Vermont 2025-2026 Regular Session

Vermont Senate Bill S0074 Compare Versions

Only one version of the bill is available at this time.
BILL AS INTRODUCED S.74
2025 Page 1 of 30
VT LEG #379087 v.1

S.74

Introduced by Senators Lyons, Gulick and Harrison

Referred to Committee on

Date:

Subject: Health; health information; data privacy

Statement of purpose of bill as introduced: This bill proposes to regulate the collection, sharing, and selling of consumer health data in Vermont.

An act relating to the collection, sharing, and selling of consumer health data

It is hereby enacted by the General Assembly of the State of Vermont:

Sec. 1. 18 V.S.A. chapter 42B is amended to read:

42B. HEALTH CARE PRIVACY

Subchapter 1. Disclosure of Protected Health Information

§ 1881. DISCLOSURE OF PROTECTED HEALTH INFORMATION PROHIBITED

* * *

Subchapter 2. Vermont My Health My Data Act

§ 1891a. SHORT TITLE

This subchapter shall be known and may be cited as the “Vermont My Health My Data Act.”

§ 1891b. FINDINGS AND INTENT

(a) Findings. The General Assembly finds that:

(1) The residents of Vermont regard their privacy as a fundamental right and an essential element of their individual freedom. Fundamental privacy rights have long been and continue to be integral to protecting Vermonters and to safeguarding our democratic republic.

(2) Information related to an individual’s health conditions or attempts to obtain health care services is among the most personal and sensitive categories of data collected. Vermonters expect that their health data is protected under laws like the Health Insurance Portability and Accountability Act of 1996 (HIPAA). However, HIPAA only covers health data collected by specific health care entities, including most health care providers. Health data collected by noncovered entities, including certain applications and websites, are not afforded the same protections. This act works to close the gap between consumer knowledge and industry practice by providing stronger privacy protections for all of Vermont consumers’ health data.

(b) Intent. By enacting this subchapter, it is the intent of the General Assembly to provide heightened protections for Vermonters’ health data by:

(1) requiring additional disclosures and consumer consent regarding the collection, sharing, and use of their health data;

(2) empowering consumers with the right to have their health data deleted;

(3) prohibiting the selling of consumer health data without valid authorization signed by the consumer; and

(4) making it unlawful to utilize a geofence around a facility that provides health care services.

§ 1891c. DEFINITIONS

As used in this subchapter:

(1) “Abortion” means any medical treatment intended to induce the termination of, or to terminate, a clinically diagnosable pregnancy except for the purpose of producing a live birth.

(2) “Affiliate” means a legal entity that shares common branding with another legal entity and controls, is controlled by, or is under common control with another legal entity. For purposes of this definition, “control” or “controlled” means any one or more of the following:

(A) ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company;

(B) control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or

(C) the power to exercise controlling influence over the management of a company.

(3) “Area agency on aging” has the same meaning as in 33 V.S.A. § 6203.

(4) “Authenticate” means to use reasonable means to determine that a request to exercise any of the rights afforded in this chapter is being made by or on behalf of the consumer who is entitled to exercise those consumer rights with respect to the consumer health data at issue.

(5) “Biometric data” means data that is generated from the measurement or technological processing of an individual’s physiological, biological, or behavioral characteristics and that identifies a consumer, whether individually or in combination with other data. Biometric data includes:

(A) imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template can be extracted; and

(B) keystroke patterns or rhythms and gait patterns or rhythms that contain identifying information.

(6) “Collect” means to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner.

(7)(A) “Consent” means a clear affirmative act that signifies the consumer’s freely given, specific, informed, opt-in, voluntary, and unambiguous agreement, which may include written consent provided by electronic means.

(B) “Consent” shall not be obtained by:

(i) a consumer’s acceptance of a general or broad terms-of-use agreement or a similar document that contains descriptions of personal data processing along with other unrelated information;

(ii) a consumer hovering over, muting, pausing, or closing a given piece of content; or

(iii) a consumer’s agreement obtained through the use of deceptive designs.

(8)(A) “Consumer” means a natural person who meets one or both of the following conditions:

(i) the person is a Vermont resident; or

(ii) the person’s consumer health data is collected in Vermont.

(B) “Consumer” means a natural person who acts only in an individual or household context, however identified, including by any unique identifier. The term does not include an individual acting in an employment context.

(9)(A) “Consumer health data” means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.

(B) For purposes of this definition, physical or mental health status includes:

(i) individual health conditions, treatment diseases, or diagnosis;

(ii) social, psychological, behavioral, and medical interventions;

(iii) health-related surgeries or procedures;

(iv) use or purchase of prescribed medication;

(v) bodily functions, vital signs, symptoms, or measurements of the information described in this subdivision (B);

(vi) diagnoses or diagnostic testing, treatment, or medication;

(vii) gender-affirming care information;

(viii) reproductive or sexual health information;

(ix) biometric data;

(x) genetic data;

(xi) precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies;

(xii) data that identifies a consumer seeking health care services; or

(xiii) any information that a regulated entity or a small business, or its respective processor, processes to associate or identify a consumer with the data described in subdivisions (i)–(xii) of this subdivision (B) that is derived or extrapolated from nonhealth information, such as proxy, derivative, inferred, or emergency data by any means, including algorithms or machine learning.

(C) “Consumer health data” does not include personal information that is used to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that determines that the regulated entity or the small business has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.

(10) “Deceptive design” means a user interface designed or manipulated with the effect of subverting or impairing user autonomy, decision making, or choice.

(11) “Deidentified data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer, or a device linked to such consumer, if the regulated entity or the small business that possesses the data does all of the following:

(A) takes reasonable measures to ensure that the data cannot be associated with a consumer;

(B) publicly commits to process the data only in a deidentified fashion and not to attempt to reidentify the data; and

(C) contractually obligates any recipients of the data to satisfy the criteria set forth in this subdivision (11).

(12) “Gender-affirming care information” means personal information relating to seeking or obtaining past, present, or future gender-affirming health care services. “Gender-affirming care information” includes:

(A) precise location information that could reasonably indicate a consumer’s attempt to acquire or receive gender-affirming health care services;

(B) efforts to research or obtain gender-affirming health care services; or

(C) any gender-affirming care information that is derived, extrapolated, or inferred, including from nonhealth information such as proxy, derivative, inferred, emergent, or algorithmic data.

(13) “Gender-affirming health care services” has the same meaning as in 1 V.S.A. § 150.

(14) “Genetic data” means any data, regardless of its format, that concerns a consumer’s genetic characteristics. “Genetic data” includes:

(A) raw sequence data that result from the sequencing of a consumer’s complete extracted deoxyribonucleic acid (DNA) or a portion of the extracted DNA;

(B) genotypic and phenotypic information that results from analyzing the raw sequence data; and

(C) self-reported health data that a consumer submits to a regulated entity or a small business and that is analyzed in connection with the consumer’s raw sequence data.

(15) “Geofence” means technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data, or any other form of spatial or location detection, individually or in combination, to establish a virtual boundary around a specific physical location or to locate a consumer within a virtual boundary.

(16) “Health care service” means any service provided to a person to assess, measure, improve, or learn about a person’s mental or physical health, including:

(A) individual health conditions, status, diseases, or diagnoses;

(B) social, psychological, behavioral, and medical interventions;

(C) health-related surgeries or procedures;

(D) use or purchase of medication;

(E) bodily functions, vital signs, symptoms, or measurements of the information described in this subdivision (16);

(F) diagnoses or diagnostic testing, treatment, or medication;

(G) reproductive health services; or

(H) gender-affirming health care services.

(17) “Homepage” means the introductory page of an internet website and any internet web page on which personal information is collected. In the case of an online service such as a mobile application, “homepage” means the application’s platform page or download page, and a link within the application, such as from the application configuration or the “about,” “information,” or “settings” page.

(18) “Person” means, where applicable, a natural person, corporation, trust, unincorporated association, or partnership. The term does not include a government agency, tribal nation, or a contracted service provider when processing consumer health data on behalf of a government agency.

(19)(A) “Personal information” means information that identifies or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer. “Personal information” includes data associated with a persistent unique identifier, such as a cookie ID, an IP address, a device identifier, or any other form of persistent unique identifier.

(B) “Personal information” does not include publicly available information or deidentified data.

(20) “Precise location information” means information derived from technology, including global positioning system level latitude and longitude coordinates and other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,850 feet. “Precise location information” does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

(21) “Process” or “processing” means any operation or set of operations performed on consumer health data.

(22) “Processor” means a person who processes consumer health data on behalf of a regulated entity or a small business.

(23)(A) “Publicly available information” means information that:

(i) is lawfully made available through federal, state, or municipal government records or widely distributed media; and

(ii) a regulated entity or a small business has a reasonable basis to believe a consumer has lawfully made available to the general public.

(B) “Publicly available information” does not include any biometric data collected about a consumer by a business without the consumer’s consent.

(24)(A) “Regulated entity” means any legal entity that:

(i) conducts business in Vermont, or produces or provides products or services that are targeted to consumers in Vermont; and

(ii) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.

(B) “Regulated entity” does not mean government agencies or contracted service providers when processing consumer health data on behalf of a government agency.

(25)(A) “Reproductive or sexual health information” means personal information relating to seeking or obtaining past, present, or future reproductive or sexual health services.

(B) “Reproductive or sexual health information” includes:

(i) precise location information that could reasonably indicate a consumer’s attempt to acquire or receive reproductive or sexual health services;

(ii) efforts to research or obtain reproductive or sexual health services; or

(iii) any reproductive or sexual health information that is derived, extrapolated, or inferred, including from nonhealth information, such as proxy, derivative, inferred, emergent, or algorithmic data.

(26) “Reproductive or sexual health services” means health services or products that support or relate to a consumer’s reproductive system or sexual well-being, including:

(A) individual health conditions, status, diseases, or diagnoses;

(B) social, psychological, behavioral, and medical interventions;

(C) health-related surgeries or procedures, including abortions;

(D) use or purchase of medication, including medications for the purposes of abortion;

(E) bodily functions, vital signs, symptoms, or measurements of the information described in this subdivision (26);

(F) diagnoses or diagnostic testing, treatment, or medication;

(G) medical or nonmedical services related to and provided in conjunction with an abortion, including associated diagnostics, counseling, supplies, and follow-up services; and

(H) any other services included in the definition of “reproductive health care services” in 1 V.S.A. § 150.

(27)(A) “Sell” or “sale” means the exchange of consumer health data for monetary or other valuable consideration.

(B) “Sell” or “sale” does not include the exchange of consumer health data for monetary or other valuable consideration:

(i) to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the regulated entity’s or the small business’s assets and complies with the requirements and obligations in this chapter; or

(ii) by a regulated entity or a small business to a processor when such exchange is consistent with the purpose for which the consumer health data was collected and the exchange was disclosed to the consumer.

(28)(A) “Share” or “sharing” means to release, disclose, disseminate, divulge, make available, provide access to, license, or otherwise communicate orally, in writing, or by electronic or other means consumer health data by a regulated entity or a small business to a third party or affiliate.

(B) The term “share” or “sharing” does not include:

(i) the disclosure of consumer health data by a regulated entity or a small business to a processor when the sharing is to provide goods or services in a manner consistent with the purpose for which the consumer health data was collected and the exchange was disclosed to the consumer;

(ii) the disclosure of consumer health data to a third party with whom the consumer has a direct relationship when:

(I) the disclosure is for purposes of providing a product or service requested by the consumer;

(II) the regulated entity or the small business maintains control and ownership of the data; and

(III) the third party uses the consumer health data only at the direction of the regulated entity or the small business and consistent with the purpose for which it was collected and consented to by the consumer; or

(iii) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the regulated entity’s or the small business’s assets and complies with the requirements and obligations in this chapter.

(29) “Small business” means a regulated entity that satisfies one or both of the following thresholds:

(A) the entity collects, processes, sells, or shares the consumer health data of fewer than 100,000 consumers during a calendar year; or

(B) the entity derives less than 50 percent of its gross revenue from the collection, processing, selling, or sharing of consumer health data and the entity controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers.

(30) “Third party” means an entity other than a consumer, regulated entity, processor, small business, or affiliate of the regulated entity or the small business.

§ 1891d. CONSUMER HEALTH DATA PRIVACY POLICY REQUIRED

(a) Each regulated entity or each small business shall maintain a consumer health data privacy policy that clearly and conspicuously discloses:

(1) the categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used;

(2) the categories of sources from which the consumer health data is collected;

(3) the categories of consumer health data that is shared;

(4) a list of the categories of third parties and specific affiliates with whom the regulated entity or small business shares the consumer health data; and

(5) how a consumer can exercise the rights provided in section 1891f of this chapter.

(b) A regulated entity or small business shall prominently publish a link to its consumer health data privacy policy on its homepage.

(c) A regulated entity or small business shall not collect, use, or share additional categories of consumer health data not disclosed in the consumer health data privacy policy without first disclosing the additional categories and obtaining the consumer’s affirmative consent prior to the collection, use, or sharing of the consumer health data.

(d) A regulated entity or small business shall not collect, use, or share consumer health data for additional purposes not disclosed in the consumer health data privacy policy without first disclosing the additional purposes and obtaining the consumer’s affirmative consent prior to the collection, use, or sharing of the consumer health data.

(e) It is a violation of this subchapter for a regulated entity or small business to contract with a processor to process consumer health data in a manner that is inconsistent with the regulated entity’s or small business’s consumer health data privacy policy.

§ 1891e. COLLECTION AND SHARING OF CONSUMER HEALTH DATA

(a) A regulated entity or small business shall not collect any consumer health data except:

(1) with consent from the consumer for such collection for a specified purpose; or

(2) to the extent necessary to provide a product or service that the consumer to whom the consumer health data relates has requested from the regulated entity or small business.

(b) A regulated entity or small business shall not share any consumer health data except:

(1) with consent from the consumer for the sharing that is separate and distinct from the consent obtained to collect consumer health data; or

(2) to the extent necessary to provide a product or service that the consumer to whom the consumer health data relates has requested from the regulated entity or small business.

(c) Consent required under this section shall be obtained prior to the collection or sharing, as applicable, of any consumer health data, and the request for consent must clearly and conspicuously disclose:

(1) the categories of consumer health data collected or shared;

(2) the purpose of the collection or sharing of the consumer health data, including the specific ways in which it will be used;

(3) the categories of entities with whom the consumer health data is shared; and

(4) how the consumer can withdraw consent from future collection or sharing of the consumer’s health data.

(d) A regulated entity or small business shall not unlawfully discriminate against a consumer for exercising any rights included in this chapter.

§ 1891f. CONSUMER RIGHTS

(a) Confirmation. A consumer has the right to confirm whether a regulated entity or a small business is collecting, sharing, or selling consumer health data regarding the consumer and to access that data, including a list of all third parties and affiliates with whom the regulated entity or small business has shared or sold the consumer’s health data and an active email address or other online mechanism that the consumer may use to contact these third parties.

(b) Withdrawal of consent. A consumer has the right to withdraw consent from a regulated entity’s or small business’s collection and sharing of consumer health data regarding the consumer.

(c) Right to delete. A consumer has the right to have consumer health data regarding the consumer deleted and may exercise that right by informing the regulated entity or small business of the consumer’s request for deletion.

(1) A regulated entity or small business that receives a consumer’s request to delete any consumer health data regarding the consumer shall:

(A) delete the consumer health data from its records, including from all parts of the regulated entity’s or small business’s network, including archived or backup systems pursuant to subdivision (3) of this subsection (c); and

(B) notify all affiliates, processors, contractors, and other third parties with whom the regulated entity or the small business has shared consumer health data of the deletion request.

(2) All affiliates, processors, contractors, and other third parties that receive notice of a consumer’s deletion request shall honor the consumer’s deletion request and delete the consumer health data from its records in accordance with the requirements of this subchapter.

(3) If consumer health data that a consumer requests to be deleted is stored on archived or backup systems, then the request for deletion may be delayed to enable restoration of the archived or backup systems, provided that the delay shall not exceed six months from the date of authentication of the deletion request.

(d) Request requirements.

(1) A consumer may exercise the rights set forth in this chapter by submitting a request to a regulated entity or small business at any time. The request may be made by a secure and reliable means established by the regulated entity or small business and described in its consumer health data privacy policy. The method shall take into account the ways in which consumers normally interact with the regulated entity or small business, the need for secure and reliable communication of such requests, and the ability of the regulated entity or the small business to authenticate the identity of the consumer making the request. A regulated entity or small business shall not require a consumer to create a new account in order to exercise consumer rights pursuant to this subchapter but may require a consumer to use an existing account.

(2) If a regulated entity or small business is unable to authenticate the request using commercially reasonable efforts, the regulated entity or small business is not required to comply with a request to initiate an action under this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer’s request.

(3) Information provided in response to a consumer request shall be provided by a regulated entity or small business free of charge, up to twice annually per consumer. If requests from a consumer are manifestly unfounded, excessive, or repetitive, the regulated entity or small business may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The regulated entity or small business bears the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.

(4) A regulated entity or small business shall comply with a consumer’s requests under subsections (a) through (c) of this section without undue delay, but in all cases within 45 days following receipt of the request submitted pursuant to the methods described in this section. A regulated entity or small business shall promptly take steps to authenticate a consumer request; provided, however, that completion of these steps does not extend the regulated entity’s or small business’s duty to comply with the consumer’s request within 45 days following receipt of the consumer’s request. The response period may be extended once by 45 additional days when reasonably necessary, taking into account the complexity and number of the consumer’s requests, provided the regulated entity or small business informs the consumer of any such extension within the initial 45-day response period, together with the reason for the extension.

(e) Consumer appeal. A regulated entity or small business shall establish a process for a consumer to appeal the regulated entity’s or small business’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within 45 days following receipt of an appeal, a regulated entity or small business shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the regulated entity or small business shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Office of the Attorney General to submit a complaint.

§ 1891g. PROTECTION OF CONSUMER HEALTH DATA
A regulated entity or small business shall:
(1) restrict access to consumer health data by the regulated entity’s or small business’s employees, processors, and contractors to only those employees, processors, and contractors for whom access is necessary to further the purposes for which the consumer provided consent or where necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from the regulated entity or small business; and
(2) establish, implement, and maintain administrative, technical, and physical data security practices that, at a minimum, satisfy reasonable standards of care within the regulated entity’s or small business’s industry to protect the confidentiality, integrity, and accessibility of consumer health data appropriate to the volume and nature of the consumer health data at issue.
§ 1891h. PROCESSORS OF CONSUMER HEALTH DATA
(a) Contract required.
(1) A processor may process consumer health data only pursuant to a binding contract between the processor and the regulated entity or small business that sets forth the processing instructions and limits the actions the processor may take with respect to the consumer health data it processes on behalf of the regulated entity or small business.
(2) A processor may process consumer health data only in a manner that is consistent with the binding instructions set forth in the contract with the regulated entity or small business.
(b) Obligation to assist. To the extent possible, a processor shall use appropriate technical and organizational measures to assist the regulated entity or small business in fulfilling the regulated entity’s and the small business’s obligations under this chapter.
(c) Failure to adhere. If a processor fails to adhere to the regulated entity’s or small business’s instructions or processes consumer health data in a manner that is outside the scope of the processor’s contract with the regulated entity or small business, the processor is considered a regulated entity or small business with respect to the data and is subject to all the requirements of this chapter with regard to the data.
§ 1891i. LIMITATIONS ON SALE OF CONSUMER HEALTH DATA
(a) Authorization required. It is unlawful for any person to sell or offer to sell consumer health data regarding a consumer without first obtaining valid authorization from the consumer. The sale of consumer health data must be consistent with the valid authorization signed by the consumer. This authorization shall be separate and distinct from the consent obtained to collect or share consumer health data, as required under section 1891e of this chapter.
(b) Requirements of a valid authorization. A valid authorization to sell consumer health data shall be a document that is consistent with this section and is written in plain language. A valid authorization to sell consumer health data shall contain all of the following:
(1) the specific consumer health data regarding the consumer that the person intends to sell;
(2) the name and contact information of the person collecting and selling the consumer health data;
(3) the name and contact information of the person purchasing the consumer health data from the seller identified in subdivision (2) of this subsection;
(4) a description of the purpose for the sale, including how the consumer health data will be gathered and how it will be used by the purchaser identified in subdivision (3) of this subsection when sold;
(5) a statement that the provision of goods or services shall not be conditioned on the consumer signing the valid authorization;
(6) a statement that the consumer has a right to revoke the valid authorization at any time and a description of how to submit a revocation of the valid authorization;
(7) a statement that the consumer health data sold pursuant to the valid authorization may be subject to redisclosure by the purchaser and may no longer be protected by this section;
(8) an expiration date for the valid authorization that expires one year after the consumer signs the valid authorization; and
(9) the signature of the consumer and date.
(c) Invalid authorizations. An authorization is not valid if the document has any of the following defects:
(1) the expiration date has passed;
(2) the authorization does not contain all of the information required under this section;
(3) the authorization has been revoked by the consumer;
(4) the authorization has been combined with other documents to create a compound authorization; or
(5) the provision of goods or services is conditioned on the consumer signing the authorization.
(d) Copies and retention.
(1) A copy of the signed valid authorization shall be provided to the consumer.
(2) A seller or purchaser of consumer health data shall retain a copy of each valid authorization for the sale of consumer health data for six years from the date of its signature or the date when it was last in effect, whichever is later.
§ 1891j. GEOFENCES PROHIBITED
It is unlawful for any person to implement a geofence to establish a virtual boundary that is within 1,850 feet of any health care facility, including any mental health facility or reproductive or sexual health facility, for the purpose of identifying, tracking, collecting data from, or sending any notification to a consumer regarding the consumer’s consumer health data.
§ 1891k. VIOLATIONS; ENFORCEMENT
(a) A violation of this subchapter shall be deemed a violation of the Consumer Protection Act, 9 V.S.A. chapter 63. The Attorney General has the same authority to make rules, conduct civil investigations, enter into assurances of discontinuance, and bring civil actions, and private parties have the same rights and remedies, as provided under 9 V.S.A. chapter 63, subchapter 1.
(b) Nothing in this section shall be construed to preclude or supplant any other statutory or common law remedies.
§ 1891l. EXEMPTIONS
(a) This subchapter shall not apply to:
(1) information that meets the definition of:
(A) protected health information for purposes of the federal Health Insurance Portability and Accountability Act of 1996 and related regulations;
(B) patient-identifying information collected, used, or disclosed in accordance with 42 C.F.R. Part 2, established pursuant to 42 U.S.C. § 290dd-2; or
(C) identifiable private information for purposes of the federal policy for the protection of human subjects, 45 C.F.R. Part 46; identifiable private information that is otherwise information collected as part of human subjects research pursuant to the Good Clinical Practice Guidelines issued by the International Council for Harmonization; the protection of human subjects under 21 C.F.R. Parts 50 and 56; or personal data used or shared in research conducted in accordance with one or more of the requirements set forth in this subsection (a);
(2) information and documents created specifically for, and collected and maintained as part of, the patient safety surveillance and improvement system established pursuant to chapter 43A of this title;
(3) information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, and related regulations;
(4) patient safety work product for purposes of 42 C.F.R. Part 3, established pursuant to 42 U.S.C. §§ 299b-21–299b-26;
(5) information that is deidentified in accordance with the requirements for deidentification set forth in 45 C.F.R. Part 164;
(6) information originating from, and intermingled so as to be indistinguishable with, information described under subdivisions (1)–(5) of this subsection that is maintained by:
(A) a covered entity that is not a hybrid entity, any health care component of a hybrid entity, or a business associate as those terms are defined by the Health Insurance Portability and Accountability Act of 1996 and related regulations;
(B) a health care facility or health care provider, as defined in section 9402 of this title; or
(C) a program or a qualified service organization as defined by 42 C.F.R. Part 2, established pursuant to 42 U.S.C. § 290dd-2;
(7) information used only for public health activities and purposes as described in 45 C.F.R. § 164.512 or that is part of a limited data set, as defined, and is used, disclosed, and maintained in the manner required, by 45 C.F.R. § 164.514; or
(8) an area agency on aging.
(b) Personal information that is governed by and collected, used, or disclosed pursuant to the following regulations, parts, titles, or acts is exempt from this subchapter:
(1) the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq. and implementing regulations;
(2) part C of Title XI of the Social Security Act, 42 U.S.C. § 1320d et seq.;
(3) the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.;
(4) the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g and 34 C.F.R. Part 99; and
(5) the Vermont Health Benefit Exchange, 33 V.S.A. chapter 18, subchapter 1, and related federal laws and Vermont rules, including 45 C.F.R. § 155.260.
(c) The obligations imposed on regulated entities, small businesses, and processors under this subchapter shall not be construed to restrict a regulated entity’s, small business’s, or processor’s ability to collect, use, or disclose consumer health data to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any activity that is illegal under Vermont or federal law; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action that is illegal under Vermont or federal law.
(d) If a regulated entity, small business, or processor processes consumer health data pursuant to subsection (c) of this section, that entity shall bear the burden of demonstrating that the processing qualifies for the exemption and complies with the requirements of this section.
Sec. 2. EFFECTIVE DATE
This act shall take effect on January 1, 2026.