Vermont 2025-2026 Regular Session

Vermont Senate Bill S0074 Latest Draft

Bill / Introduced Version Filed 02/18/2025

                            BILL AS INTRODUCED 	S.74 
2025 	Page 1 of 30 
 
 
VT LEG #379087 v.1 
S.74
Introduced by Senators Lyons, Gulick and Harrison
Referred to Committee on
Date:
Subject: Health; health information; data privacy
Statement of purpose of bill as introduced:  This bill proposes to regulate the
collection, sharing, and selling of consumer health data in Vermont.
An act relating to the collection, sharing, and selling of consumer health
data
It is hereby enacted by the General Assembly of the State of Vermont:
Sec. 1.  18 V.S.A. chapter 42B is amended to read:
42B.  HEALTH CARE PRIVACY
Subchapter 1.  Disclosure of Protected Health Information
§ 1881.  DISCLOSURE OF PROTECTED HEALTH INFORMATION PROHIBITED
* * *
Subchapter 2.  Vermont My Health My Data Act
§ 1891a.  SHORT TITLE
This subchapter shall be known and may be cited as the “Vermont My
Health My Data Act.”
§ 1891b.  FINDINGS AND INTENT
(a)  Findings.  The General Assembly finds that:
(1)  The residents of Vermont regard their privacy as a fundamental right
and an essential element of their individual freedom.  Fundamental privacy
rights have long been and continue to be integral to protecting Vermonters and
to safeguarding our democratic republic.
(2)  Information related to an individual’s health conditions or attempts
to obtain health care services is among the most personal and sensitive
categories of data collected.  Vermonters expect that their health data is
protected under laws like the Health Insurance Portability and Accountability
Act of 1996 (HIPAA).  However, HIPAA only covers health data collected by
specific health care entities, including most health care providers.  Health data
collected by noncovered entities, including certain applications and websites,
are not afforded the same protections.  This act works to close the gap between
consumer knowledge and industry practice by providing stronger privacy
protections for all of Vermont consumers’ health data.
(b)  Intent.  By enacting this subchapter, it is the intent of the General
Assembly to provide heightened protections for Vermonters’ health data by:
(1)  requiring additional disclosures and consumer consent regarding the
collection, sharing, and use of their health data;
(2)  empowering consumers with the right to have their health data
deleted;
(3)  prohibiting the selling of consumer health data without valid
authorization signed by the consumer; and
(4)  making it unlawful to utilize a geofence around a facility that
provides health care services.
§ 1891c.  DEFINITIONS
As used in this subchapter:
(1)  “Abortion” means any medical treatment intended to induce the
termination of, or to terminate, a clinically diagnosable pregnancy except for
the purpose of producing a live birth.
(2)  “Affiliate” means a legal entity that shares common branding with
another legal entity and controls, is controlled by, or is under common control
with another legal entity.  For purposes of this definition, “control” or
“controlled” means any one or more of the following:
(A)  ownership of, or the power to vote, more than 50 percent of the
outstanding shares of any class of voting security of a company;
(B)  control in any manner over the election of a majority of the
directors or of individuals exercising similar functions; or
(C)  the power to exercise controlling influence over the management
of a company.
(3)  “Area agency on aging” has the same meaning as in 33 V.S.A.
§ 6203.
(4)  “Authenticate” means to use reasonable means to determine that a
request to exercise any of the rights afforded in this chapter is being made by
or on behalf of the consumer who is entitled to exercise those consumer rights
with respect to the consumer health data at issue.
(5)  “Biometric data” means data that is generated from the measurement
or technological processing of an individual’s physiological, biological, or
behavioral characteristics and that identifies a consumer, whether individually
or in combination with other data.  Biometric data includes:
(A)  imagery of the iris, retina, fingerprint, face, hand, palm, vein
patterns, and voice recordings, from which an identifier template can be
extracted; and
(B)  keystroke patterns or rhythms and gait patterns or rhythms that
contain identifying information.
(6)  “Collect” means to buy, rent, access, retain, receive, acquire, infer,
derive, or otherwise process consumer health data in any manner.
(7)(A)  “Consent” means a clear affirmative act that signifies the
consumer’s freely given, specific, informed, opt-in, voluntary, and
unambiguous agreement, which may include written consent provided by
electronic means.
(B)  “Consent” shall not be obtained by:
(i)  a consumer’s acceptance of a general or broad terms-of-use
agreement or a similar document that contains descriptions of personal data
processing along with other unrelated information;
(ii)  a consumer hovering over, muting, pausing, or closing a given
piece of content; or
(iii)  a consumer’s agreement obtained through the use of deceptive
designs.
(8)(A)  “Consumer” means a natural person who meets one or both of
the following conditions:
(i)  the person is a Vermont resident; or
(ii)  the person’s consumer health data is collected in Vermont.
(B)  “Consumer” means a natural person who acts only in an
individual or household context, however identified, including by any unique
identifier.  The term does not include an individual acting in an employment
context.
(9)(A)  “Consumer health data” means personal information that is
linked or reasonably linkable to a consumer and that identifies the consumer’s
past, present, or future physical or mental health status.
(B)  For purposes of this definition, physical or mental health status
includes:
(i)  individual health conditions, treatment diseases, or diagnosis;
(ii)  social, psychological, behavioral, and medical interventions;
(iii)  health-related surgeries or procedures;
(iv)  use or purchase of prescribed medication;
(v)  bodily functions, vital signs, symptoms, or measurements of
the information described in this subdivision (B);
(vi)  diagnoses or diagnostic testing, treatment, or medication;
(vii)  gender-affirming care information;
(viii)  reproductive or sexual health information;
(ix)  biometric data;
(x)  genetic data;
(xi)  precise location information that could reasonably indicate a
consumer’s attempt to acquire or receive health services or supplies;
(xii)  data that identifies a consumer seeking health care services;
or
(xiii)  any information that a regulated entity or a small business,
or its respective processor, processes to associate or identify a consumer with
the data described in subdivisions (i)–(xii) of this subdivision (B) that is
derived or extrapolated from nonhealth information, such as proxy, derivative,
inferred, or emergency data by any means, including algorithms or machine
learning.
(C)  “Consumer health data” does not include personal information
that is used to engage in public or peer-reviewed scientific, historical, or
statistical research in the public interest that adheres to all other applicable
ethics and privacy laws and is approved, monitored, and governed by an
institutional review board, human subjects research ethics review board, or a
similar independent oversight entity that determines that the regulated entity or
the small business has implemented reasonable safeguards to mitigate privacy
risks associated with research, including any risks associated with
reidentification.
(10)  “Deceptive design” means a user interface designed or manipulated
with the effect of subverting or impairing user autonomy, decision making, or
choice.
(11)  “Deidentified data” means data that cannot reasonably be used to
infer information about, or otherwise be linked to, an identified or identifiable
consumer, or a device linked to such consumer, if the regulated entity or the
small business that possesses the data does all of the following:
(A)  takes reasonable measures to ensure that the data cannot be
associated with a consumer;
(B)  publicly commits to process the data only in a deidentified
fashion and not to attempt to reidentify the data; and
(C)  contractually obligates any recipients of the data to satisfy the
criteria set forth in this subdivision (11).
(12)  “Gender-affirming care information” means personal information
relating to seeking or obtaining past, present, or future gender-affirming health
care services.  “Gender-affirming care information” includes:
(A)  precise location information that could reasonably indicate a
consumer’s attempt to acquire or receive gender-affirming health care services;
(B)  efforts to research or obtain gender-affirming health care
services; or
(C)  any gender-affirming care information that is derived,
extrapolated, or inferred, including from nonhealth information such as proxy,
derivative, inferred, emergent, or algorithmic data.
(13)  “Gender-affirming health care services” has the same meaning as in
1 V.S.A. § 150.
(14)  “Genetic data” means any data, regardless of its format, that
concerns a consumer’s genetic characteristics.  “Genetic data” includes:
(A)  raw sequence data that result from the sequencing of a
consumer’s complete extracted deoxyribonucleic acid (DNA) or a portion of
the extracted DNA;
(B)  genotypic and phenotypic information that results from analyzing
the raw sequence data; and
(C)  self-reported health data that a consumer submits to a regulated
entity or a small business and that is analyzed in connection with the
consumer’s raw sequence data.
(15)  “Geofence” means technology that uses global positioning
coordinates, cell tower connectivity, cellular data, radio frequency
identification, Wi-Fi data, or any other form of spatial or location detection,
individually or in combination, to establish a virtual boundary around a
specific physical location or to locate a consumer within a virtual boundary.
(16)  “Health care service” means any service provided to a person to
assess, measure, improve, or learn about a person’s mental or physical health,
including:
(A)  individual health conditions, status, diseases, or diagnoses;
(B)  social, psychological, behavioral, and medical interventions;
(C)  health-related surgeries or procedures;
(D)  use or purchase of medication;
(E)  bodily functions, vital signs, symptoms, or measurements of the
information described in this subdivision (16);
(F)  diagnoses or diagnostic testing, treatment, or medication;
(G)  reproductive health services; or
(H)  gender-affirming health care services.
(17)  “Homepage” means the introductory page of an internet website
and any internet web page on which personal information is collected.  In the
case of an online service such as a mobile application, “homepage” means the
application’s platform page or download page, and a link within the
application, such as from the application configuration or the “about,”
“information,” or “settings” page.
(18)  “Person” means, where applicable, a natural person, corporation,
trust, unincorporated association, or partnership.  The term does not include a
government agency, tribal nation, or a contracted service provider when
processing consumer health data on behalf of a government agency.
(19)(A)  “Personal information” means information that identifies or is
reasonably capable of being associated or linked, directly or indirectly, with a
particular consumer.  “Personal information” includes data associated with a
persistent unique identifier, such as a cookie ID, an IP address, a device
identifier, or any other form of persistent unique identifier.
(B)  “Personal information” does not include publicly available
information or deidentified data.
(20)  “Precise location information” means information derived from
technology, including global positioning system level latitude and longitude
coordinates and other mechanisms, that directly identifies the specific location
of an individual with precision and accuracy within a radius of 1,850 feet.
“Precise location information” does not include the content of communications
or any data generated by or connected to advanced utility metering
infrastructure systems or equipment for use by a utility.
(21)  “Process” or “processing” means any operation or set of operations
performed on consumer health data.
(22)  “Processor” means a person who processes consumer health data
on behalf of a regulated entity or a small business.
(23)(A)  “Publicly available information” means information that:
(i)  is lawfully made available through federal, state, or municipal
government records or widely distributed media; and
(ii)  a regulated entity or a small business has a reasonable basis to
believe a consumer has lawfully made available to the general public.
(B)  “Publicly available information” does not include any biometric
data collected about a consumer by a business without the consumer’s consent.
(24)(A)  “Regulated entity” means any legal entity that:
(i)  conducts business in Vermont, or produces or provides
products or services that are targeted to consumers in Vermont; and
(ii)  alone or jointly with others, determines the purpose and means
of collecting, processing, sharing, or selling of consumer health data.
(B)  “Regulated entity” does not mean government agencies or
contracted service providers when processing consumer health data on behalf
of a government agency.
(25)(A)  “Reproductive or sexual health information” means personal
information relating to seeking or obtaining past, present, or future
reproductive or sexual health services.
(B)  “Reproductive or sexual health information” includes:
(i)  precise location information that could reasonably indicate a
consumer’s attempt to acquire or receive reproductive or sexual health
services;
(ii)  efforts to research or obtain reproductive or sexual health
services; or
(iii)  any reproductive or sexual health information that is derived,
extrapolated, or inferred, including from nonhealth information, such as proxy,
derivative, inferred, emergent, or algorithmic data.
(26)  “Reproductive or sexual health services” means health services or
products that support or relate to a consumer’s reproductive system or sexual
well-being, including:
(A)  individual health conditions, status, diseases, or diagnoses;
(B)  social, psychological, behavioral, and medical interventions;
(C)  health-related surgeries or procedures, including abortions;
(D)  use or purchase of medication, including medications for the
purposes of abortion;
(E)  bodily functions, vital signs, symptoms, or measurements of the
information described in this subdivision (26);
(F)  diagnoses or diagnostic testing, treatment, or medication;
(G)  medical or nonmedical services related to and provided in
conjunction with an abortion, including associated diagnostics, counseling,
supplies, and follow-up services; and
(H)  any other services included in the definition of “reproductive
health care services” in 1 V.S.A. § 150.
(27)(A)  “Sell” or “sale” means the exchange of consumer health data for
monetary or other valuable consideration.
(B)  “Sell” or “sale” does not include the exchange of consumer
health data for monetary or other valuable consideration:
(i)  to a third party as an asset that is part of a merger, acquisition,
bankruptcy, or other transaction in which the third party assumes control of all
or part of the regulated entity’s or the small business’s assets and complies
with the requirements and obligations in this chapter; or
(ii)  by a regulated entity or a small business to a processor when
such exchange is consistent with the purpose for which the consumer health
data was collected and the exchange was disclosed to the consumer.
(28)(A)  “Share” or “sharing” means to release, disclose, disseminate,
divulge, make available, provide access to, license, or otherwise communicate
orally, in writing, or by electronic or other means consumer health data by a
regulated entity or a small business to a third party or affiliate.
(B)  The term “share” or “sharing” does not include:
(i)  the disclosure of consumer health data by a regulated entity or
a small business to a processor when the sharing is to provide goods or
services in a manner consistent with the purpose for which the consumer health
data was collected and the exchange was disclosed to the consumer;
(ii)  the disclosure of consumer health data to a third party with
whom the consumer has a direct relationship when:
(I)  the disclosure is for purposes of providing a product or
service requested by the consumer;
(II)  the regulated entity or the small business maintains control
and ownership of the data; and
(III)  the third party uses the consumer health data only at the
direction of the regulated entity or the small business and consistent with the
purpose for which it was collected and consented to by the consumer; or
(iii)  the disclosure or transfer of personal data to a third party as an
asset that is part of a merger, acquisition, bankruptcy, or other transaction in
which the third party assumes control of all or part of the regulated entity’s or
the small business’s assets and complies with the requirements and obligations
in this chapter.
(29)  “Small business” means a regulated entity that satisfies one or both
of the following thresholds:
(A)  the entity collects, processes, sells, or shares the consumer health
data of fewer than 100,000 consumers during a calendar year; or
(B)  the entity derives less than 50 percent of its gross revenue from
the collection, processing, selling, or sharing of consumer health data and the
entity controls, processes, sells, or shares consumer health data of fewer than
25,000 consumers.
(30)  “Third party” means an entity other than a consumer, regulated
entity, processor, small business, or affiliate of the regulated entity or the small
business.
§ 1891d. CONSUMER HEALTH DATA PRIVACY POLICY REQUIRED
(a)  Each regulated entity or each small business shall maintain a consumer
health data privacy policy that clearly and conspicuously discloses:
(1)  the categories of consumer health data collected and the purpose for
which the data is collected, including how the data will be used;
(2)  the categories of sources from which the consumer health data is
collected;
(3)  the categories of consumer health data that is shared;
(4)  a list of the categories of third parties and specific affiliates with
whom the regulated entity or small business shares the consumer health data;
and
(5)  how a consumer can exercise the rights provided in section 1891f of
this chapter.
(b)  A regulated entity or small business shall prominently publish a link to
its consumer health data privacy policy on its homepage.
(c)  A regulated entity or small business shall not collect, use, or share
additional categories of consumer health data not disclosed in the consumer
health data privacy policy without first disclosing the additional categories and
obtaining the consumer’s affirmative consent prior to the collection, use, or
sharing of the consumer health data.
(d)  A regulated entity or small business shall not collect, use, or share
consumer health data for additional purposes not disclosed in the consumer
health data privacy policy without first disclosing the additional purposes and
obtaining the consumer’s affirmative consent prior to the collection, use, or
sharing of the consumer health data.
(e)  It is a violation of this subchapter for a regulated entity or small
business to contract with a processor to process consumer health data in a
manner that is inconsistent with the regulated entity’s or small business’s
consumer health data privacy policy.
§ 1891e. COLLECTION AND SHARING OF CONSUMER HEALTH DATA
(a)  A regulated entity or small business shall not collect any consumer
health data except:
(1)  with consent from the consumer for such collection for a specified
purpose; or
(2)  to the extent necessary to provide a product or service that the
consumer to whom the consumer health data relates has requested from the
regulated entity or small business.
(b)  A regulated entity or small business shall not share any consumer health
data except:
(1)  with consent from the consumer for the sharing that is separate and
distinct from the consent obtained to collect consumer health data; or
(2)  to the extent necessary to provide a product or service that the
consumer to whom the consumer health data relates has requested from the
regulated entity or small business.
(c)  Consent required under this section shall be obtained prior to the
collection or sharing, as applicable, of any consumer health data, and the
request for consent must clearly and conspicuously disclose:
(1)  the categories of consumer health data collected or shared;
(2)  the purpose of the collection or sharing of the consumer health data,
including the specific ways in which it will be used;
(3)  the categories of entities with whom the consumer health data is
shared; and
(4)  how the consumer can withdraw consent from future collection or
sharing of the consumer’s health data.
(d)  A regulated entity or small business shall not unlawfully discriminate
against a consumer for exercising any rights included in this chapter.
§ 1891f. CONSUMER RIGHTS
(a)  Confirmation.  A consumer has the right to confirm whether a regulated
entity or a small business is collecting, sharing, or selling consumer health data
regarding the consumer and to access that data, including a list of all third
parties and affiliates with whom the regulated entity or small business has
shared or sold the consumer’s health data and an active email address or other
online mechanism that the consumer may use to contact these third parties.
(b)  Withdrawal of consent.  A consumer has the right to withdraw consent
from a regulated entity’s or small business’s collection and sharing of
consumer health data regarding the consumer.
(c)  Right to delete.  A consumer has the right to have consumer health data
regarding the consumer deleted and may exercise that right by informing the
regulated entity or small business of the consumer’s request for deletion.
(1)  A regulated entity or small business that receives a consumer’s
request to delete any consumer health data regarding the consumer shall:
(A)  delete the consumer health data from its records, including from
all parts of the regulated entity’s or small business’s network, including
archived or backup systems pursuant to subdivision (3) of this subsection (c);
and
(B)  notify all affiliates, processors, contractors, and other third parties
with whom the regulated entity or the small business has shared consumer
health data of the deletion request.
(2)  All affiliates, processors, contractors, and other third parties that
receive notice of a consumer’s deletion request shall honor the consumer’s
deletion request and delete the consumer health data from its records in
accordance with the requirements of this subchapter.
(3)  If consumer health data that a consumer requests to be deleted is
stored on archived or backup systems, then the request for deletion may be
delayed to enable restoration of the archived or backup systems, provided that
the delay shall not exceed six months from the date of authentication of the
deletion request.
(d)  Request requirements.
(1)  A consumer may exercise the rights set forth in this chapter by
submitting a request to a regulated entity or small business at any time.  The
request may be made by a secure and reliable means established by the
regulated entity or small business and described in its consumer health data
privacy policy.  The method shall take into account the ways in which
consumers normally interact with the regulated entity or small business, the
need for secure and reliable communication of such requests, and the ability of
the regulated entity or the small business to authenticate the identity of the
consumer making the request.  A regulated entity or small business shall not
require a consumer to create a new account in order to exercise consumer
rights pursuant to this subchapter but may require a consumer to use an
existing account.
(2)  If a regulated entity or small business is unable to authenticate the
request using commercially reasonable efforts, the regulated entity or small
business is not required to comply with a request to initiate an action under this
section and may request that the consumer provide additional information
reasonably necessary to authenticate the consumer and the consumer’s request.
(3)  Information provided in response to a consumer request shall be
provided by a regulated entity or small business free of charge, up to twice
annually per consumer.  If requests from a consumer are manifestly unfounded,
excessive, or repetitive, the regulated entity or small business may charge the
consumer a reasonable fee to cover the administrative costs of complying with
the request or decline to act on the request.  The regulated entity or small
business bears the burden of demonstrating the manifestly unfounded,
excessive, or repetitive nature of the request.
(4)  A regulated entity or small business shall comply with a consumer’s
requests under subsections (a) through (c) of this section without undue delay,
but in all cases within 45 days following receipt of the request submitted
pursuant to the methods described in this section.  A regulated entity or small
business shall promptly take steps to authenticate a consumer request;
provided, however, that completion of these steps does not extend the
regulated entity’s or small business’s duty to comply with the consumer’s
request within 45 days following receipt of the consumer’s request.  The
response period may be extended once by 45 additional days when reasonably
necessary, taking into account the complexity and number of the consumer’s
requests, provided the regulated entity or small business informs the consumer
of any such extension within the initial 45-day response period, together with
the reason for the extension.
(e)  Consumer appeal.  A regulated entity or small business shall establish a
process for a consumer to appeal the regulated entity’s or small business’s
refusal to take action on a request within a reasonable period of time after the
consumer’s receipt of the decision.  The appeal process shall be conspicuously
available and similar to the process for submitting requests to initiate action
pursuant to this section.  Within 45 days following receipt of an appeal, a
regulated entity or small business shall inform the consumer in writing of any
action taken or not taken in response to the appeal, including a written
explanation of the reasons for the decisions.  If the appeal is denied, the
regulated entity or small business shall also provide the consumer with an
online mechanism, if available, or other method through which the consumer
may contact the Office of the Attorney General to submit a complaint.
§ 1891g.  PROTECTION OF CONSUMER HEALTH DATA
A regulated entity or small business shall:
(1)  restrict access to consumer health data by the regulated entity’s or
small business’s employees, processors, and contractors to only those
employees, processors, and contractors for whom access is necessary to further
the purposes for which the consumer provided consent or where necessary to
provide a product or service that the consumer to whom such consumer health
data relates has requested from the regulated entity or small business; and
(2)  establish, implement, and maintain administrative, technical, and
physical data security practices that, at a minimum, satisfy reasonable
standards of care within the regulated entity’s or small business’s industry to
protect the confidentiality, integrity, and accessibility of consumer health data
appropriate to the volume and nature of the consumer health data at issue.
§ 1891h.  PROCESSORS OF CONSUMER HEALTH DATA 1 
(a) Contract required.   2 
(1)  A processor may process consumer health data only pursuant to a 3 
binding contract between the processor and the regulated entity or small 4 
business that sets forth the processing instructions and limits the actions the 5 
processor may take with respect to the consumer health data it processes on 6 
behalf of the regulated entity or small business. 7 
(2)  A processor may process consumer health data only in a manner that 8 
is consistent with the binding instructions set forth in the contract with the 9 
regulated entity or small business. 10 
(b)  Obligation to assist.  To the extent possible, a processor shall use 11 
appropriate technical and organizational measures to assist the regulated entity 12 
or small business in fulfilling the regulated entity’s and the small business’s 13 
obligations under this chapter. 14 
(c)  Failure to adhere.  If a processor fails to adhere to the regulated entity’s 15 
or small business’s instructions or processes consumer health data in a manner 16 
that is outside the scope of the processor’s contract with the regulated entity or 17 
small business, the processor is considered a regulated entity or small business 18 
with respect to the data and is subject to all the requirements of this chapter 19 
with regard to the data. 20
§ 1891i.  LIMITATIONS ON SALE OF CONSUMER HEALTH DATA 1 
(a)  Authorization required.  It is unlawful for any person to sell or offer to 2 
sell consumer health data regarding a consumer without first obtaining valid 3 
authorization from the consumer.  The sale of consumer health data must be 4 
consistent with the valid authorization signed by the consumer.  This 5 
authorization shall be separate and distinct from the consent obtained to collect 6 
or share consumer health data, as required under section 1891e of this chapter. 7 
(b)  Requirements of a valid authorization.  A valid authorization to sell 8 
consumer health data shall be a document that is consistent with this section 9 
and is written in plain language.  A valid authorization to sell consumer health 10 
data shall contain all of the following: 11 
(1)  the specific consumer health data regarding the consumer that the 12 
person intends to sell; 13 
(2)  the name and contact information of the person collecting and selling 14 
the consumer health data; 15 
(3)  the name and contact information of the person purchasing the 16 
consumer health data from the seller identified in subdivision (2) of this 17 
subsection; 18 
(4)  a description of the purpose for the sale, including how the consumer 19 
health data will be gathered and how it will be used by the purchaser identified 20 
in subdivision (3) of this subsection when sold; 21
(5)  a statement that the provision of goods or services shall not be 1 
conditioned on the consumer signing the valid authorization; 2 
(6)  a statement that the consumer has a right to revoke the valid 3 
authorization at any time and a description of how to submit a revocation of 4 
the valid authorization; 5 
(7)  a statement that the consumer health data sold pursuant to the valid 6 
authorization may be subject to redisclosure by the purchaser and may no 7 
longer be protected by this section; 8 
(8)  an expiration date for the valid authorization that expires one year 9 
after the consumer signs the valid authorization; and 10 
(9)  the signature of the consumer and date. 11 
(c)  Invalid authorizations.  An authorization is not valid if the document 12 
has any of the following defects: 13 
(1)  the expiration date has passed; 14 
(2)  the authorization does not contain all of the information required 15 
under this section; 16 
(3)  the authorization has been revoked by the consumer; 17 
(4)  the authorization has been combined with other documents to create 18 
a compound authorization; or 19 
(5)  the provision of goods or services is conditioned on the consumer 20 
signing the authorization. 21
(d)  Copies and retention.   1 
(1)  A copy of the signed valid authorization shall be provided to the 2 
consumer. 3 
(2)  A seller or purchaser of consumer health data shall retain a copy of 4 
each valid authorization for the sale of consumer health data for six years from 5 
the date of its signature or the date when it was last in effect, whichever is 6 
later. 7 
§ 1891j.  GEOFENCES PROHIBITED 8 
It is unlawful for any person to implement a geofence to establish a virtual 9 
boundary that is within 1,850 feet of any health care facility, including any 10 
mental health facility or reproductive or sexual health facility, for the purpose 11 
of identifying, tracking, collecting data from, or sending any notification to a 12 
consumer regarding the consumer’s consumer health data. 13 
§ 1891k.  VIOLATIONS; ENFORCEMENT 14 
(a)  A violation of this subchapter shall be deemed a violation of the 15 
Consumer Protection Act, 9 V.S.A. chapter 63.  The Attorney General has the 16 
same authority to make rules, conduct civil investigations, enter into 17 
assurances of discontinuance, and bring civil actions, and private parties have 18 
the same rights and remedies, as provided under 9 V.S.A. chapter 63, 19 
subchapter 1. 20
(b)  Nothing in this section shall be construed to preclude or supplant any 1 
other statutory or common law remedies.  2 
§ 1891l.  EXEMPTIONS 3 
(a)  This subchapter shall not apply to: 4 
(1)  information that meets the definition of: 5 
(A)  protected health information for purposes of the federal Health 6 
Insurance Portability and Accountability Act of 1996 and related regulations; 7 
(B)  patient-identifying information collected, used, or disclosed in 8 
accordance with 42 C.F.R. Part 2, established pursuant to 42 U.S.C. § 290dd-2; 9 
or 10 
(C)  identifiable private information for purposes of the federal policy 11 
for the protection of human subjects, 45 C.F.R. Part 46; identifiable private 12 
information that is otherwise information collected as part of human subjects 13 
research pursuant to the Good Clinical Practice Guidelines issued by the 14 
International Council for Harmonization; the protection of human subjects 15 
under 21 C.F.R. Parts 50 and 56; or personal data used or shared in research 16 
conducted in accordance with one or more of the requirements set forth in this 17 
subsection (a); 18 
(2)  information and documents created specifically for, and collected 19 
and maintained as part of, the patient safety surveillance and improvement 20 
system established pursuant to chapter 43A of this title; 21
(3)  information and documents created for purposes of the federal 1 
Health Care Quality Improvement Act of 1986, and related regulations; 2 
(4)  patient safety work product for purposes of 42 C.F.R. Part 3, 3 
established pursuant to 42 U.S.C. §§ 299b-21–299b-26; 4 
(5)  information that is deidentified in accordance with the requirements 5 
for deidentification set forth in 45 C.F.R. Part 164; 6 
(6)  information originating from, and intermingled so as to be 7 
indistinguishable with, information described under subdivisions (1)–(5) of 8 
this subsection that is maintained by: 9 
(A)  a covered entity that is not a hybrid entity, any health care 10 
component of a hybrid entity, or a business associate as those terms are defined 11 
by the Health Insurance Portability and Accountability Act of 1996 and related 12 
regulations; 13 
(B)  a health care facility or health care provider, as defined in section 14 
9402 of this title; or 15 
(C)  a program or a qualified service organization as defined by 42 16 
C.F.R. Part 2, established pursuant to 42 U.S.C. § 290dd-2; 17 
(7)  information used only for public health activities and purposes as 18 
described in 45 C.F.R. § 164.512 or that is part of a limited data set, as defined, 19 
and is used, disclosed, and maintained in the manner required, by 45 C.F.R. 20 
§ 164.514; or 21
(8)  an area agency on aging. 1 
(b)  Personal information that is governed by and collected, used, or 2 
disclosed pursuant to the following regulations, parts, titles, or acts is exempt 3 
from this subchapter: 4 
(1)  the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq. and 5 
implementing regulations; 6 
(2)  part C of Title XI of the Social Security Act, 42 U.S.C. § 1320d et 7 
seq.;  8 
(3)  the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.; 9 
(4)  the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g 10 
and 34 C.F.R. Part 99; and 11 
(5)  the Vermont Health Benefit Exchange, 33 V.S.A. chapter 18, 12 
subchapter 1, and related federal laws and Vermont rules, including 45 C.F.R. 13 
§ 155.260. 14 
(c)  The obligations imposed on regulated entities, small businesses, and 15 
processors under this subchapter shall not be construed to restrict a regulated 16 
entity’s, small business’s, or processor’s ability to collect, use, or disclose 17 
consumer health data to prevent, detect, protect against, or respond to security 18 
incidents, identity theft, fraud, harassment, malicious or deceptive activities, or 19 
any activity that is illegal under Vermont or federal law; preserve the integrity 20
or security of systems; or investigate, report, or prosecute those responsible for 1 
any such action that is illegal under Vermont or federal law. 2 
(d)  If a regulated entity, small business, or processor processes consumer 3 
health data pursuant to subsection (c) of this section, that entity shall bear the 4 
burden of demonstrating that the processing qualifies for the exemption and 5 
complies with the requirements of this section. 6 
Sec. 2.  EFFECTIVE DATE 7
This act shall take effect on January 1, 2026. 8