Fiscal impact reports (FIRs) are prepared by the Legislative Finance Committee (LFC) for standing finance committees of the Legislature. LFC does not assume responsibility for the accuracy of these reports if they are used for other purposes.

FISCAL IMPACT REPORT

SPONSOR: Sariñana/Anaya/Thomson/Ferrary
LAST UPDATED:
ORIGINAL DATE: 2/21/2025
SHORT TITLE: Health Data Privacy Act
BILL NUMBER: House Bill 430
ANALYST: Esquibel

ESTIMATED ADDITIONAL OPERATING BUDGET IMPACT* (dollars in thousands)

| Agency/Program | FY25 | FY26 | FY27 | 3 Year Total Cost | Recurring or Nonrecurring | Fund Affected |
|---|---|---|---|---|---|---|
| RHCA | Indeterminate but minimal | Indeterminate but minimal | Indeterminate but minimal | Indeterminate but minimal | Recurring | RHCA Benefits Fund |

Parentheses ( ) indicate expenditure decreases.
*Amounts reflect most recent analysis of this legislation.

Sources of Information

LFC Files

Agency Analysis Received From
Health Care Authority (HCA)
New Mexico Retiree Health Care Authority (RHCA)
New Mexico Health Insurance Exchange (HIE)

SUMMARY

Synopsis of House Bill 430

House Bill 430 (HB430) would enact the Health Data Privacy Act and would enact restrictions on the use of personally identifiable health data. The bill prohibits “regulated entities” or service providers from processing regulated health information without an individual’s consent or for services other than a requested product, service, or feature. The bill defines a “regulated entity” as an entity other than a licensed healthcare provider which controls the processing of regulated health information of New Mexico residents or is located in New Mexico. The bill defines as “an operation performed or set of operations performed on regulated health information.” The bill includes a specific set of operations within this definition, including the analysis, disclosure, share, monetization, sale, or use of health data.

The effective date of the bill is July 1, 2025.

FISCAL IMPLICATIONS

The Retiree Health Care Authority (RHCA) and the Health Care Authority (HCA) report the agencies already follow the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) laws and other state privacy laws. RHCA reports it may require some IT and other adjustments to comply with the bill but that the fiscal impact would be minimal.

SIGNIFICANT ISSUES

The New Mexico Health Insurance Exchange, currently managed by Syncronys, reports the bill may need to exclude the processing and exchange of health information disclosed in accordance with HIPAA and the New Mexico Electronic Medical Records Act. Besides licensed healthcare providers, the bill may be amended to also exclude hospitals, skilled nursing facilities, labs, imaging, the health information exchange, state agencies, and other entities involved in providing treatment, payment, and operations within the scope of health care.

HCA notes it is unclear if the bill balances between safeguarding privacy versus fostering technological advancements that rely on health data to enhance services and improve health outcomes.

ADMINISTRATIVE IMPLICATIONS

The health information exchange reports the bill would require every individual consent to have their data shared with the state’s health information exchange. New Mexico is an “opt out” state for the health information exchange, which means an individual’s data is shared with the health information exchange by their healthcare provider. Healthcare providers share data in accordance with HIPAA. To implement the consent process, if the bill continues to only exclude licensed health care providers, hospitals, skilled nursing facilities, etc., will need to obtain consent from all individuals to process health information. Electronic medical records, billing systems, claims systems, etc., may need upgrades to manage which individuals have provided consent to process their health data.

HCA reports information processed by governmental entities is excluded from the requirements of the act, including HCA. However, HCA contracts with Medicaid managed care organizations, New Mexico health insurance carriers, and other healthcare entities that collect or maintain personal health information. These are HIPAA covered entities but, because HB430 does not exempt HIPAA covered personal health information or HIPAA covered entities, their obligations under the bill may be unclear. Presumably, they would be required to comply with HB340 to the extent they process health information outside of the HIPAA definition of personal health information.

OTHER SUBSTANTIVE ISSUES

HCA reports the bill would extend protections over personal health information beyond the scope of federal HIPAA laws. Currently, disclosures of personal health information are permitted when health data is collected or maintained by an entity not covered by HIPAA. HIPAA only applies to “covered entities” and their “business associates.” A covered entity is a healthcare provider, health plan, or healthcare clearinghouse. A business associate is an entity that provides products or services to a covered entity that involves access to personal health information.

Given the limitations of HIPAA, there are many entities that collect health information that are not subject to its provisions, such as health app companies, wearable devices such as fitness trackers, and apps and devices that track heart patterns, menstrual cycles, respiratory conditions, sleep patterns, etc. These apps and devices collect a considerable amount of health-related information that would be subject to HIPAA rules if collected by a HIPAA covered entity. There have been unsuccessful attempts to address this privacy gap at the federal level by expanding HIPAA to cover all health data regardless of the entity that collects the information. HB340 seeks to address the gap at the state level.

At the time of this writing, three states (Washington, Nevada and Connecticut) have passed similar laws, and an act passed by the New York Legislature in 2025 is awaiting the governor’s signature.

RAE/sgs/SL2