IL HB3494
HEALTH DATA PRIVACY ACT



Introduced: 02/07/2025
In Committee: 04/11/2025

Introduced Session

104th General Assembly

Bill Summary

Creates the Protect Health Data Privacy Act. Provides that a regulated entity shall disclose and maintain a health data privacy policy that clearly and conspicuously discloses specified information. Sets forth provisions concerning health data privacy policies. Provides that a regulated entity shall not collect, share, or store health data, except in specified circumstances. Provides that it is unlawful for any person to sell or offer to sell health data concerning an individual without first obtaining valid authorization from the individual. Provides that a valid authorization to sell individual health data must contain specified information; a copy of the signed valid authorization must be provided to the individual; and the seller and purchaser of health data must retain a copy of all valid authorizations for sale of health data for 6 years after the date of its signature or the date when it was last in effect, whichever is later. Sets forth provisions concerning the consent required for collection, sharing, and storage of health data. Provides that an individual has the right to withdraw consent from the processing of the individual's health data. Provides that it is unlawful for a regulated entity to engage in discriminatory practices against individuals solely because they have not provided consent to the processing of their health data or have exercised any other rights provided by the provisions or guaranteed by law. Sets forth provisions concerning an individual's right to confirm whether a regulated entity is collecting, selling, sharing, or storing any of the individual's health data; an individual's right to have the individual's health data that is collected by a regulated entity deleted; prohibitions regarding geofencing; and individual health data security. 
Provides that any person aggrieved by a violation of the provisions shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party. Provides that the Attorney General may enforce a violation of the provisions as an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act. Defines terms. Makes a conforming change in the Consumer Fraud and Deceptive Business Practices Act.

AI Summary

This bill establishes comprehensive protections for individual health data privacy in Illinois, requiring regulated entities to be transparent about their data collection, use, and sharing practices. The bill mandates that companies must obtain explicit, informed consent from individuals before collecting, processing, or selling their health data, and provides individuals with rights to confirm what data is being collected, request deletion of their data, and withdraw consent at any time. Companies are prohibited from using discriminatory practices against individuals who choose not to provide consent, and they must create clear, plain-language privacy policies that detail exactly how health data will be used. The bill also restricts geofencing around health service providers, limits government access to health data, and provides individuals with a private right of action to sue for violations, with potential damages ranging from $1,000 to $5,000 per violation, depending on whether the breach was negligent or intentional. The Attorney General is empowered to enforce the law, and the bill includes numerous exceptions and protections to ensure it does not conflict with existing healthcare privacy laws like HIPAA.

Committee Categories

Justice

Sponsors (13)

Last Action

Remove Chief Co-Sponsor Rep. Maurice A. West, II (on 03/03/2026)
