
IA HF503

A bill for an act relating to consumer data protection, and including retroactive applicability provisions.



Introduced: 02/20/2025
In Committee: 02/20/2025
Crossed Over
Passed
Dead

Introduced Session

91st General Assembly

Bill Summary

This bill relates to consumer data protection. Under Code section 715D.1, “child” is defined as any natural person younger than 13 years of age. Under the bill, “child” is defined as any natural person younger than 18 years of age. The bill expands the definition of “health record” to include, in addition to any record containing related health information, any record containing nonhealth information that is related to health information provided in confidence to a health care provider. The bill expands the definition of “sensitive data” to include health data. “Health data” is defined in the bill.

Under the bill, except as it relates to health data, the Code chapter shall not apply to the state or any political subdivision of the state; financial institutions, affiliates of financial institutions, or data subject to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 et seq.; persons who are subject to and comply with regulations promulgated pursuant to Tit. II, subtit. F, of the federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, and Tit. XIII, subtit. D, of the federal Health Information Technology for Economic and Clinical Health Act of 2009, 42 U.S.C. §17921 - 17954; nonprofit organizations; or institutions of higher education.

The bill exempts information or data maintained by a public health authority, as defined by HIPAA, from the Code chapter provided the public health authority has received the consumer’s authorization, unless otherwise required by HIPAA. The bill also exempts from the Code chapter information used only for public health activities and purposes as authorized by HIPAA, provided that the information is de-identified, aggregated, and processed in batches of no less than 100 consumers.

Under the bill, a consumer shall have the right to request to be notified of, or to opt out of, profiling in furtherance of a decision that produces legal or similarly significant effects concerning a consumer. The bill defines “profiling” as any form of automated processing performed on personal data to evaluate, analyze, or predict specific factors related to the economic status, health, personal preferences, interests, reliability, behavior, location, or movements of an individual. Notification to the consumer shall be in plain language and include the type of data subject to profiling, any requirements for a person receiving the consumer’s data to delete or return the data, and the process for a consumer to file a complaint. “Decision that produces legal or similarly significant effects concerning a consumer” is defined in the bill.

The bill applies retroactively to January 1, 2025.

AI Summary

This bill enhances consumer data protection by expanding several key definitions and rights. It broadens the definition of "child" from under 13 to under 18 years of age, and expands the definition of "health record" to include not just health information but also related confidential non-health information provided to a healthcare provider. The bill introduces new definitions for "health data" and "profiling," which refers to automated processing of personal data to evaluate or predict an individual's characteristics. Importantly, the bill gives consumers the right to be notified about or opt out of profiling that could significantly impact their legal or economic opportunities, such as access to financial services, housing, insurance, education, employment, or healthcare. While the law generally does not apply to certain entities like financial institutions, nonprofit organizations, and higher education institutions, it makes a specific exception for health data. The bill also provides exemptions for public health data under specific conditions, such as being de-identified, aggregated, and processed in batches of at least 100 consumers. Notably, the bill will apply retroactively to January 1, 2025, signaling a proactive approach to data protection and consumer privacy.

Committee Categories

Health and Social Services

Sponsors (1)

Last Action

Introduced, referred to Health and Human Services. H.J. 375. (on 02/20/2025)
