104TH GENERAL ASSEMBLY State of Illinois 2025 and 2026 HB3494

Introduced , by Rep. Ann M. Williams

SYNOPSIS AS INTRODUCED: New Act815 ILCS 505/2HHHH new

    Creates the Protect Health Data Privacy Act. Provides that a regulated entity shall disclose and maintain a health data privacy policy that clearly and conspicuously discloses specified information. Sets forth provisions concerning health data privacy policies. Provides that a regulated entity shall not collect, share, or store health data, except in specified circumstances. Provides that it is unlawful for any person to sell or offer to sell health data concerning an individual without first obtaining valid authorization from the individual. Provides that a valid authorization to sell individual health data must contain specified information; a copy of the signed valid authorization must be provided to the individual; and the seller and purchaser of health data must retain a copy of all valid authorizations for sale of health data for 6 years after the date of its signature or the date when it was last in effect, whichever is later. Sets forth provisions concerning the consent required for collection, sharing, and storage of health data. Provides that an individual has the right to withdraw consent from the processing of the individual's health data. Provides that it is unlawful for a regulated entity to engage in discriminatory practices against individuals solely because they have not provided consent to the processing of their health data or have exercised any other rights provided by the provisions or guaranteed by law. Sets forth provisions concerning an individual's right to confirm whether a regulated entity is collecting, selling, sharing, or storing any of the individual's health data; an individual's right to have the individual's health data that is collected by a regulated entity deleted; prohibitions regarding geofencing; and individual health data security. Provides that any person aggrieved by a violation of the provisions shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party. Provides that the Attorney General may enforce a violation of the provisions as an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act. Defines terms. Makes a conforming change in the Consumer Fraud and Deceptive Business Practices Act. LRB104 11205 BAB 21287 b

A BILL FOR

HB3494LRB104 11205 BAB 21287 b 1    AN ACT concerning regulation. 2    Be it enacted by the People of the State of Illinois, 3represented in the General Assembly: 4    Section 1. Short title. This Act may be cited as the 5Protect Health Data Privacy Act. 6    Section 5. Definitions. As used in this Act: 7    "Affiliate" means a legal entity that shares common 8branding with another legal entity or controls, is controlled 9by or is under common control with another legal entity. For 10the purposes of this definition, "control" and "controlled" 11mean (A) ownership of, or the power to vote, more than 50% of 12the outstanding shares of any class of voting security of a 13company, (B) control in any manner over the election of a 14majority of the directors or of individuals exercising similar 15functions, or (C) the power to exercise controlling influence 16over the management of a company.17    "Collect" means to buy, rent, lease, access, retain, 18receive, or acquire health data in any manner. 19    "Consent" means a clear affirmative act by an individual 20that unambiguously communicates the individual's express, 21freely given, informed, opt-in, voluntary, specific, and 22unambiguous written agreement, including written consent 23provided by electronic means, to the processing of health

HB3494- 2 -LRB104 11205 BAB 21287 b 1data. Consent may not be implied, and consent cannot be 2obtained by: 3        (1) acceptance of a general or broad terms of use 4 agreement or a similar document that contains descriptions 5 of personal data processing along with other, unrelated 6 information; 7        (2) hovering over, muting, pausing, or closing a given 8 piece of digital content; or 9        (3) agreement obtained through the use of deceptive 10 designs. 11    "Deceptive design" means any user interface or element 12thereof that has the substantial effect of subverting, 13impairing, or impeding an individual's autonomy, 14decision-making, or choice. 15    "Deidentified data" means data that cannot be used to 16infer information about, or otherwise be linked to, an 17identified or identifiable individual, or a device linked to 18such individual. A regulated entity that possesses 19deidentified data shall: (i) take reasonable measures to 20ensure that such data cannot be associated with an individual; 21(ii) publicly commit to process such data only in a 22deidentified fashion and not attempt to reidentify such data; 23and (iii) contractually obligate any recipients of such data 24to satisfy the criteria set forth in items (i) and (ii). 25    "Geofence" means technology that uses global positioning 26coordinates, cell tower connectivity, cellular data, radio

HB3494- 3 -LRB104 11205 BAB 21287 b 1frequency identification, wireless Internet data, or any other 2form of spatial or location detection to establish a virtual 3boundary around a specific physical location, or to locate an 4individual within a virtual boundary. For the purposes of this 5Act, "geofence" means a virtual boundary that is no more than 61,750 feet around a specific physical location. 7    "Health data" means information regarding, relating to, 8derived, or extrapolated from the past, present, or future 9physical or mental health of an individual, including, but not 10limited to, any information relating to: 11        (1) individual health conditions, treatment, status, 12 diseases, or diagnoses; 13        (2) health related surgeries or procedures; 14        (3) use or purchase of medication; 15        (4) social, psychological, behavioral, and medical 16 interventions; 17        (5) bodily functions, vital signs, measurements, or 18 symptoms; 19        (6) diagnoses or diagnostic testing, treatment, or 20 medication; 21        (7) efforts to research or obtain health services or 22 supplies; 23        (8) health services or products that support or relate 24 to lawful health care, as defined by Public Act 102-1117; 25        (9) precise location information that could reasonably 26 be used to determine an individual's attempt to acquire or

HB3494- 4 -LRB104 11205 BAB 21287 b 1 receive health services or supplies; and 2        (10) any information described in paragraphs (1) 3 through (9) that is derived or extrapolated from 4 non-health information, including by use of algorithms or 5 machine learning, if such information is used or processed 6 in connection with the advertising, marketing, or 7 provision of health services. 8    "Health data" does not include: 9        (1) personal information collected with the 10 individual's consent that is used in research conducted in 11 accordance with the Federal Policy for the Protection of 12 Human Subjects, also known as the Common Rule, at Part 46 13 of Title 45 of the Code of Federal Regulations; the Good 14 Clinical Practice Guidelines issued by the International 15 Council for Harmonisation of Technical Requirements for 16 Pharmaceuticals for Human Use; or the United States Food 17 and Drug Administration human subjects protection 18 requirements under Parts 50 and 56 of Title 21 of the Code 19 of Federal Regulations and that adheres to all other 20 applicable ethics and privacy laws and is approved, 21 monitored, and governed by an institutional review board, 22 human subjects research ethics review board, or a similar 23 independent oversight entity that determines that the 24 regulated entity has implemented reasonable safeguards to 25 mitigate privacy risks associated with research, including 26 any risks associated with reidentification; or

HB3494- 5 -LRB104 11205 BAB 21287 b 1        (2) deidentified data. 2    "Health services" means any service, medical care, or 3information related to an individual's health data provided to 4an individual. 5    "HIPAA" means the Health Insurance Portability and 6Accountability Act of 1996, Public Law 104-191, the Health 7Information Technology for Economic and Clinical Health Act, 8and any subsequent amendments thereto and any regulations 9promulgated thereunder, including the Privacy Rule, as 10specified in 45 CFR 164.500-534, the Security Rule, as 11specified in 45 CFR 164.302-318, and the Breach Notification 12rule, as specified in 45 CFR 164.400-414. 13    "Homepage" means the introductory page of a website where 14personal information is collected. In the case of an online 15service, such as a mobile application, "homepage" means the 16application's platform page or download page, such as from the 17application configuration, "About" page, "Information" page, 18or settings page, and any other location that allows 19individuals to review the notice. 20    "Individual" means a person who is a resident of this 21State, however identified, including by any unique identifier. 22A person located in this State when the person's health data is 23collected by a regulated entity shall create a presumption 24that the person is a resident of this State for purposes of 25enforcing this Act. "Individual" does not include a person 26acting in a commercial or within an employment context.

HB3494- 6 -LRB104 11205 BAB 21287 b 1    "Personal information" means information that identifies, 2relates to, describes, is reasonably capable of being 3associated with, or linked, directly or indirectly, with a 4particular individual or household. "Personal information" 5does not include publicly available information or 6deidentified data. 7    "Precise location information" means information that 8identifies the location of an individual within a radius of 91,750 feet. "Precise location information" does not include: 10(i) the content of communications, or (ii) any data generated 11by or connected to advanced utility metering infrastructure 12systems or equipment for use by a utility. 13    "Process" or "Processing" means any operation or set of 14operations performed, whether by manual or automated means, on 15personal information or on sets of personal information, 16whether alone or in combination with other data, such as the 17collection, use, access, sharing, sale, monetization, 18analysis, retention, creation, generation, derivation, 19recording, organization, structuring, storage, disclosure, 20transmission, disposal, licensing, destruction, deletion, 21retrieval, modification, or deidentification of health data.22    "Processor" means a person or legal entity that processes 23health data on behalf of a regulated entity pursuant to a 24written agreement or contract.25    "Publicly available" means information that is lawfully 26made available from federal, State, or local government

HB3494- 7 -LRB104 11205 BAB 21287 b 1records. 2    "Regulated entity" means any individual, partnership, 3corporation, limited liability company, association, or other 4group, however organized, that: (i) conducts business in this 5State or produces products or services that are available to 6individuals in this State; and (ii) for any purpose, processes 7or otherwise deals with health data. "Regulated entity" does 8not include government agencies, including the Illinois 9Insurance Guaranty Fund as described under Article XXXIV of 10the Illinois Insurance Code, tribal nations, a clerk of the 11court, or a judge or justice thereof, or contracted service 12providers or processors when processing an individual's health 13data on behalf of the governmental agency. "Regulated entity" 14does not include any entity that is a covered entity or a 15business associate, as defined in Section 160.103 of Title 45 16of the Code of Federal Regulations, subject to and in 17substantial compliance with HIPAA to the extent such entity is 18acting as a covered entity or business associate under the 19Privacy and Security rules issued by the United States 20Department of Health and Human Services, Parts 160 and 164 of 21Title 45 of the Code of Federal Regulations. "Regulated 22entity" does not include any entity that is subject to and in 23compliance with restrictions on disclosure of records under 24Section 543 of the Public Health Service Act, 42 U.S.C. 25290dd2, to the extent such entity is acting in a capacity 26subject to such restrictions.

HB3494- 8 -LRB104 11205 BAB 21287 b 1    "Sell" or "sale" means when a regulated entity, directly 2or indirectly, receives any form of remuneration or other 3valuable consideration from the use of health data or from the 4recipient of the health data in exchange for the health data. 5"Sell" or "sale" does not include: 6        (1) the sharing of health data to a recipient where 7 the regulated entity maintains control and ownership of 8 the health data; 9        (2) the sharing of health data to comply with 10 applicable laws or regulations; 11        (3) the use of the health data by an entity 12 exclusively at the direction of the regulated entity and 13 consistent with the purpose for which it was collected and 14 disclosed; and 15        (4) the transfer of health data to a third party as an 16 asset as part of a merger, acquisition, bankruptcy, or 17 other transaction in which the third party assumes control 18 of all or part of the regulated entity's assets that shall 19 comply with the requirements and obligations in this Act. 20    "Share" or "sharing" means to release, disclose, 21disseminate, divulge, loan, make available, provide access to, 22license, or otherwise communicate orally, in writing, or by 23electronic or other means, health data by a regulated entity 24to a third party except where the regulated entity maintains 25exclusive control and ownership of the health data. "Share" or 26"sharing" does not include:

HB3494- 9 -LRB104 11205 BAB 21287 b 1        (1) the disclosure or transfer of health data to a 2 processor that collects or processes the personal data on 3 behalf of the regulated entity, when the regulated entity 4 maintains control and ownership of the data and the 5 processor maintains or uses the health data only for the 6 regulated entity's distinct purposes pursuant to a 7 contract; 8        (2) the disclosure or transfer of health data to a 9 third party with whom the individual has a direct 10 relationship for purposes of and only to the extent 11 necessary for providing a product or service requested by 12 the individual when the regulated entity maintains control 13 and ownership of the data and the third party maintains or 14 uses the health data only for the regulated entity's 15 distinct purposes; or 16        (3) the disclosure or transfer of personal data to a 17 third party as an asset that is part of a merger, 18 acquisition, bankruptcy, or other transaction in which the 19 third party assumes control of all or part of the 20 regulated entity's assets and shall comply with the 21 requirements and obligations in this Act. 22    "Strictly necessary" means essential or required to be 23done. 24    "Substantial compliance" means a level of compliance with 25Title 45 of the Code of Federal Regulations Sections 164.502, 26164.508, 164.510, 164.512, 164.514, 164.520, 164.522, 164.524,

HB3494- 10 -LRB104 11205 BAB 21287 b 1164.526, 164.528, and 164.530 that does not arise from gross 2negligence, recklessness, or willful misconduct by the entity 3acting as a covered entity or business associate.4    "Third party" means an entity other than an individual, 5regulated entity, service provider, or affiliate of the 6regulated entity. 7    Section 10. Scope. 8    (a) This Act applies to individuals seeking, researching, 9or obtaining health services within this State, or information 10about health services available in this State and regulated 11entities. 12    (b) This Act does not affect an individual's right to 13voluntarily share the individual's own health information with 14another person or entity. 15    Section 15. Health data privacy policy required. 16    (a) A regulated entity shall disclose and maintain a 17health data privacy policy that, in plain language, clearly 18and conspicuously includes and discloses: 19        (1) the specific types of health data collected and 20 the purpose for which the data is collected and used; 21        (2) the categories of sources from which the health 22 data is collected; 23        (3) whether the regulated entity collects health data 24 when the individual is not directly interacting with the

HB3494- 11 -LRB104 11205 BAB 21287 b 1 regulated entity or its services. 2        (4) the specific types of health data that are shared 3 and sold; 4        (5) the categories of third parties with whom the 5 regulated entity sells and processes health data, and the 6 process to withdraw consent from having health data 7 processed and sold; 8        (6) a list of the third parties with whom the 9 regulated entity shares health data; 10        (7) the length of time the regulated entity intends to 11 retain each category of health data, or if that is not 12 possible, the criteria used to determine that period; 13 however, a regulated entity shall not retain health data 14 for each disclosed purpose for which the health data was 15 collected for longer than is reasonably necessary to 16 fulfill that disclosed purpose or as otherwise permitted 17 by this Act;18        (8) how an individual may exercise the rights provided 19 in this Act, including, but not limited to, identifying 2 20 or more designated methods for an individual to contact 21 the regulated entity in connection with the exercise of 22 any rights provided in this Act; 23        (9) the process to opt out of having health data 24 collected; and25        (10) an active electronic mail address or other online 26 mechanism that the individual may use to contact the

HB3494- 12 -LRB104 11205 BAB 21287 b 1 regulated entities free of charge.2    (b) A regulated entity shall prominently publish or link 3to its health data privacy policy on its website homepage, 4mobile application, or in another manner that is clear and 5conspicuous to individuals. Its health data privacy policy 6must be distinguishable from other matters. Any regulated 7entity providing health services in a physical location shall 8also post its health data privacy policy in a conspicuous 9place that is readily available for viewing by individuals. 10    (c) A regulated entity shall not process or sell 11additional categories of health data not disclosed in the 12health data privacy policy without first disclosing the 13additional categories of health data and obtaining the 14individual's consent before the processing or selling of the 15health data. 16    (d) A regulated entity shall not process or sell health 17data for additional purposes not disclosed in the health data 18privacy policy without first disclosing the additional 19purposes and obtaining the individual's consent before the 20processing or selling of the health data. 21    (e) It is a violation of this Act for a regulated entity to 22contract with a processor to process an individual's health 23data in a manner that is inconsistent with the regulated 24entity's health data privacy policy. 25    Section 20. Prohibition on processing of health data.

HB3494- 13 -LRB104 11205 BAB 21287 b 1    (a) A regulated entity shall not process health data, 2except: 3        (1) with the consent of the individual to whom the 4 information relates for a specified purpose; or 5        (2) as is strictly necessary to provide a product or 6 service that the individual to whom the health data 7 relates has specifically requested from the regulated 8 entity. 9    (b) Consent required under this Section must be obtained 10before the use of any health data for any additional purpose 11that was not specified before obtaining an individual's 12consent for the use of the health data. 13    Section 25. Prohibition on sale of health data. 14    (a) It is unlawful for any person to sell or offer to sell 15health data concerning an individual without first obtaining 16valid authorization from the individual. The sale of 17individual health data must be consistent with the valid 18authorization signed by the individual. 19    (b) A valid authorization to sell an individual's health 20data is an agreement consistent with this Section and must be 21written in plain language. The valid authorization to sell the 22individual's health data must contain the following: 23        (1) the specific health data concerning the individual 24 that the person intends to sell; 25        (2) the name and contact information of any person or

HB3494- 14 -LRB104 11205 BAB 21287 b 1 entity collecting and selling the health data; 2        (3) the name and contact information of any person or 3 entity purchasing the health data from the seller 4 identified in paragraph (2) of this subsection; 5        (4) a description of the purpose for the sale, 6 including how the health data will be gathered and how it 7 will be used by the purchaser identified in paragraph (3) 8 of this subsection when sold; 9        (5) a statement that the provision of goods or 10 services may not be conditioned on the individual signing 11 the valid authorization; 12        (6) a statement that the individual has a right to 13 revoke the valid authorization at any time and a 14 description on how an individual may revoke the valid 15 authorization; 16        (7) a statement that the individual health data sold 17 pursuant to the valid authorization may be subject to 18 redisclosure by the purchaser and may no longer be 19 protected by this Section; 20        (8) an expiration date for the valid authorization 21 that expires one year from when the individual signs the 22 valid authorization; and 23        (9) the signature of the individual and date. 24    (c) An authorization is not valid if the document has any 25of the following defects: 26        (1) the expiration date has passed;

HB3494- 15 -LRB104 11205 BAB 21287 b 1        (2) the authorization does not contain all the 2 information required under this Section; 3        (3) the authorization has been revoked by the 4 individual; 5        (4) the authorization has been combined with other 6 documents to create a compound authorization; or 7        (5) the provision of goods or services is conditioned 8 on the individual signing the authorization. 9    (d) A copy of the signed valid authorization must be 10provided to the individual. 11    (e) The seller and purchaser of health data must retain a 12copy of all valid authorizations for sale of health data for 6 13years after the date of its signature or the date when it was 14last in effect, whichever is later. 15    Section 30. Consent required for processing health data. 16    (a) A regulated entity shall not seek consent to process 17health data without first disclosing its health data privacy 18policy as required under Section 15. 19    (b) Consent required under this Section must be obtained 20before the processing, as applicable, of any health data, and 21the request for consent must clearly and conspicuously 22disclose, separate and apart from its health data privacy 23policy: 24        (1) the categories of health data processed; 25        (2) the purpose of the processing of the health data,

HB3494- 16 -LRB104 11205 BAB 21287 b 1 including the specific ways in which it will be used; and 2        (3) how the individual can withdraw consent from 3 future processing of their health data. 4    (c) Consent required under this Section must be obtained 5before the use of any health data for any additional purpose 6that was not specified before obtaining an individual's 7consent for the use of the health data. 8    (d) An individual may exercise rights under this Section 9by submitting a request to a regulated entity using the method 10the regulated entity specifies in the privacy policy under 11paragraph (8) of subsection (a) of Section 15. 12    Section 35. Right to withdraw consent. An individual has 13the right to withdraw consent from the sale or processing of 14the individual's health data, consistent with the requirements 15of Section 30. 16    Section 40. Prohibition on discriminatory practices. 17    (a) It is unlawful for a regulated entity to engage in 18discriminatory practices against an individual solely because 19the individual has not provided consent to the sale or 20processing of the individual's health data pursuant to this 21Act, or have exercised any other rights provided by this Act or 22guaranteed by law. Discriminatory practices include, but are 23not limited to: 24        (1) denying or limiting goods or services to the

HB3494- 17 -LRB104 11205 BAB 21287 b 1 individual; 2        (2) imposing additional requirements or restrictions 3 on the individual that would not be necessary if the 4 individual provided consent; 5        (3) providing materially different treatment to 6 individuals who provide consent as compared to individuals 7 who do not provide consent; 8        (4) providing or suggesting that the individual will 9 receive a lower level or quality of goods or services; 10        (5) suggesting that the individual will receive a 11 different price or rate for goods or services; or 12        (6) charging different prices or rates for goods or 13 services, including using discounts or other benefits or 14 imposing penalties. 15    (b) It shall not be a discriminatory practice under this 16Section to use health data as is strictly necessary to provide 17a product or service that the individual to whom the health 18data relates has specifically requested from a regulated 19entity. 20    Section 45. Right to confirm.     (a) An individual has 21the right to confirm whether a regulated entity is collecting, 22selling, sharing, or storing any of the individual's health 23data, and to confirm that a regulated entity has deleted the 24individual's health data following a deletion request pursuant 25to Section 50.

HB3494- 18 -LRB104 11205 BAB 21287 b 1    (b) A regulated entity that receives an individual's 2request to confirm shall respond within 45 calendar days after 3receiving the request to confirm from the individual.4    (c) The regulated entity shall, without reasonable delay, 5promptly take all steps necessary to verify the individual's 6request, but this shall not extend the regulated entity's duty 7to respond within 45 days of receipt of the individual's 8request.9    (d) The time period to provide the required confirmation 10may be extended once by an additional 45 calendar days when 11reasonably necessary, if the individual is provided notice of 12the extension within the first 45-day period. 13    Section 50. Right to deletion. 14    (a) An individual whose health data is collected by a 15regulated entity has the right to have the individual's health 16data that is collected by a regulated entity deleted by 17informing the regulated entity of the individual's request for 18deletion, except as provided in subsection (g). 19    (b) Except as otherwise specified in subsection (f), a 20regulated entity that receives an individual's request to 21delete any of the individual's health data shall without 22unreasonable delay, and no more than 45 calendar days from 23receiving the deletion request: 24        (1) delete the individual's health data from its 25 records, including from all parts of the regulated

HB3494- 19 -LRB104 11205 BAB 21287 b 1 entity's network; and 2        (2) notify all service providers, contractors, and 3 third parties with whom the regulated entity has shared 4 the individual's health data of the deletion request. 5    (c) If a regulated entity stores any health data on 6archived or backup systems, it may delay compliance with the 7individual's request to delete with respect to the health data 8stored on the archived or backup system until the archived or 9backup system relating to that data is restored to an active 10system or is next accessed or used. 11    (d) Any processor, service provider, contractor, and other 12third party that receives notice of an individual's deletion 13request from a regulated entity shall honor the individual's 14deletion request and delete the health data from the regulated 15entity's records, including from all parts of its network or 16backup systems. 17    (e) An individual or an individual's authorized agent may 18exercise the rights set forth in this Act by submitting a 19request, at any time, to a regulated entity. Such a request may 20be made by: 21        (1) contacting the regulated entity through the manner 22 included in its health data privacy policy; 23        (2) by designating an authorized agent who may 24 exercise the rights on behalf of the individual; 25        (3) in the case of collecting health data of a minor, 26 the minor seeking health services may exercise their

HB3494- 20 -LRB104 11205 BAB 21287 b 1 rights under this Act, or the parent or legal guardian of 2 the minor may exercise the rights of this Act on the 3 minor's behalf; or 4        (4) in the case of collecting health data concerning 5 an individual subject to guardianship, conservatorship, or 6 other protective arrangement under the Probate Act of 7 1975, the guardian or the conservator of the individual 8 may exercise the rights of this Act on the individual's 9 behalf. 10    (f) The time period to delete any of the individual's 11health data may be extended once by an additional 45 calendar 12days when reasonably necessary, if the individual is provided 13notice of the extension within the first 45-day period. 14    (g) Neither a regulated entity nor a processor shall be 15required to comply with an individual's request to delete the 16individual's health data if it is necessary for the regulated 17entity or the processor to maintain the individual's health 18data to: 19        (1) complete the transaction for which the health data 20 was collected, provide a good or service requested by the 21 individual, or otherwise fulfill the requirements of an 22 agreement between the regulated entity and the individual; 23        (2) prevent or detect security incidents, protect 24 against malicious, deceptive, fraudulent, or illegal 25 activity, if the use of health data for such purposes is 26 limited in time pursuant to a valid record retention

HB3494- 21 -LRB104 11205 BAB 21287 b 1 schedule; 2        (3) engage in public or peer-reviewed scientific, 3 historical, or statistical research in the public interest 4 that adheres to all other applicable ethics and privacy 5 laws, if the entities' deletion of the information is 6 likely to render impossible or seriously impair the 7 achievement of such research, and if the individual has 8 provided consent to such use of their health data; 9        (4) comply with any applicable data retention 10 requirements in accordance with State and federal law, 11 including the data retention requirements set forth in 12 Section 6 of the Hospital Licensing Act, 45 CFR 164.316, 13 and 45 CFR 164.530; or14        (5) retain the health data if the regulated entity has 15 been notified, in writing by an attorney, that there is 16 litigation pending in court involving the individual's 17 health data as possible evidence and that the individual 18 is the attorney's client or is the person who has 19 instituted the litigation against their client, then the 20 regulated entity shall retain the record of that 21 individual until notified in writing by the plaintiff's 22 attorney, with the approval of the defendant's attorney of 23 record, that the case in court involving the record has 24 been concluded or for a period of 12 years after the date 25 that the record was produced, whichever occurs first in 26 time.

HB3494- 22 -LRB104 11205 BAB 21287 b 1    Section 55. Authentication of identity. 2    (a) A regulated entity that receives an individual's 3request to confirm or delete may take reasonable measures to 4authenticate the individual's identity or an authorized 5agent's identity to a reasonably high degree of certainty. A 6reasonably high degree of certainty may include matching at 7least 3 pieces of personal information provided by the 8individual or the individual's authorized agent with personal 9information maintained by the regulated entity that it has 10determined to be reliable for the purpose of authenticating 11the individual or the individual's authorized agent together 12with a signed declaration under penalty of perjury that the 13individual or the individual's authorized agent making the 14request is the individual or the individual's authorized agent 15whose health data is the subject of the request. If a regulated 16entity uses this method for authentication, the regulated 17entity shall make all forms necessary for authentication of an 18individual's or the individual's authorized agent's identity 19available to the individual or the individual's authorized 20agent, and shall maintain all signed declarations as part of 21its recordkeeping obligations. 22    (b) A regulated entity is not required to comply with an 23individual's or the individual's authorized agent's request to 24confirm or delete if the regulated entity, using commercially 25reasonable efforts, is unable to authenticate the identity of

HB3494- 23 -LRB104 11205 BAB 21287 b 1the individual or the individual's authorized agent making the 2request. If a regulated entity is unable to authenticate the 3individual's or the individual's authorized agent's identity, 4the regulated entity shall inform the individual or the 5individual's authorized agent that it was unable to 6authenticate the individual's or the individual's authorized 7agent's identity and advise the individual or the individual's 8authorized agent of other methods, if available, of 9authenticating their identity. 10    (c) If a regulated entity denies an authenticated 11individual's request to delete that individual's health data, 12in whole or in part, because of a conflict with federal or 13State law, the regulated entity shall inform the requesting 14individual and explain the basis for the denial, unless 15prohibited from doing so by law. 16    (d) Any information provided by an individual or the 17individual's authorized agent to a regulated entity for the 18purpose of authenticating the individual's or the individual's 19authorized agent's identity shall not be used for any purpose 20other than authenticating the individual's identity and shall 21be destroyed immediately following the authentication process. 22    Section 60. Individual health data security and 23minimization. 24    (a) A regulated entity shall restrict access to health 25data by the employees, processors, service providers, and

HB3494- 24 -LRB104 11205 BAB 21287 b 1contractors of the regulated entity to only those employees, 2processors, services providers, and contractors for whom 3access is necessary to provide a product or service that the 4individuals to whom the health data relates have requested 5from the regulated entity. 6    (b) A regulated entity shall establish, implement, and 7maintain administrative, technical, and physical data security 8practices that at least satisfy a reasonable standard of care 9within the regulated entity's industry to protect the 10confidentiality, integrity, and accessibility of health data 11appropriate to the volume and nature of the personal data at 12issue. 13    Section 65. Prohibition on geofencing. 14    (a) It shall be unlawful for any person to implement a 15geofence that enables the sending of notifications, messages, 16alerts, advertisements, or other pieces of information to an 17individual that enters the perimeter around any entity that 18provides health services or products, unless such messages are 19directly related to an individual's appointment in the 20facility or the provision of requested health services or 21products by the regulated entity. 22    (b) It shall be unlawful for any person to implement a 23geofence around any entity that provides in-person health care 24services and products where the geofence is used to: 25        (1) identify or track individuals seeking health care

HB3494- 25 -LRB104 11205 BAB 21287 b 1 services or products or to determine whether the 2 individual is seeking health care services or products; or3        (2) collect data from an individual who enters the 4 virtual perimeter. 5    Section 70. Limits on access to an individual's health 6information by government agencies, officials, and law 7enforcement. 8    (a) A regulated entity shall not disclose an individual's 9health data to a federal, state, or local governmental agency, 10official, or law enforcement agent or agency unless: (1) 11disclosure is requested by the individual to whom the health 12data pertains or (2) the governmental entity or official 13serves the regulated entity with a valid warrant, except as 14prohibited under the laws of this State, including, but not 15limited to, Section 3.5 of the Uniform Interstate Depositions 16and Discovery Act.17    (b) A regulated entity shall not sell, share, allow access 18to, or disclose an individual's health data to any State or 19local jurisdiction for the purpose of investigating or 20enforcing a law that denies or interferes with an individual's 21right to obtain any lawful health care services, as defined by 22the Lawful Health Care Activity Act. 23    Section 75. Private right of action. Any person aggrieved 24by a violation of this Act shall have a right of action in a

HB3494- 26 -LRB104 11205 BAB 21287 b 1State circuit court or as a supplemental claim in federal 2district court against an offending party. A prevailing party 3may recover for each violation: 4        (1) against any offending party that negligently 5 violates a provision of this Act, liquidated damages of 6 $1,000 or actual damages, whichever is greater; 7        (2) against any offending party that intentionally or 8 recklessly violates a provision of this Act, liquidated 9 damages of $5,000 or actual damages, whichever is greater; 10        (3) reasonable attorney's fees and costs, including 11 expert witness fees and other litigation expenses; and 12        (4) other relief, including an injunction, as the 13 State or federal court may deem appropriate. 14    Section 80. Enforcement by the Attorney General. The 15Attorney General may enforce a violation of this Act as an 16unlawful practice under the Consumer Fraud and Deceptive 17Business Practices Act. All rights and remedies provided to 18the Attorney General under the Consumer Fraud and Deceptive 19Business Practices Act shall be available for enforcement of a 20violation of this Act. 21    Section 85. Conflict with other laws. 22    (a) Nothing in this Act shall be construed to prohibit the 23lawful and authorized disclosure of health data by regulated 24entities to local health departments or State government

HB3494- 27 -LRB104 11205 BAB 21287 b 1agencies or by or among local health departments and State 2government agencies as may be required by State and federal 3law, including under the Adult Protective Services Act, the 4Abused and Neglected Child Reporting Act, the Criminal Code of 52012, and the Disclosure of Offenses Against Children Act. 6    (b) If any provision of this Act, or the application 7thereof to any person or circumstance, is held invalid, the 8remainder of this Act and the application of such provision to 9other persons not similarly situated or to other circumstances 10shall not be affected by the invalidation. 11    (c) This Act shall not apply to:12        (1) personal information collected, processed, sold, 13 or disclosed subject to the federal Gramm-Leach-Bliley 14 Act, Public Law 106-102, and implementing regulations; and15        (2) entities subject to, and in compliance with, the 16 Insurance Information and Privacy Protection Act, the 17 Insurance Data Security Law in the Illinois Insurance 18 Code, and any corresponding privacy protection rules 19 adopted by the Director of Insurance.20    (d) This Act shall not be construed to conflict with, or 21limit the application of, any of the following laws, rules, or 22regulations governing the sharing, collection, processing, or 23disclosure of personal information or health data: the Medical 24Patient Rights Act; the Hospital Licensing Act; Sections 2, 4, 255, 6, 7, 8, 9, 9.3, 9.8, and 11 the Mental Health and 26Developmental Disabilities Confidentiality Act; subsections

HB3494- 28 -LRB104 11205 BAB 21287 b 1(c) through (f) of Section 10 of the Mental Health and 2Developmental Disabilities Confidentiality Act; and Sections 38-2001 and 8-2001.5 of the Code of Civil Procedure.4    (e) In the event of a conflict between the provisions of 5this Act and any other law, rule, or regulation listed in 6subsections (c) and (d), the law, rule, or regulation that 7provides the greater right, benefit, or protection to 8individuals shall apply. Nothing in this Act shall be 9construed to diminish or limit any rights, benefits, or 10protections afforded under the laws, rules, or regulations 11referenced in subsections (c) and (d). 12    Section 97. Severability. The provisions of this Act are 13severable under Section 1.31 of the Statute on Statutes. 14    Section 100. The Consumer Fraud and Deceptive Business 15Practices Act is amended by adding Section 2HHHH as follows: 16    (815 ILCS 505/2HHHH new)17    Sec. 2HHHH. Violations of the Protect Health Data Privacy 18Act. Any person who violates the Protect Health Data Privacy 19Act commits an unlawful practice within the meaning of this 20Act.