;
    F. Diagnoses or diagnostic testing, treatment or medication;
    G. Reproductive and sexual health services; or
    H. Gender-affirming care services.

"Homepage" means the introductory page of a publicly accessible website and any Internet webpage on which personal information is collected. In the case of an online service, such as a mobile application, "homepage" means the application's platform page or download page and a link within the application, such as from the application's configuration page, "about" page, "information" page or settings page.

"Person" means an individual, corporation, trust, unincorporated association or partnership.

"Personal information" means information that identifies, relates to, describes or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer. "Personal information" includes, but is not limited to, data associated with a persistent unique identifier, such as a so-called cookie, an Internet protocol address or a device identifier. "Personal information" does not include information that is in a public record held by a federal, state or local government. "Personal information" includes any biometric data collected about a consumer by a business without the consumer's knowledge. "Personal information" does not include deidentified data.

"Process" means any operation performed on consumer health data.

"Regulated entity" means any person that conducts business in this State or produces or provides products or services that are targeted to consumers in this State and that collects, shares or sells consumer health data or determines the purpose and means of processing consumer health data. "Regulated entity" does not include a government agency.

"Reproductive or sexual health information" means personal information relating to seeking or obtaining past, present or future reproductive or sexual health services. "Reproductive or sexual health information" includes, but is not limited to:
    A. Location information that could reasonably indicate a consumer's attempt to acquire or receive reproductive or sexual health services;
    B. Efforts to research or obtain reproductive or sexual health services; or
    C. Any reproductive or sexual health information that is derived, extrapolated or inferred, including from nonhealth information, such as proxy, derivative, inferred, emergent or algorithmic data.

"Reproductive or sexual health services" means health services or products that support or relate to an individual's reproductive system or sexual well-being, including, but not limited to:
    A. Individual health conditions, treatment, status, diseases or diagnoses;
    B. Social, psychological, behavioral and medical interventions;
    C. Health-related surgeries or procedures, including, but not limited to, abortions;
    D. Use or purchase of medication, including, but not limited to, medication for the purposes of abortion;
    E. Bodily functions, vital signs, symptoms or measurements described in this subsection;
    F. Diagnoses or diagnostic testing, treatment or medication; and
    G. Medical or nonmedical services related to and provided in conjunction with an abortion, including, but not limited to, associated diagnostics, counseling, supplies and follow-up services.

"Sell" or "sale" means, with respect to consumer health data, sharing or providing the data for monetary or other valuable consideration. "Sell" or "sale" does not include the sharing of consumer health data for monetary or other valuable consideration:
    A. To a 3rd party as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the 3rd party assumes control of all or part of the regulated entity's assets;
    B. By an individual selling the individual's own consumer health data pursuant to a written contract of sale with a 3rd party; or
    C. By a regulated entity to a service provider when such sharing is consistent with the purpose for which the consumer health data was collected.

"Service provider" means a person that processes consumer health data on behalf of a regulated entity.

"Share" means, with respect to consumer health data, the release of, disclosure of, dissemination of, divulging of, making available of, providing access to, licensing of or otherwise communicating orally, in writing or by electronic or other means, consumer health data by a regulated entity to a 3rd party or affiliate. "Share" does not include:
    A. The disclosure of consumer health data by a regulated entity to a service provider when such sharing is consistent with the purpose for which the consumer health data was collected;
    B. The disclosure of consumer health data to a 3rd party with which the consumer has a direct relationship when:
        (1) The disclosure is for purposes of providing a product or service requested by the consumer;
        (2) The regulated entity maintains control and ownership of the data; and
        (3) The 3rd party uses the consumer health data only at the direction of the regulated entity and consistent with the purpose for which it was collected; or
    C. The disclosure or transfer of personal data to a 3rd party as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the 3rd party assumes control of all or part of the regulated entity's assets.

"Third party" means an entity other than a consumer, regulated entity, service provider or affiliate of the regulated entity.

A regulated entity shall maintain a consumer health data privacy policy that clearly and conspicuously discloses:
    A. The specific types of consumer health data collected and the purpose for which the data is collected, including the specific ways in which the data will be used;
    B. The sources from which the consumer health data is collected;
    C. The specific consumer health data that is shared;
    D. A list of 3rd parties and affiliates with which the regulated entity shares the consumer health data, including an active email address or other online mechanism that the consumer may use to contact the 3rd parties and affiliates;
    E. The length of time the regulated entity intends to retain each category of consumer health data, or, if it is not possible to identify that time frame, the criteria used to determine the length of time the regulated entity intends to retain categories of consumer health data; and
    F. How a consumer can exercise the rights provided in this chapter.

A regulated entity shall prominently publish its consumer health data privacy policy on its homepage.

A regulated entity may not collect, use or share additional categories of consumer health data not disclosed in the consumer health data privacy policy without first disclosing the additional categories and obtaining the consumer's consent prior to the collection, use or sharing of such consumer health data.

A regulated entity may not collect, use or share consumer health data for purposes not disclosed in the consumer health data privacy policy without first disclosing the additional purposes and obtaining the consumer's consent prior to the collection, use or sharing of such consumer health data.

It is a violation of this chapter for a regulated entity to contract with a service provider to process consumer health data in a manner that is inconsistent with the regulated entity's consumer health data privacy policy.

A request from a regulated entity to use consumer health data must meet the following requirements.

The request is provided to the consumer in a clear and conspicuous stand-alone disclosure made through the primary means used to offer the covered entity's product or service, or, if the product or service is not offered in a means that permits the making of the request under this paragraph, another means regularly used in conjunction with the covered entity's product or service.

The request includes a description of the processing purpose for which the consumer's consent is sought and:
    A. Clearly states the specific categories of consumer health data that the covered entity shall collect, process and transfer necessary to effectuate the processing purpose; and
    B. Includes a prominent heading and is written in easy-to-understand language that would enable a reasonable individual to identify and understand the processing purpose for which consent is sought and the consumer health data to be collected, processed or transferred by the covered entity for that processing purpose.

The request clearly explains the consumer's applicable rights related to consent.

The request is made in a manner reasonably accessible to and usable by a consumer with a disability.

The request is made available to the consumer in each language in which the covered entity provides a product or service for which authorization is sought.

The option to refuse consent must be at least as prominent as the option to accept, and the option to refuse consent must take the same number of steps or fewer as the option to accept.

Processing or transferring any consumer health data collected pursuant to the consumer's consent for a different processing purpose than that for which the consumer's consent was obtained requires the consumer's consent for the subsequent processing purpose.

A regulated entity may not collect any consumer health data except:
    A. With consent from the consumer for such collection for a specified purpose; or
    B. To the extent necessary to provide a product or service that the consumer to whom the consumer health data relates has requested from the regulated entity.

A regulated entity may not share any consumer health data except:
    A. With consent from the consumer for such sharing that is separate and distinct from the consent obtained to collect consumer health data; or
    B. To the extent necessary to provide a product or service that the consumer to whom the consumer health data relates has requested from the regulated entity.

Consent required under this section must be obtained prior to the collection or sharing, as applicable, of any consumer health data, and the request for consent must clearly and conspicuously disclose:
    A. The categories of consumer health data collected or shared;
    B. The purpose of the collection or sharing of the consumer health data, including the specific ways in which the data will be used;
    C. The entities with which the consumer health data will be shared; and
    D. How the consumer can withdraw consent from future collection or sharing of the consumer's health data.

A regulated entity may not discriminate against a consumer for exercising any rights under section 1350-Q.

A consumer has the following rights with respect to consumer health data concerning the consumer.
    A. A consumer has the right to confirm whether a regulated entity is collecting or sharing consumer health data concerning the consumer and to access the data, including a list of all 3rd parties and affiliates with whom or to whom the regulated entity has shared or sold the consumer health data and an active e-mail address or other online mechanism that the consumer may use to contact these 3rd parties.
    B. A consumer has the right to confirm that a regulated entity has not sold consumer health data concerning the consumer.
    C. A consumer has the right to withdraw consent from the regulated entity's collection and sharing of consumer health data concerning the consumer.
    D. A consumer has the right to have consumer health data concerning the consumer deleted and may exercise that right by informing the regulated entity of the consumer's request for deletion.

A regulated entity that receives a consumer's request to delete any consumer health data concerning the consumer shall without unreasonable delay and no more than 30 calendar days from receiving the deletion request:
    A. Delete the consumer health data from its records, including from all parts of the regulated entity's network or backup systems; and
    B. Notify all affiliates, service providers, contractors and other 3rd parties with which the regulated entity has shared consumer health data of the deletion request.
All affiliates, service providers, contractors and 3rd parties that receive notice of a consumer's deletion request shall honor the consumer's deletion request and delete the consumer health data from any possessed records, including from all parts of a network or backup system.

A consumer may exercise the rights set forth in this chapter by submitting a request, at any time, to a regulated entity. A request may be made by a secure and reliable method established by the regulated entity and described in its consumer health data privacy policy. The method must take into account the ways in which consumers normally interact with the regulated entity, the need for secure and reliable communication of such requests and the ability of the regulated entity to authenticate the identity of the consumer making the request. A regulated entity may not require a consumer to create a new account in order to exercise consumer rights pursuant to this chapter but may require a consumer to use an existing account.

A regulated entity shall restrict access to consumer health data by the employees, service providers and contractors of the regulated entity to only those employees, service providers and contractors for which access is necessary to further the purposes that are strictly necessary to provide a product or service that the consumer to whom the data relates has requested from the regulated entity and for which the consumer provided consent.

A regulated entity shall establish, implement and maintain administrative, technical and physical data security practices that, at a minimum, satisfy a reasonable standard of care within the regulated entity's industry to protect the confidentiality, integrity and accessibility of consumer health data appropriate to the volume and nature of the personal information at issue.

A regulated entity shall dispose of consumer health data in accordance with a retention schedule that requires the deletion of consumer health data when the data is required to be deleted by law or is no longer necessary for the purpose for which the data was collected, processed or transferred, unless an individual has provided consent to such retention. The disposal of consumer health data must include destroying, permanently erasing or otherwise modifying the consumer health data to make the data permanently unreadable or indecipherable and unrecoverable to ensure ongoing compliance with this section. A service provider shall establish practices to delete or return consumer health data to a regulated entity as requested at the end of the provision of services unless retention of the consumer health data is required by law.

A service provider may process consumer health data only pursuant to a binding contract between the service provider and the regulated entity that sets forth the processing instructions and limits the actions the service provider may take with respect to the consumer health data it processes on behalf of the regulated entity. A service provider may process consumer health data only in a manner that is consistent with the instructions set forth in the binding contract with the regulated entity.

A service provider shall assist the regulated entity by providing appropriate technical and organizational support in fulfilling the regulated entity's obligations under this chapter.

If a service provider fails to adhere to the regulated entity's instructions or processes consumer health data in a manner that is outside the scope of the service provider's contract with the regulated entity, the service provider is deemed a regulated entity under this chapter and is subject to all the requirements of this chapter.

It is unlawful for any person, including, but not limited to, regulated entities or service providers, to sell consumer health data.

It is unlawful for any person to implement a geofence around an entity that provides in-person health care services when the geofence is used to identify, track, collect data from or send notifications or messages to a consumer that enters the virtual perimeter.

An individual alleging a violation of this chapter may bring a civil action against an offending regulated entity. If the individual prevails in the action, the individual is entitled to:
    A. For a violation of this chapter:
        (1) As a result of negligence, actual damages or $1,000 per violation, whichever is greater; or
        (2) As a result of recklessness or intentional misconduct, actual damages or $5,000 per violation, whichever is greater;
    B. Reasonable attorney's fees and court costs, including expert witness fees and other litigation expenses; and
    C. Other relief, including injunctive or equitable relief, as the court determines appropriate.

In addition to subsection 1, any violation of this chapter constitutes prima facie evidence of a violation of the Maine Unfair Trade Practices Act.

The Attorney General may bring an action against a regulated entity for a violation of this chapter and seek any form of relief available to any other plaintiff, including the collection of damages as a civil penalty.

This chapter does not apply to:

Protected health information, or information treated like protected health information, collected, used or disclosed by covered entities and business associates when:
    A. The protected health information is collected, used or disclosed in accordance with the federal Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act and 45 Code of Federal Regulations, Parts 160 and 164 and implementing regulations; and
    B. The protected health information is afforded all the privacy protections and security safeguards of the federal laws and implementing regulations under paragraph A. For the purpose of this subsection, "protected health information," "covered entity" and "business associate" have the same meaning as in the federal Health Insurance Portability and Accountability Act of 1996 and its implementing regulations;

Patient identifying information collected, used or disclosed in accordance with 42 Code of Federal Regulations, Part 2, established pursuant to 42 United States Code, Section 290dd-2; or

Health care information collected, used or disclosed in accordance with Title 22, section 1711-C.

This bill establishes consumer rights with regard to consumer health data and defines obligations of regulated entities that collect, use and share consumer health data. The bill prohibits selling consumer health data and implementing a geofence around certain health care entities. The bill provides a private right of action for a consumer against a regulated entity for a violation of the provisions as well as civil penalties and enforcement by the Attorney General. The bill also makes violations enforceable under the Maine Unfair Trade Practices Act. The bill's requirements do not apply to government agencies and health care information subject to federal and state law related to confidentiality of health care information.