Bill > A6050

Introduced Session

This bill prohibits a health care provider, mobile application developer, or third party from acquiring or disclosing a person's biometric data, health data, or protected health information (collectively hereinafter referred to as "personal health information"), which information is acquired through the use of in-person or telephone communication, a mobile application, an Internet website, or a wearable device, without obtaining the person's consent. The bill requires the health care provider, mobile application developer, or third party to obtain the person's consent before acquiring a person's personal health information and no more than three calendar days before each disclosure of the person's personal health information. After obtaining the consent of the person, a health care provider, mobile application developer, or third party would not be required to obtain a separate and distinct form of consent before each subsequent acquisition of personal health information, provided that the consent obtained from the person has explicitly authorized such acquisition. However, each disclosure of the personal health information would constitute a separate and distinct disclosure, which would require a separate and distinct grant of consent from the person from whom the personal health information was acquired. Under the bill, the term "acquire" means to collect, obtain, generate, or store any information from a person through any means. In contrast, the term "disclose" means to transmit, release, transfer, share, disseminate, distribute, make available, rent, sell, or otherwise communicate any information to a third party. The provisions of this bill would not apply to a health care provider that discloses or acquires the personal health information of a person to or from another health care provider for the purposes of medical treatment or medical diagnosis. Moreover, nothing contained in the bill may be construed to limit, diminish, or abrogate the rights of a person under the "Health Insurance Portability and Accountability Act of 1996," and any regulations promulgated thereunder by the Secretary of the U.S. Department of Health and Human Services (HIPAA) or the obligations of a health care provider or third party under HIPAA. The bill further provides that if a court of competent jurisdiction finds a health care provider, mobile application developer, or third party has violated the provisions of the bill, the court may award damages, computed at a rate of $1,000 per violation, reasonable attorney's fees, and costs incurred in maintaining that civil action; and the private right of action authorized pursuant to this bill does not supplant any other claim or cause of action available to a person under common law or by statute.

AI Summary

Committee Categories

Ellen Park (D)*, 

Introduced, Referred to Assembly Health Committee (on 11/17/2025)

Official Document