New Mexico 2025 Regular Session

New Mexico House Bill HB430 Compare Versions

Only one version of the bill is available at this time.

Old	New	Differences
1	1	underscored material = new
2	2	[bracketed material] = delete
3	3	1
4	4	2
5	5	3
6	6	4
7	7	5
8	8	6
9	9	7
10	10	8
11	11	9
12	12	10
13	13	11
14	14	12
15	15	13
16	16	14
17	17	15
18	18	16
19	19	17
20	20	18
21	21	19
22	22	20
23	23	21
24	24	22
25	25	23
26	26	24
27	27	25
28	28	HOUSE BILL 430
29	29	57
30	30	TH LEGISLATURE
31	31	-
32	32
33	33	STATE
34	34
35	35	OF
36	36
37	37	NEW
38	38
39	39	MEXICO
40	40
41	41	-
42	42	FIRST SESSION
43	43	,
44	44
45	45	2025
46	46	INTRODUCED BY
47	47	Debra M. Sariñana and Marianna Anaya
48	48	and Elizabeth "Liz" Thomson and Joanne J. Ferrary
49	49	AN ACT
50	50	RELATING TO PRIVACY; ENACTING THE HEALTH DATA PRIVACY ACT;
51	51	PROVIDING DEFINITIONS; PROVIDING DUTIES FOR REGULATED ENTITIES;
52	52	PROVIDING FOR ENFORCEMENT AND PENALTIES.
53	53	BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:
54	54	SECTION 1. [NEW MATERIAL] SHORT TITLE.--This act may be
55	55	cited as the "Health Data Privacy Act".
56	56	SECTION 2. [NEW MATERIAL] DEFINITIONS.--As used in the
57	57	Health Data Privacy Act:
58	58	A. "de-identified data" means data that does not
59	59	identify and cannot be used to infer information about, or
60	60	otherwise be linked to, an identified or identifiable
61	61	individual or a device linked to the individual, if the
62	62	regulated entity that possesses such data:
63	63	(1) takes reasonable physical, administrative
64	64	.229584.2 underscored material = new
65	65	[bracketed material] = delete
66	66	1
67	67	2
68	68	3
69	69	4
70	70	5
71	71	6
72	72	7
73	73	8
74	74	9
75	75	10
76	76	11
77	77	12
78	78	13
79	79	14
80	80	15
81	81	16
82	82	17
83	83	18
84	84	19
85	85	20
86	86	21
87	87	22
88	88	23
89	89	24
90	90	25
91	91	and technical measures to ensure that the data cannot be
92	92	associated with an individual or used to identify the
93	93	individual or be associated with a device that identifies, is
94	94	linked to or can reasonably be linked to an individual;
95	95	(2) publicly commits to process the data only
96	96	in a de-identified fashion and not to attempt to re-identify
97	97	the data; and
98	98	(3) contractually obligates any recipient of
99	99	the de-identified data to comply with Paragraphs (1) and (2) of
100	100	this subsection;
101	101	B. "process" or "processing" means conduct or an
102	102	operation performed or a set of operations performed on
103	103	regulated health information, including the collection, use,
104	104	access, sharing, sale, monetization, brokerage, analysis,
105	105	retention, creation, generation, derivation, recording,
106	106	organization, structuring, modification, storage, disclosure,
107	107	transmission, disposal, licensing, destruction, deletion,
108	108	modification or de-identification of regulated health
109	109	information;
110	110	C. "regulated entity" means an entity, not
111	111	including a licensed health care provider, that:
112	112	(1) controls the processing of regulated
113	113	health information of an individual who is a New Mexico
114	114	resident;
115	115	(2) controls the processing of regulated
116	116	.229584.2
117	117	- 2 - underscored material = new
118	118	[bracketed material] = delete
119	119	1
120	120	2
121	121	3
122	122	4
123	123	5
124	124	6
125	125	7
126	126	8
127	127	9
128	128	10
129	129	11
130	130	12
131	131	13
132	132	14
133	133	15
134	134	16
135	135	17
136	136	18
137	137	19
138	138	20
139	139	21
140	140	22
141	141	23
142	142	24
143	143	25
144	144	health information of an individual who is physically present
145	145	in New Mexico while that individual is in New Mexico; or
146	146	(3) is located in New Mexico and controls the
147	147	processing of regulated health information. A regulated entity
148	148	may also be a service provider depending upon the context in
149	149	which the regulated entity processes or controls the processing
150	150	of regulated health information;
151	151	D. "regulated health information" means information
152	152	that is reasonably linkable to an individual or to a device and
153	153	that is collected or processed in connection with the physical
154	154	or mental health of an individual, including location or
155	155	payment information that relates to an individual's past,
156	156	present or future physical or mental health. "Regulated health
157	157	information" includes information related to an individual's
158	158	disability, diagnosis, health condition or treatment and any
159	159	inference drawn or derived about an individual's physical or
160	160	mental health, disability, diagnosis or health condition or
161	161	treatment that is reasonably linkable to an individual or a
162	162	device. "Regulated health information" does not include de-
163	163	identified information;
164	164	E. "service provider" means a person or an entity
165	165	that processes regulated health information on behalf of a
166	166	regulated entity. A service provider may also be a regulated
167	167	entity depending upon the context in which the service provider
168	168	processes regulated health information; and
169	169	.229584.2
170	170	- 3 - underscored material = new
171	171	[bracketed material] = delete
172	172	1
173	173	2
174	174	3
175	175	4
176	176	5
177	177	6
178	178	7
179	179	8
180	180	9
181	181	10
182	182	11
183	183	12
184	184	13
185	185	14
186	186	15
187	187	16
188	188	17
189	189	18
190	190	19
191	191	20
192	192	21
193	193	22
194	194	23
195	195	24
196	196	25
197	197	F. "third party" means a person or an entity
198	198	involved in a transaction related to the processing of
199	199	regulated health information, other than an individual, a
200	200	regulated entity or a service provider that is involved in the
201	201	transaction. A third party may also be a regulated entity or
202	202	service provider depending upon the context in which the third
203	203	party is involved in the processing of regulated health
204	204	information.
205	205	SECTION 3. [NEW MATERIAL] REQUIREMENTS FOR REGULATED
206	206	ENTITIES.--
207	207	A. A regulated entity shall:
208	208	(1) publicly provide, in a clear, concise and
209	209	easily understood manner, the regulated entity's privacy
210	210	information and shall provide the privacy information separate
211	211	and distinct from the provision of the regulated entity's terms
212	212	of service, policies and community standards;
213	213	(2) publicly provide prominent, accessible and
214	214	responsive tools to help an individual exercise the
215	215	individual's privacy rights and report privacy concerns; and
216	216	(3) establish, implement and maintain
217	217	reasonable administrative, technical and physical data security
218	218	practices to protect the confidentiality, integrity and
219	219	accessibility of regulated health information as appropriate to
220	220	the volume and nature of the regulated health information at
221	221	issue.
222	222	.229584.2
223	223	- 4 - underscored material = new
224	224	[bracketed material] = delete
225	225	1
226	226	2
227	227	3
228	228	4
229	229	5
230	230	6
231	231	7
232	232	8
233	233	9
234	234	10
235	235	11
236	236	12
237	237	13
238	238	14
239	239	15
240	240	16
241	241	17
242	242	18
243	243	19
244	244	20
245	245	21
246	246	22
247	247	23
248	248	24
249	249	25
250	250	B. All communications between a regulated entity
251	251	and individuals whose regulated health information is in the
252	252	possession or control of the regulated entity shall be
253	253	reasonably accessible to individuals with disabilities. A
254	254	regulated entity shall ensure accessibility:
255	255	(1) for notices by using digital accessibility
256	256	tools and complying with generally recognized industry
257	257	standards, including current standards set by the world wide
258	258	web consortium or other similar standards-setting bodies as
259	259	determined appropriate by the attorney general; and
260	260	(2) for communications other than notices by
261	261	providing information about how an individual with a disability
262	262	may access the communication in an alternative format.
263	263	SECTION 4. [NEW MATERIAL] PROHIBITED PRACTICES.--
264	264	A. A regulated entity shall not, and shall not
265	265	instruct a service provider or third party to:
266	266	(1) process the regulated health information
267	267	of an individual, except:
268	268	(a) with consent from the individual for
269	269	the processing for a specified purpose;
270	270	(b) as is strictly necessary for the
271	271	regulated entity to provide the product, service or feature
272	272	requested and only for the limited time that the collection of
273	273	the information is strictly necessary to provide the product,
274	274	service or feature; and
275	275	.229584.2
276	276	- 5 - underscored material = new
277	277	[bracketed material] = delete
278	278	1
279	279	2
280	280	3
281	281	4
282	282	5
283	283	6
284	284	7
285	285	8
286	286	9
287	287	10
288	288	11
289	289	12
290	290	13
291	291	14
292	292	15
293	293	16
294	294	17
295	295	18
296	296	19
297	297	20
298	298	21
299	299	22
300	300	23
301	301	24
302	302	25
303	303	(c) as is strictly necessary to provide
304	304	a communication, that is not an advertisement, by the regulated
305	305	entity to an individual that reasonably anticipates the
306	306	communication within the context of the relationship between
307	307	the regulated entity and the individual;
308	308	(2) process any precise geolocation
309	309	information of an individual that could reasonably indicate the
310	310	individual's attempt to acquire or receive health services or
311	311	supplies unless it is strictly necessary to provide the
312	312	product, service or feature requested. Consensual geolocation
313	313	information sharing among users shall not constitute consent to
314	314	additional processing of geolocation information by the
315	315	regulated entity unless the additional processing is
316	316	specifically authorized;
317	317	(3) process regulated health information for
318	318	purposes of targeted advertising, first party advertising or
319	319	the brokerage of personal data without an individual's consent;
320	320	and
321	321	(4) obtain consent to process regulated health
322	322	information using any mechanism that has the purpose or
323	323	substantial effect of obscuring, subverting or impairing an
324	324	individual's decision-making abilities regarding providing
325	325	consent to authorize processing of the individual's regulated
326	326	health information. The request for consent to process an
327	327	individual's regulated health information shall be obtained
328	328	.229584.2
329	329	- 6 - underscored material = new
330	330	[bracketed material] = delete
331	331	1
332	332	2
333	333	3
334	334	4
335	335	5
336	336	6
337	337	7
338	338	8
339	339	9
340	340	10
341	341	11
342	342	12
343	343	13
344	344	14
345	345	15
346	346	16
347	347	17
348	348	18
349	349	19
350	350	20
351	351	21
352	352	22
353	353	23
354	354	24
355	355	25
356	356	prior to and separately from the processing and shall clearly
357	357	and conspicuously disclose:
358	358	(a) the categories of regulated health
359	359	information to be collected or shared;
360	360	(b) the purpose of the processing of the
361	361	regulated health information, including the specific ways in
362	362	which the information will be used;
363	363	(c) the entities with which the
364	364	regulated health information is shared; and
365	365	(d) how the individual can withdraw
366	366	consent for future processing of the individual's health
367	367	information. If the regulated entity is requesting consent
368	368	for multiple categories of processing activities, the entity
369	369	shall allow the individual to provide or withhold consent
370	370	separately for each category of processing activity, and the
371	371	entity shall not include a request for consent for a processing
372	372	activity for which an individual has withheld or revoked
373	373	consent within the past calendar year.
374	374	B. A consent shall include:
375	375	(1) the types of regulated health information
376	376	authorized to be processed;
377	377	(2) the nature of the processing activity;
378	378	(3) the specific purposes for the processing;
379	379	(4) the names of service providers or third
380	380	parties to which the regulated entity may disclose the
381	381	.229584.2
382	382	- 7 - underscored material = new
383	383	[bracketed material] = delete
384	384	1
385	385	2
386	386	3
387	387	4
388	388	5
389	389	6
390	390	7
391	391	8
392	392	9
393	393	10
394	394	11
395	395	12
396	396	13
397	397	14
398	398	15
399	399	16
400	400	17
401	401	18
402	402	19
403	403	20
404	404	21
405	405	22
406	406	23
407	407	24
408	408	25
409	409	individual's regulated health information and the purposes for
410	410	the disclosure, including the circumstances under which the
411	411	regulated entity could disclose regulated health information to
412	412	law enforcement;
413	413	(5) any monetary or other valuable
414	414	consideration the regulated entity could receive in connection
415	415	with processing the individual's regulated health information,
416	416	if applicable;
417	417	(6) an acknowledgment that not providing
418	418	consent will not affect an individual's experience of using the
419	419	regulated entity's products or services;
420	420	(7) the expiration date of the consent, which
421	421	may be up to one year from the date the consent was provided;
422	422	(8) the mechanism by which the individual may
423	423	revoke the consent prior to its expiration;
424	424	(9) the mechanism by which the individual may
425	425	request access to or deletion of the individual's regulated
426	426	health information;
427	427	(10) any other information material to an
428	428	individual's decision making regarding consent for processing;
429	429	and
430	430	(11) the signature, which may be electronic,
431	431	of the individual who is the subject of the regulated health
432	432	information or, in the case of a known minor, a parent or
433	433	guardian authorized by law to take actions of legal consequence
434	434	.229584.2
435	435	- 8 - underscored material = new
436	436	[bracketed material] = delete
437	437	1
438	438	2
439	439	3
440	440	4
441	441	5
442	442	6
443	443	7
444	444	8
445	445	9
446	446	10
447	447	11
448	448	12
449	449	13
450	450	14
451	451	15
452	452	16
453	453	17
454	454	18
455	455	19
456	456	20
457	457	21
458	458	22
459	459	23
460	460	24
461	461	25
462	462	on behalf of the individual who is the subject of the regulated
463	463	health information and the date the consent is signed.
464	464	C. A regulated entity that receives consent for
465	465	processing an individual's regulated health information shall
466	466	provide an effective, efficient and easy-to-use mechanism by
467	467	which an individual may revoke consent at any time through an
468	468	interface the individual regularly uses in connection with the
469	469	regulated entity's product or service.
470	470	D. For individuals who have an online account with
471	471	the regulated entity, the regulated entity shall provide, in a
472	472	conspicuous and easily accessible place within the account
473	473	settings, a list of all processing activities for which the
474	474	individual has provided consent and, for each processing
475	475	activity, shall allow the individual to revoke consent in the
476	476	same settings location with one motion or action.
477	477	E. Upon obtaining valid consent from an individual,
478	478	the regulated entity shall provide that individual a copy of
479	479	the consent. The consent shall be provided in a manner in
480	480	which a copy of the consent can be retained by the individual.
481	481	F. The regulated entity shall limit its processing
482	482	to the regulated health information that was clearly disclosed
483	483	to an individual pursuant to Subsection B of this section at
484	484	the time the regulated entity received consent from the
485	485	individual.
486	486	G. If the regulated entity seeks to materially
487	487	.229584.2
488	488	- 9 - underscored material = new
489	489	[bracketed material] = delete
490	490	1
491	491	2
492	492	3
493	493	4
494	494	5
495	495	6
496	496	7
497	497	8
498	498	9
499	499	10
500	500	11
501	501	12
502	502	13
503	503	14
504	504	15
505	505	16
506	506	17
507	507	18
508	508	19
509	509	20
510	510	21
511	511	22
512	512	23
513	513	24
514	514	25
515	515	alter its processing activities for the regulated health
516	516	information of an individual collected pursuant to the
517	517	individual's consent, the regulated entity shall obtain a new
518	518	consent for the new or altered processing activity.
519	519	SECTION 5. [NEW MATERIAL] RIGHT OF ACCESS--CORRECTION--
520	520	DELETION.--
521	521	A. Regulated entities shall provide individuals the
522	522	right to:
523	523	(1) access the individual's regulated health
524	524	information that is processed by the regulated entity or by a
525	525	service provider;
526	526	(2) access information pertaining to the
527	527	collection and processing of the individual's regulated health
528	528	information, including:
529	529	(a) from where or from whom the covered
530	530	entity obtained the regulated health information;
531	531	(b) the types of third parties to which
532	532	the regulated entity has disclosed or will disclose the
533	533	regulated health information;
534	534	(c) the purposes of the processing;
535	535	(d) the specific types of regulated
536	536	health information processed;
537	537	(e) the names of third parties to which
538	538	the regulated entity disclosed the regulated health information
539	539	and a log showing when the disclosure happened; and
540	540	.229584.2
541	541	- 10 - underscored material = new
542	542	[bracketed material] = delete
543	543	1
544	544	2
545	545	3
546	546	4
547	547	5
548	548	6
549	549	7
550	550	8
551	551	9
552	552	10
553	553	11
554	554	12
555	555	13
556	556	14
557	557	15
558	558	16
559	559	17
560	560	18
561	561	19
562	562	20
563	563	21
564	564	22
565	565	23
566	566	24
567	567	25
568	568	(f) the period of retention by the
569	569	regulated entity of the regulated health information;
570	570	(3) obtain the individual's regulated health
571	571	information processed by a regulated entity in a structured,
572	572	readily usable, portable and machine-readable format;
573	573	(4) transmit or cause the regulated entity to
574	574	transmit the regulated health information to another regulated
575	575	entity, when technically feasible;
576	576	(5) request a regulated entity to stop
577	577	collecting and processing the individual's regulated health
578	578	information;
579	579	(6) correct inaccurate regulated health
580	580	information stored by a regulated entity; and
581	581	(7) delete all the individual's regulated
582	582	health information stored by the regulated entity; provided
583	583	that a regulated entity that has collected regulated health
584	584	information from an individual is not required to delete
585	585	information to the extent it is exempt under the Health Data
586	586	Privacy Act.
587	587	B. A regulated entity shall provide every
588	588	individual whose regulated heath information the entity
589	589	possesses with a reasonable means to exercise the individual's
590	590	rights as provided in this section to revoke consent using a
591	591	request form that is:
592	592	(1) clear and conspicuous;
593	593	.229584.2
594	594	- 11 - underscored material = new
595	595	[bracketed material] = delete
596	596	1
597	597	2
598	598	3
599	599	4
600	600	5
601	601	6
602	602	7
603	603	8
604	604	9
605	605	10
606	606	11
607	607	12
608	608	13
609	609	14
610	610	15
611	611	16
612	612	17
613	613	18
614	614	19
615	615	20
616	616	21
617	617	22
618	618	23
619	619	24
620	620	25
621	621	(2) available at no cost and with no
622	622	transactional penalty to the individual to whom the information
623	623	pertains; and
624	624	(3) in English and any other language in which
625	625	the regulated entity communicates with the individual to whom
626	626	the information pertains.
627	627	C. Upon an individual's revocation of consent, the
628	628	regulated entity shall immediately cease all processing
629	629	activities and delete all regulated health information for
630	630	which consent was revoked, except to the extent necessary to
631	631	comply with the regulated entity's legal obligations; provided
632	632	that:
633	633	(1) if the regulated entity has reasonable
634	634	doubts or cannot verify the identity of the individual making a
635	635	request, the regulated entity may request additional personal
636	636	information necessary to confirm the individual's identity.
637	637	The regulated entity shall not process the additional personal
638	638	information for any reason beyond confirming the individual's
639	639	identity; and
640	640	(2) a regulated entity shall not de-identify
641	641	an individual's regulated health information during the sixty-
642	642	day period beginning on the date the regulated entity receives
643	643	a request for correction or deletion from the individual.
644	644	D. A regulated entity shall make available an
645	645	effective, efficient and easy-to-use mechanism, through an
646	646	.229584.2
647	647	- 12 - underscored material = new
648	648	[bracketed material] = delete
649	649	1
650	650	2
651	651	3
652	652	4
653	653	5
654	654	6
655	655	7
656	656	8
657	657	9
658	658	10
659	659	11
660	660	12
661	661	13
662	662	14
663	663	15
664	664	16
665	665	17
666	666	18
667	667	19
668	668	20
669	669	21
670	670	22
671	671	23
672	672	24
673	673	25
674	674	interface the individual regularly uses in connection with the
675	675	regulated entity's product or service, by which an individual
676	676	may request access to or to delete the individual's regulated
677	677	health information.
678	678	E. Within thirty days of receiving an access
679	679	request, the regulated entity shall make available a copy of
680	680	all regulated health information about the individual that the
681	681	regulated entity maintains or that service providers maintain
682	682	on behalf of the regulated entity. An individual's request to
683	683	delete or cancel the individual's online account shall be
684	684	treated as a request to delete the individual's regulated
685	685	health information, and within thirty days of receiving a
686	686	deletion request, the regulated entity shall:
687	687	(1) delete all regulated health information
688	688	associated with the individual in the regulated entity's
689	689	possession or control, except to the extent necessary to comply
690	690	with the regulated entity's legal obligations; and
691	691	(2) unless it proves impossible or involves
692	692	disproportionate effort that is documented in writing by the
693	693	regulated entity, communicate such request to each service
694	694	provider or third party that processed the individual's
695	695	regulated health information in connection with a transaction
696	696	involving the regulated entity occurring within one year
697	697	preceding the individual's request.
698	698	F. Any service provider or third party that
699	699	.229584.2
700	700	- 13 - underscored material = new
701	701	[bracketed material] = delete
702	702	1
703	703	2
704	704	3
705	705	4
706	706	5
707	707	6
708	708	7
709	709	8
710	710	9
711	711	10
712	712	11
713	713	12
714	714	13
715	715	14
716	716	15
717	717	16
718	718	17
719	719	18
720	720	19
721	721	20
722	722	21
723	723	22
724	724	23
725	725	24
726	726	25
727	727	receives notice of an individual's deletion request shall
728	728	within thirty days delete all regulated health information
729	729	associated with the individual in its possession or control,
730	730	except to the extent necessary to comply with its legal
731	731	obligations.
732	732	SECTION 6. [NEW MATERIAL] DATA PROCESSING AGREEMENTS.--A
733	733	service provider or third party that receives regulated health
734	734	information from a regulated entity shall enter into a written
735	735	data processing agreement with the providing regulated entity
736	736	ensuring that the information will continue to be processed
737	737	consistent with the provisions of the Health Data Privacy Act,
738	738	including that:
739	739	A. regulated health information received by service
740	740	providers or third parties shall be processed only for purposes
741	741	specified in the data processing agreement;
742	742	B. service providers and third parties shall only
743	743	process regulated health information that is adequate, relevant
744	744	and necessary for the purposes for which it was collected or
745	745	received;
746	746	C. service providers and third parties shall ensure
747	747	that subcontractors comply with the same protection obligations
748	748	as set forth in the data processing agreement;
749	749	D. service providers and third parties shall
750	750	establish, implement and maintain reasonable administrative,
751	751	technical and physical data security practices to protect the
752	752	.229584.2
753	753	- 14 - underscored material = new
754	754	[bracketed material] = delete
755	755	1
756	756	2
757	757	3
758	758	4
759	759	5
760	760	6
761	761	7
762	762	8
763	763	9
764	764	10
765	765	11
766	766	12
767	767	13
768	768	14
769	769	15
770	770	16
771	771	17
772	772	18
773	773	19
774	774	20
775	775	21
776	776	22
777	777	23
778	778	24
779	779	25
780	780	confidentiality, integrity and accessibility of regulated
781	781	health information as is appropriate to the volume and nature
782	782	of the regulated health information at issue; and
783	783	E. service providers and third parties shall allow,
784	784	and cooperate with, reasonable assessments by the providing
785	785	regulated entity or that entity's designated assessor for
786	786	purposes of evaluating compliance with the obligations provided
787	787	pursuant to the data processing agreement and consistent with
788	788	the Health Data Privacy Act. Alternatively, the service
789	789	provider or third party may arrange for a qualified and
790	790	independent assessor to conduct an assessment of the service
791	791	provider's or third party's policies and technical and
792	792	organizational measures in support of the obligations pursuant
793	793	to the data processing agreement and consistent with that act
794	794	using an appropriate and accepted control standard or framework
795	795	and assessment procedure for the assessments. The service
796	796	provider or third party shall provide a report of the
797	797	assessment to the providing regulated entity upon request and
798	798	shall:
799	799	(1) notify the regulated entity at a
800	800	reasonable time in advance before disclosing or transferring
801	801	regulated health information to any other service provider.
802	802	The notice may be in the form of a regularly updated list of
803	803	other service providers that may access regulated health
804	804	information;
805	805	.229584.2
806	806	- 15 - underscored material = new
807	807	[bracketed material] = delete
808	808	1
809	809	2
810	810	3
811	811	4
812	812	5
813	813	6
814	814	7
815	815	8
816	816	9
817	817	10
818	818	11
819	819	12
820	820	13
821	821	14
822	822	15
823	823	16
824	824	17
825	825	18
826	826	19
827	827	20
828	828	21
829	829	22
830	830	23
831	831	24
832	832	25
833	833	(2) engage any other service provider or third
834	834	party pursuant to a written, binding agreement that includes
835	835	the contractual requirements provided in this section,
836	836	containing at minimum the same obligations that the service
837	837	provider or third party has entered into in the data processing
838	838	agreement with regard to regulated health information; and
839	839	(3) prior to transferring regulated health
840	840	information to a third party located outside of New Mexico,
841	841	ensure that adequate data protection safeguards consistent with
842	842	the Health Data Privacy Act are in place.
843	843	SECTION 7. [NEW MATERIAL] PROHIBITION ON WAIVING OF
844	844	RIGHTS AND DENIAL OF SERVICE.--
845	845	A. A regulated entity shall not retaliate against
846	846	an individual for exercising any of the rights guaranteed by
847	847	the Health Data Privacy Act. Retaliation includes denying
848	848	goods or services, charging different prices or rates for goods
849	849	or services or providing a different level of quality of goods
850	850	or services.
851	851	B. No provision of any contract, agreement or terms
852	852	of service shall waive, limit or otherwise undermine the rights
853	853	conferred to individuals under the Health Data Privacy Act or
854	854	any other applicable data protection laws. The invalidity or
855	855	unenforceability of any provision in a contract involving a
856	856	regulated entity, service provider or third party shall not
857	857	affect the validity or enforceability of the remaining
858	858	.229584.2
859	859	- 16 - underscored material = new
860	860	[bracketed material] = delete
861	861	1
862	862	2
863	863	3
864	864	4
865	865	5
866	866	6
867	867	7
868	868	8
869	869	9
870	870	10
871	871	11
872	872	12
873	873	13
874	874	14
875	875	15
876	876	16
877	877	17
878	878	18
879	879	19
880	880	20
881	881	21
882	882	22
883	883	23
884	884	24
885	885	25
886	886	provisions of the contract or agreement.
887	887	SECTION 8. [NEW MATERIAL] VIOLATIONS--ENFORCEMENT--
888	888	PENALTIES--CLAIMS FOR VIOLATIONS.--
889	889	A. A violation of the Health Data Privacy Act
890	890	constitutes a rebuttable presumption of harm. A regulated
891	891	entity that violates that act shall be:
892	892	(1) subject to injunctive relief to cease or
893	893	correct the violation;
894	894	(2) liable for a civil penalty of not more
895	895	than two thousand five hundred dollars ($2,500) per affected
896	896	individual for each negligent violation; or
897	897	(3) liable for a civil penalty of not more
898	898	than seven thousand five hundred dollars ($7,500) per affected
899	899	individual for each intentional violation.
900	900	B. An individual who claims to have suffered a
901	901	deprivation of the rights secured under the Health Data Privacy
902	902	Act may maintain an action to establish liability and recover
903	903	damages and equitable or injunctive relief in any New Mexico
904	904	district court.
905	905	C. The attorney general or a district attorney may
906	906	institute a civil action in district court if the attorney
907	907	general or district attorney has reasonable cause to believe
908	908	that a violation has occurred or to prevent a violation of the
909	909	Health Data Privacy Act.
910	910	D. In an action brought pursuant to Subsection A of
911	911	.229584.2
912	912	- 17 - underscored material = new
913	913	[bracketed material] = delete
914	914	1
915	915	2
916	916	3
917	917	4
918	918	5
919	919	6
920	920	7
921	921	8
922	922	9
923	923	10
924	924	11
925	925	12
926	926	13
927	927	14
928	928	15
929	929	16
930	930	17
931	931	18
932	932	19
933	933	20
934	934	21
935	935	22
936	936	23
937	937	24
938	938	25
939	939	this section, the court may award appropriate relief, including
940	940	temporary, preliminary or permanent injunctive relief. The
941	941	court may assess a civil penalty for a violation of the Health
942	942	Data Privacy Act in the amount of five thousand dollars
943	943	($5,000) or actual damages resulting from each violation,
944	944	whichever is greater.
945	945	SECTION 9. [NEW MATERIAL] LIMITATIONS.--Nothing in the
946	946	Health Data Privacy Act shall be interpreted or construed to:
947	947	A. impose liability in a manner that is
948	948	inconsistent with Section 230 of the federal Communications
949	949	Decency Act of 1996;
950	950	B. apply to information processed by local, state
951	951	or federal governments or municipal corporations; and
952	952	C. restrict a regulated entity's, service
953	953	provider's or third party's ability to:
954	954	(1) comply with federal or New Mexico law;
955	955	(2) comply with a civil or criminal subpoena
956	956	or summons, except as prohibited by New Mexico law;
957	957	(3) cooperate with law enforcement agencies
958	958	concerning conduct or activity that the covered entity or
959	959	service provider reasonably and in good faith believes may
960	960	violate federal, state or municipal ordinances or regulations;
961	961	(4) investigate, establish, exercise, prepare
962	962	for or defend legal claims to the extent that the regulated
963	963	health information is relevant to the parties' claims;
964	964	.229584.2
965	965	- 18 - underscored material = new
966	966	[bracketed material] = delete
967	967	1
968	968	2
969	969	3
970	970	4
971	971	5
972	972	6
973	973	7
974	974	8
975	975	9
976	976	10
977	977	11
978	978	12
979	979	13
980	980	14
981	981	15
982	982	16
983	983	17
984	984	18
985	985	19
986	986	20
987	987	21
988	988	22
989	989	23
990	990	24
991	991	25
992	992	(5) take immediate steps to protect the life
993	993	or physical safety of the individual or another individual in
994	994	an emergency and where the processing cannot be manifestly
995	995	based on another legal basis; provided that an individual's
996	996	access to health care services lawful in the state of New
997	997	Mexico shall not constitute an emergency;
998	998	(6) prevent, detect, protect against or
999	999	respond to security incidents relating to network security or
1000	1000	physical security, including an intrusion or trespass, medical
1001	1001	alert or request for a medical response, fire alarm or request
1002	1002	for a fire response or access control;
1003	1003	(7) prevent, detect, protect against or
1004	1004	respond to identity theft, fraud, harassment, malicious or
1005	1005	deceptive activities or any illegal activity targeted at or
1006	1006	involving the regulated entity or service provider or its
1007	1007	services, preserve the integrity or security of systems or
1008	1008	investigate, report or prosecute those responsible for any such
1009	1009	action;
1010	1010	(8) assist another regulated entity, service
1011	1011	provider or third party with any of the obligations under the
1012	1012	Health Data Privacy Act;
1013	1013	(9) transfer assets to a third party in the
1014	1014	context of a merger, acquisition, bankruptcy or similar
1015	1015	transaction when the third party assumes control, in whole or
1016	1016	in part, of the regulated entity's assets, only if the
1017	1017	.229584.2
1018	1018	- 19 - underscored material = new
1019	1019	[bracketed material] = delete
1020	1020	1
1021	1021	2
1022	1022	3
1023	1023	4
1024	1024	5
1025	1025	6
1026	1026	7
1027	1027	8
1028	1028	9
1029	1029	10
1030	1030	11
1031	1031	12
1032	1032	13
1033	1033	14
1034	1034	15
1035	1035	16
1036	1036	17
1037	1037	18
1038	1038	19
1039	1039	20
1040	1040	21
1041	1041	22
1042	1042	23
1043	1043	24
1044	1044	25
1045	1045	regulated entity, in a reasonable time prior to the transfer,
1046	1046	provides an affected individual with a:
1047	1047	(a) notice describing the transfer,
1048	1048	including the name of the entity receiving the individual's
1049	1049	regulated health information and the applicable privacy
1050	1050	policies of such entity; and
1051	1051	(b) reasonable opportunity to withdraw
1052	1052	previously provided consent or opt-ins related to the
1053	1053	individual's regulated health information;
1054	1054	(10) request the deletion of the individual's
1055	1055	regulated health information; and
1056	1056	(11) conduct medical research in compliance
1057	1057	with Part 46 of Title 45, Code of Federal Regulations, or Parts
1058	1058	50 and 56 of Title 21, Code of Federal Regulations; or
1059	1059	with respect to regulated health information previously
1060	1060	collected in accordance with state law, process the regulated
1061	1061	health information solely for the purpose that the regulated
1062	1062	health information becomes de-identified data.
1063	1063	SECTION 10. [NEW MATERIAL] SEVERABILITY.--If any part or
1064	1064	application of the Health Data Privacy Act is held invalid, the
1065	1065	remainder of its application to other situations or persons
1066	1066	shall not be affected.
1067	1067	SECTION 11. EFFECTIVE DATE.--The effective date of the
1068	1068	provisions of this act is July 1, 2025.
1069	1069	- 20 -
1070	1070	.229584.2