103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
HB3603
 
Introduced 2/17/2023, by Rep. Ann M. Williams
 
SYNOPSIS AS INTRODUCED:
 

 
New Act

     Amends the Protect Health Data Privacy Act. Provides that a regulated entity shall disclose and maintain a health data privacy policy that, in plain language, clearly and conspicuously disclosures specified information. Provides that a regulated entity shall prominently publish its health data privacy policy on its website homepage. Provides that a regulated entity shall not collect, share, sell, or store categories of health data not disclosed in the health data privacy policy without first disclosing the  categories of health data and obtaining the consumer's consent prior to the collection, sharing, selling, or storing of such  data. Prohibits the collection, sharing, selling, or storing of health data. Describes the regulated entity's duty to obtain consent; the consumer's right to withdraw consent; prohibitions on discrimination; prohibitions on geofencing; a private right of action; enforcement by the Attorney General; and conflicts with other laws. Makes other changes.
  


LRB103 29143 CPF 55529 b

 
 
A BILL FOR
 

  
HB3603LRB103 29143 CPF 55529 b


  
1    AN ACT concerning safety.
  
 
2    Be it enacted by the People of the State of Illinois,
 
3represented in the General Assembly:
  
 
 
4    Section 1. Short title. This Act may be cited as the 
5Protect Health Data Privacy Act.
 
6    Section 5. Definitions.
As used in this Act:


7    "Collect" means to buy, rent, lease, access, retain, 
8receive, acquire, or otherwise process health data in any 
9manner.


10    "Consent" means a clear affirmative act by a consumer that 
11unambiguously communicates the consumer's express, freely 
12given, informed, opt-in, voluntary, specific, and unambiguous 
13written agreement, which may include written consent provided 
14by electronic means, to the collection, sale, sharing or 
15storage of health data.
Consent may not be implied, and 
16consent cannot be obtained by:

17        (1)    acceptance of a general or broad terms of use 
18    agreement or a similar document that contains descriptions 
19    of personal data processing along with other, unrelated 
20    information;

21        (2)    hovering over, muting, pausing, or closing a given 
22    piece of digital content; or

23        (3)   agreement obtained through the use of deceptive 
 
 
HB3603- 2 -LRB103 29143 CPF 55529 b

1    designs.

2    "Consumer" means a person who is a resident of the State, 
3however identified, including by any unique identifier. A 
4person located in the State when the person's health data is 
5collected by a regulated entity will create a presumption that 
6the person is a resident of the State for purposes of enforcing 
7this Act.


8    "Deceptive design" means any user interface or element 
9thereof that has the effect of subverting, impairing, or 
10impeding an individual's autonomy, decision-making, or choice.


11    "Deidentified data" means data that cannot be used to 
12infer information about, or otherwise be linked to, an 
13identified or identifiable individual, or a device linked to 
14such individual. A regulated entity that possesses 
15deidentified data shall: (i) take reasonable measures to 
16ensure that such data cannot be associated with an individual; 
17(ii) publicly commit to process such data only in a 
18deidentified fashion and not attempt to reidentify such data; 
19and, (iii) contractually obligate any recipients of such data 
20to satisfy the criteria set forth in items (i) and (ii).


21    "Geofence" means technology that uses global positioning 
22coordinates, cell tower connectivity, cellular data, radio 
23frequency identification, wireless Internet data, or any other 
24form of location detection to establish a virtual boundary 
25around a specific physical location.


26    "Health data" means information regarding, relating to, 
 
 
HB3603- 3 -LRB103 29143 CPF 55529 b

1derived, or extrapolated from the past, present, or future 
2physical or mental health of a consumer, including, but not 
3limited to, any information relating to:

4        (1)     individual health conditions, treatment, status, 
5    diseases, or diagnoses;

6        (2)      health related surgeries or procedures;

7        (3)      use or purchase of medication;

8        (4)      social, psychological, behavioral, and medical 
9    interventions;

10        (5)      bodily functions, vital signs, measurements, or 
11    symptoms;

12        (6)      diagnoses or diagnostic testing, treatment, or 
13    medication;

14        (7)     efforts to research or obtain health services or 
15    supplies;

16        (8)     health services or products that support or relate 
17    to lawful health care, as defined by Public Act 102-1117;

18        (9)     location information that could reasonably 
19    indicate a consumer's attempt to acquire or receive health 
20    services or supplies; and

21        (10)     any information described in paragraphs (1) 
22    through (9) that is derived or extrapolated from nonhealth 
23    information, including by use of algorithms or machine 
24    learning.

25    "Health data" does not include personal information 
26collected with the consumer's consent that is used to engage 
 
 
HB3603- 4 -LRB103 29143 CPF 55529 b

1in public or peer-reviewed scientific, historical, or 
2statistical research in the public interest that adheres to 
3all other applicable ethics and privacy laws and is approved, 
4monitored, and governed by an institutional review board, 
5human subjects research ethics review board, or a similar 
6independent oversight entity that determines that the 
7regulated entity has implemented reasonable safeguards to 
8mitigate privacy risks associated with research, including any 
9risks associated with reidentification.


10    "Health services" means any service, medical care, or 
11information related to a consumer's health data provided to a 
12consumer.


13    "Homepage" means the introductory page of an Internet 
14website and any Internet web page where personal information 
15is collected. In the case of an online service, such as a 
16mobile application, homepage means the application's platform 
17page or download page, such as from the application 
18configuration, "About," "Information," or settings page, and 
19any other location that allows consumers to review the notice.


20    "Personal information" means information that identifies, 
21relates to, describes, is reasonably capable of being 
22associated with, or linked, directly or indirectly, with a 
23particular consumer or household. "Personal information" does 
24not include publicly available information or deidentified 
25data. "Publicly available" means information that is lawfully 
26made available from federal, State, or local government 
 
 
HB3603- 5 -LRB103 29143 CPF 55529 b

1records.


2    "Regulated entity" means any individual, partnership, 
3corporation, limited liability company, association, or other 
4group, however organized, that: (i) conducts business in the 
5State or produces products or services that are available to 
6consumers in the State, and (ii) for any purpose, handles, 
7collects, shares, sells, stores or otherwise deals with health 
8data. "Regulated entity" does not mean government agencies, 
9tribal nations, a clerk of the court, or a judge or justice 
10thereof.


11    "Sell" or "sale" means when a regulated entity, directly 
12or indirectly, receives any form of remuneration or other 
13valuable consideration from the use of health data or from the 
14recipient of the health data in exchange for the health data. 
15"Sell" does not include:

16        (1)     the sharing of health data to a recipient where 
17    the regulated entity maintains control and ownership of 
18    the health data;

19        (2)     the sharing of health data to comply with 
20    applicable laws or regulations;

21        (3)   the recipient uses the health data only at the 
22    direction of the regulated entity and consistent with the 
23    purpose for which it was collected and disclosed to the 
24    consumer; and

25        (4)     the transfer of health data to a third party as an 
26    asset as part of a merger, acquisition, bankruptcy, or 
 
 
HB3603- 6 -LRB103 29143 CPF 55529 b

1    other transaction in which the third party assumes control 
2    of all or part of the regulated entity's assets that shall 
3    comply with the requirements and obligations in this Act.


4    "Share" means to release, disclose, disseminate, divulge, 
5loans, make available, provide access to, license, or 
6otherwise communicate orally, in writing, or by electronic or 
7other means, health data by a regulated entity to a third party 
8except where the regulated entity maintains exclusive control 
9and ownership of the health data. "Share" does not include:

10        (1)   the disclosure of health data to an entity who 
11    collects or processes the personal data on behalf of the 
12    regulated entity, when the regulated entity maintains 
13    control and ownership of the data and the third party 
14    maintains or uses the health data only for the regulated 
15    entity's distinct purposes;

16        (2)   the disclosure of health data to a third party 
17    with whom the consumer has a direct relationship for 
18    purposes of and only to the extent necessary for providing 
19    a product or service requested by the consumer when the 
20    regulated entity maintains control and ownership of the 
21    data and the third party maintains or uses the health data 
22    only for the regulated entity's distinct purposes; or

23        (3)   the disclosure or transfer of personal data to a 
24    third party as an asset that is part of a merger, 
25    acquisition, bankruptcy, or other transaction in which the 
26    third party assumes control of all or part of the 
 
 
HB3603- 7 -LRB103 29143 CPF 55529 b

1    regulated entity's assets and shall comply with the 
2    requirements and obligations in this Act.


3    "Third party" means an entity other than a consumer, 
4regulated entity, service provider, or affiliate of the 
5regulated entity.

 
6    Section 10. Scope.

7    (a)  This Act applies to consumers seeking, researching, or 
8obtaining health services within the State, or information 
9about health services available in the State and regulated 
10entities.


11    (b)    This Act does not affect an individual's right to 
12voluntarily share the individual's own health care information 
13with another person.

 
14    Section 15. Health data privacy policy required.

15    (a)   A regulated entity shall disclose and maintain a 
16health data privacy policy that, in plain language, clearly 
17and conspicuously discloses:

18        (1)   the specific types of health data collected and 
19    the purpose for which the data is collected and used;

20        (2)   the categories of sources from which the health 
21    data is collected;

22        (3)   the specific types of health data that are shared, 
23    sold, and stored;

24        (4) the categories of third parties with whom the 
 
 
HB3603- 8 -LRB103 29143 CPF 55529 b

1    regulated entity collects, shares, sells, and stores 
2    health data, and the process to withdraw consent from 
3    having health data collected, shared, sold, and stored;

4        (5) a list of the specific third parties to which the 
5    regulated entity shares health data, and an active 
6    electronic mail address or other online mechanism that the 
7    consumer may use to contact these third parties free of 
8    charge;

9        (6)   how a consumer may exercise the rights provided in 
10    this Act, including, but not limited to, identifying 2 or 
11    more designated methods for a consumer to contact the 
12    regulated entity in connection with the exercise of any 
13    rights provided in this Act;

14        (7)   the length of time the regulated entity intends to 
15    retain each category of health data, or if that is not 
16    possible, the criteria used to determine that period 
17    provided that a regulated entity shall not retain health 
18    data for each disclosed purpose for which the health data 
19    was collected for longer than is reasonably necessary to 
20    fulfill that disclosed purpose; and

21        (8)   whether the regulated entity collects health data 
22    when the consumer is not directly interacting with the 
23    regulated entity or its services.


24    (b)   A regulated entity shall prominently publish its 
25health data privacy policy on its website homepage. Such 
26health data privacy policy must be distinguishable from other 
 
 
HB3603- 9 -LRB103 29143 CPF 55529 b

1matters.


2    (c)   A regulated entity shall not collect, share, sell, or 
3store additional categories of health data not disclosed in 
4the health data privacy policy without first disclosing the 
5additional categories of health data and obtaining the 
6consumer's consent prior to the collection, sharing, selling, 
7or storing of such health data.


8    (d)   A regulated entity shall not collect, share, sell, or 
9store health data for additional purposes not disclosed in the 
10health data privacy policy without first disclosing the 
11additional purposes and obtaining the consumer's affirmative 
12consent prior to the collection, sharing, selling, or storing 
13of such health data.


14    (e)   It is a violation of this Act for a regulated entity to 
15contract with a service provider to process consumer health 
16data in a manner that is inconsistent with the regulated 
17entity's consumer health data privacy policy.

 
18    Section 20. Prohibition on collection, sharing, selling, 
19or storing of health data.

20    (a) A regulated entity shall not collect health data, 
21except:

22        (1)    with the consent of the consumer to whom such 
23    information relates for a specified purpose; or

24        (2)   as is strictly necessary to provide a product or 
25    service that the consumer to whom such health data relates 
 
 
HB3603- 10 -LRB103 29143 CPF 55529 b

1    has specifically requested from such regulated entity.


2    (b) A regulated entity shall not share any health data 
3except:

4        (1)   with consent from the consumer for such sharing 
5    that is separate and distinct from the consent obtained to 
6    collect health data; or

7        (2)   to the extent strictly necessary to provide a 
8    product or service that the consumer to whom such health 
9    data relates has specifically requested from such 
10    regulated entity.


11    (c) A regulated entity shall not sell health data to any 
12third party without entering into a separate written agreement 
13with the consumer to whom such health data relates, in which 
14the consumer expressly consents to and authorizes the 
15regulated entity to sell such health data.


16    (d) A regulated entity shall not store any health data 
17except:

18        (1)   with consent from the consumer for such sharing 
19    that is separate and distinct from the consent obtained to 
20    collect health data; or

21        (2)   to the extent strictly necessary to provide a 
22    product or service that the consumer to whom such health 
23    data relates has specifically requested from such 
24    regulated entity.

 
25    Section 25. Consent required.

 
 
HB3603- 11 -LRB103 29143 CPF 55529 b

1    (a) A regulated entity shall not seek consent to collect, 
2share, sell, or store health data without first disclosing its 
3health data privacy policy as required under Section 15.


4    (b) Consent obtained prior to collection, sharing, 
5selling, or storing. Consent required under this Section must 
6be obtained prior to the collection, sharing, selling, or 
7storing, as applicable, of any health data, and the request 
8for consent must clearly and conspicuously disclose, separate 
9and apart from its health data privacy policy:

10        (1)   the categories of health data collected, sold, 
11    shared, or stored;

12        (2)   the purpose of the collection, selling, sharing, 
13    or storage of the health data, including the specific ways 
14    in which it will be used; and

15        (3)   how the consumer can withdraw consent from future 
16    collection, selling, sharing or storage of their health 
17    data.


18    (c) Consent required under this Section must be obtained 
19prior to the use of any health data for any purpose not 
20specified prior to obtaining a consumer's consent for the use 
21of such health data for any new purpose.


 
22    Section 30. Right to withdraw consent.
A consumer has the 
23right to withdraw consent from the collection and sharing of 
24the consumer's health data.

 
 
 
HB3603- 12 -LRB103 29143 CPF 55529 b

1    Section 35. Prohibition on discrimination.
It shall be 
2unlawful for a regulated entity to discriminate against a 
3consumer solely because they have not provided consent 
4pursuant to this Act, or have exercised any other rights 
5provided by this Act or guaranteed by law. Discrimination 
6includes, but is not limited to:

7        (1)     providing different, or a different level or 
8    quality of, goods or services to the consumer;

9        (2)     denying or limiting goods or services to the 
10    consumer;

11        (3)     imposing additional requirements or restrictions 
12    on the individual that would not be necessary if the 
13    consumer provided their consent;

14        (4)     providing materially different treatment to 
15    consumers who provide consent as compared to consumers who 
16    do not provide consent;

17        (5)     suggesting that the consumer will receive a 
18    different price or rate for goods or services or a 
19    different level or quality of goods or services; or

20        (6)     charging different prices or rates for goods or 
21    services, including through the use of discounts or other 
22    benefits or imposing penalties.

 
23    Section 40. Right to confirm.
A consumer has the right to 
24confirm whether a regulated entity is collecting, selling, 
25sharing, or storing any of the consumer's health data, and to 
 
 
HB3603- 13 -LRB103 29143 CPF 55529 b

1confirm that a regulated entity has deleted the consumer's 
2health data following a deletion request pursuant to Section 
345 of this Act.  A regulated entity that receives a consumer 
4request to confirm shall respond within 30 calendar days from 
5receiving the request to confirm from the consumer. The 
6regulated entity shall, without reasonable delay, promptly 
7take all steps necessary to verify the consumer's request, but 
8this shall not extend the regulated entity's duty to respond 
9within 30 days of receipt of the consumer's request. The time 
10period to provide the required confirmation may be extended 
11once by an additional 30 calendar days when reasonably 
12necessary, provided the consumer is provided notice of the 
13extension within the first 30-day period.

 
14    Section 45. Right to deletion.

15    (a)   A consumer has the right to have the consumer's health 
16data that is collected by a regulated entity deleted by 
17informing the regulated entity of the consumer's request for 
18deletion.


19    (b)   A regulated entity that collects health data about 
20consumers shall disclose the consumer's rights to request the 
21deletion of the consumer's health data.


22    (c)   Except as otherwise specified in subsection (f), a 
23regulated entity that receives a consumer request to delete 
24any of the consumer's health data shall without unreasonable 
25delay, and no more than 30 calendar days from receiving the 
 
 
HB3603- 14 -LRB103 29143 CPF 55529 b

1deletion request:

2        (1)   delete the consumer's health data from its 
3    records, including from all parts of the regulated 
4    entity's network or backup systems; and

5        (2)   notify all service providers, contractors, and 
6    third parties with whom the regulated entity has shared 
7    the consumer's health data of the deletion request.


8    (d)   Any service provider, contractor, and other third 
9party that receives notice of a consumer's deletion request 
10from a Regulated Entity shall honor the consumer's deletion 
11request and delete the health data from the regulated entity's 
12records, including from all parts of its network or backup 
13systems.


14    (e)   A consumer or a consumer's authorized agent may 
15exercise the rights set forth in this Act by submitting a 
16request, at any time, to a regulated entity. Such a request may 
17be made by:

18        (1)   contacting the regulated entity through the manner 
19    included in its health data privacy policy;

20        (2)   by designating an authorized agent who may 
21    exercise the rights on behalf of the consumer;

22        (3)   in the case of collecting health data of a minor, 
23    the minor seeking health services may exercise their 
24    rights under this Act, or the parent or legal guardian of 
25    the minor, may exercise the rights of this Act on the 
26    minor's behalf; or

 
 
HB3603- 15 -LRB103 29143 CPF 55529 b

1        (4)   in the case of collecting health data concerning a 
2    consumer subject to guardianship, conservatorship, or 
3    other protective arrangement under the Probate Act of 
4    1975, the guardian or the conservator of the consumer may 
5    exercise the rights of this Act on the consumer's behalf.


6    (f)   The time period to delete any of the consumer's health 
7data may be extended once by an additional 30 calendar days 
8when reasonably necessary, provided the consumer is provided 
9notice of the extension within the first 30-day period.

 
10    Section 50. Consumer health data security and 
11minimization.

12    (a)   A regulated entity shall restrict access to health 
13data by the employees, service providers, and contractors of 
14such regulated entity to only those employees, services 
15providers, and contractors for which access is necessary to 
16provide a product or service that the consumer to whom such 
17health data relates has requested from such regulated entity.


18    (b)   A regulated entity shall establish, implement, and 
19maintain administrative, technical, and physical data security 
20practices that at least satisfy a reasonable standard of care 
21within the regulated entity's industry to protect the 
22confidentiality, integrity, and accessibility of health data 
23appropriate to the volume and nature of the personal data at 
24issue.

 
 
 
HB3603- 16 -LRB103 29143 CPF 55529 b

1    Section 55. Prohibition on geofencing.

2    (a)   It shall be unlawful for any person to implement a 
3geofence that enables the sending of a notification, message, 
4alert, or other pieces of information to a consumer that 
5enters the perimeter around any entity that provides health 
6services.


7    (b)   It shall be unlawful for any person to implement a 
8geofence around any entity that provides in-person health care 
9services where such geofence is used to identify, track, or 
10collect data from a consumer that enters the virtual 
11perimeter.

 
12    Section 60. Private right of action.
Any person aggrieved 
13by a violation of this Act shall have a right of action in a 
14state circuit court or as a supplemental claim in federal 
15district court against an offending party. A prevailing party 
16may recover for each violation:

17        (1)   against any offending party that negligently 
18    violates a provision of this Act, liquidated damages of 
19    $1,000 or actual damages, whichever is greater;

20        (2)   against any offending party that intentionally or 
21    recklessly violates a provision of this Act, liquidated 
22    damages of $5,000 or actual damages, whichever is greater;

23        (3)   reasonable attorneys' fees and costs, including 
24    expert witness fees and other litigation expenses; and

25        (4)   other relief, including an injunction, as the 
 
 
HB3603- 17 -LRB103 29143 CPF 55529 b

1    State or federal court may deem appropriate.

 
2    Section 65. Enforcement by the Attorney General.
The 
3Attorney General may enforce a violation of this Act as an 
4unlawful practice under the Consumer Fraud and Deceptive 
5Business Practices Act. All rights and remedies provided the 
6Attorney General under the Consumer Fraud and Deceptive 
7Business Practices Act shall be available for enforcement of a 
8violation of this Act.

 
9    Section 70. Conflict with other laws.

10    (a)   Nothing in this Act shall be construed to conflict 
11with the Health Insurance Portability and Accountability Act 
12of 1996.


13    (b)   Nothing in this Act shall be construed to prohibit 
14disclosure as required under the Adult Protective Services 
15Act, the Abused and Neglected Child Reporting Act, the 
16Criminal Code of 2012, and the Disclosure of Offenses Against 
17Children Act.


18    (c)   If any provision of this Act, or the application 
19thereof to any person or circumstance, is held invalid, the 
20remainder of this Act and the application of such provision to 
21other persons not similarly situated or to other circumstances 
22shall not be affected by the invalidation.