2. "DEACTIVATION" MEANS A USER'S DELETION, REMOVAL, OR OTHER ACTION MADE TO TERMINATE HIS OR HER USE OF AN ELECTRONIC HEALTH PRODUCT OR SERVICE.
3. "ELECTRONIC HEALTH PRODUCT OR SERVICE" MEANS ANY SOFTWARE OR HARDWARE, INCLUDING A MOBILE APPLICATION, WEBSITE, OR OTHER RELATED PRODUCT OR SERVICE, THAT IS DESIGNED TO MAINTAIN PERSONAL HEALTH INFORMATION, DESIGNED TO DIAGNOSE OR DESIGNED TO INFER A MEDICAL DIAGNOSIS, IN ORDER TO MAKE SUCH PERSONAL HEALTH INFORMATION AVAILABLE TO A USER OR TO A HEALTH CARE PROVIDER AT THE REQUEST OF SUCH USER OR HEALTH CARE PROVIDER, FOR THE PURPOSES OF ALLOWING SUCH USER TO MANAGE HIS OR HER INFORMATION, OR FOR THE DIAGNOSIS, INFERRED DIAGNOSIS, TREATMENT, OR MANAGEMENT OF A MEDICAL CONDITION.
4. "HEALTH CARE PROVIDER" MEANS:
(A) A HOSPITAL AS DEFINED IN ARTICLE TWENTY-EIGHT OF THE PUBLIC HEALTH LAW, A HOME CARE SERVICES AGENCY AS DEFINED IN ARTICLE THIRTY-SIX OF THE PUBLIC HEALTH LAW, A HOSPICE AS DEFINED IN ARTICLE FORTY OF THE PUBLIC HEALTH LAW, A HEALTH MAINTENANCE ORGANIZATION AS DEFINED IN ARTICLE FORTY-FOUR OF THE PUBLIC HEALTH LAW, OR A SHARED HEALTH FACILITY AS DEFINED IN ARTICLE FORTY-SEVEN OF THE PUBLIC HEALTH LAW; OR
(B) A PERSON LICENSED UNDER ARTICLE ONE HUNDRED THIRTY-ONE, ONE HUNDRED THIRTY-ONE-B, ONE HUNDRED THIRTY-TWO, ONE HUNDRED THIRTY-THREE, ONE HUNDRED THIRTY-SIX, ONE HUNDRED THIRTY-NINE, ONE HUNDRED FORTY-ONE, ONE HUNDRED FORTY-THREE, ONE HUNDRED FORTY-FOUR, ONE HUNDRED FIFTY-THREE, ONE HUNDRED FIFTY-FOUR, ONE HUNDRED FIFTY-SIX OR ONE HUNDRED FIFTY-NINE OF THE EDUCATION LAW.
5. "PERSONAL HEALTH INFORMATION" MEANS ANY INDIVIDUALLY IDENTIFIABLE INFORMATION ABOUT AN INDIVIDUAL'S MENTAL OR PHYSICAL CONDITION PROVIDED BY SUCH INDIVIDUAL, OR OTHERWISE GAINED FROM MONITORING SUCH INDIVIDUAL'S MENTAL OR PHYSICAL CONDITION.
6. "USER" MEANS AN INDIVIDUAL WHO HAS DOWNLOADED OR USES AN ELECTRONIC HEALTH PRODUCT OR SERVICE.
7. "CONSUMER DATA" MEANS ANY INFORMATION THAT IDENTIFIES, RELATES TO, DESCRIBES, IS CAPABLE OF BEING ASSOCIATED WITH, OR COULD REASONABLY BE LINKED, EITHER DIRECTLY OR INDIRECTLY, WITH A PARTICULAR CONSUMER REGARDLESS IF SUCH DATA CAN BE DERIVED BY THE CONSUMER, HOUSEHOLD, OR CONSUMER DEVICE OR DERIVED FROM OTHER SOURCES SUCH AS AN INTERNET PROTOCOL ADDRESS.
8. "DATA PROCESSING" MEANS THE COLLECTION, USE, DISCLOSURE, RETENTION, OR PROCESSING OF PERSONAL HEALTH INFORMATION OR OTHER DATA.
9. "COVERED ORGANIZATION" MEANS AN ENTITY, INCLUDING A DATA BROKER, THAT OFFERS AN ELECTRONIC HEALTH PRODUCT OR SERVICE THAT IS SUBJECT TO THE PROVISIONS OF THIS ARTICLE.
10. "DATA BROKER" MEANS A PERSON OR ENTITY THAT COLLECTS, BUYS, LICENSES, OR INFERS DATA ABOUT INDIVIDUALS AND THEN SELLS, LICENSES, OR TRADES THAT DATA.
11. "DIGITAL ADVERTISER" MEANS ANY PERSON, CORPORATION, PARTNERSHIP OR ASSOCIATION THAT DELIVERS DIGITAL ADVERTISEMENTS BY ELECTRONIC MEANS.
12. "DIGITAL ADVERTISEMENT" SHALL INCLUDE ANY COMMUNICATION DELIVERED BY ELECTRONIC MEANS THAT IS INTENDED TO BE USED FOR THE PURPOSES OF MARKETING, SOLICITATION, OR DISSEMINATION OF INFORMATION RELATED, DIRECTLY OR INDIRECTLY, TO GOODS OR SERVICES PROVIDED BY THE DIGITAL ADVERTISER OR A THIRD PARTY.
S. 158 3
13. "GEOFENCING" MEANS A TECHNOLOGY THAT USES GLOBAL POSITIONING SYSTEM COORDINATES, CELL TOWER CONNECTIVITY, CELLULAR DATA, RADIO FREQUENCY IDENTIFICATION, WI-FI DATA AND/OR ANY OTHER FORM OF LOCATION DETECTION, TO ESTABLISH A VIRTUAL BOUNDARY OR "GEOFENCE" AROUND A PARTICULAR LOCATION THAT ALLOWS A DIGITAL ADVERTISER TO TRACK THE LOCATION OF AN INDIVIDUAL USER AND ELECTRONICALLY DELIVER TARGETED DIGITAL ADVERTISEMENTS DIRECTLY TO SUCH USER'S MOBILE DEVICE UPON SUCH USER'S ENTRY INTO THE GEOFENCED AREA.
§ 1101. ELECTRONIC HEALTH PRODUCTS AND SERVICES; PRIVACY. 1. (A) IT SHALL BE UNLAWFUL FOR A COVERED ORGANIZATION TO ENGAGE IN DATA PROCESSING, GEOFENCING, OR DATA BROKERING UNLESS:
(I) THE USER TO WHOM THE INFORMATION OR DATA PERTAINS HAS GIVEN AFFIRMATIVE EXPRESS CONSENT TO SUCH DATA PROCESSING AND IF SUCH COVERED ORGANIZATION WILL BROKER USER DATA, THE USER MUST ALSO GIVE SEPARATE AFFIRMATIVE CONSENT TO SUCH DATA BROKERING; AND
(II) SUCH DATA PROCESSING, GEOFENCING OR DATA BROKERING, IS STRICTLY NECESSARY AND FOR THE PURPOSE OF:
(A) PROTECTING AGAINST MALICIOUS, FRAUDULENT, OR ILLEGAL ACTIVITY;
(B) DETECTING, RESPONDING TO, OR PREVENTING SECURITY INCIDENTS OR THREATS; OR
(C) COMPLYING WITH A COURT ORDER ISSUED TO THE COVERED ORGANIZATION.
(B) THE GENERAL NATURE OF ANY DATA PROCESSING OR DATA BROKERING SHALL BE CONVEYED BY THE COVERED ORGANIZATION IN CLEAR AND PROMINENT TERMS IN SUCH A WAY THAT AN ORDINARY CONSUMER WOULD NOTICE AND UNDERSTAND SUCH TERMS.
(C) A USER MAY CONSENT TO DATA PROCESSING OR DATA BROKERING ON BEHALF OF HIS OR HER DEPENDENT MINORS.
(D) A COVERED ORGANIZATION SHALL PROVIDE AN EFFECTIVE MECHANISM FOR A USER TO REVOKE THEIR CONSENT AFTER IT IS GIVEN. AFTER A USER REVOKES THEIR CONSENT, THE COVERED ORGANIZATION SHALL CEASE ALL DATA PROCESSING AND DATA BROKERING OF SUCH USER'S PERSONAL HEALTH INFORMATION OR OTHER DATA AS SOON AS PRACTICABLE, BUT NOT LATER THAN FIFTEEN DAYS AFTER SUCH USER REVOKES SUCH CONSENT.
2. IN ORDER TO OBTAIN CONSENT IN COMPLIANCE WITH SUBDIVISION ONE OF THIS SECTION, A COVERED ORGANIZATION OFFERING AN ELECTRONIC HEALTH PRODUCT OR SERVICE SHALL:
(A) DISCLOSE TO THE USER ALL DATA, PERSONAL HEALTH INFORMATION, LOCATION DATA, AND OTHER PERSONAL DATA SUCH ELECTRONIC HEALTH PRODUCT OR SERVICE WILL COLLECT FROM THE USER UPON OBTAINING CONSENT;
(B) DISCLOSE TO THE USER ALL THIRD PARTIES WITH WHOM SUCH USER'S PERSONAL HEALTH INFORMATION OR OTHER PERSONAL DATA MAY BE SHARED BY THE ELECTRONIC HEALTH PRODUCT OR SERVICE UPON OBTAINING CONSENT;
(C) DISCLOSE TO THE USER THE PURPOSE FOR COLLECTING ANY PERSONAL HEALTH INFORMATION OR OTHER PERSONAL DATA; AND
(D) ALLOW THE USER TO WITHDRAW CONSENT AT ANY TIME.
3. NO ELECTRONIC HEALTH PRODUCT OR SERVICE SHALL COLLECT ANY PERSONAL HEALTH INFORMATION OR OTHER PERSONAL DATA BEYOND WHICH A USER HAS SPECIFICALLY CONSENTED TO SHARE WITH SUCH ELECTRONIC HEALTH PRODUCT OR SERVICE UNDER SUBDIVISION ONE OF THIS SECTION.
4. (A) AN ELECTRONIC HEALTH PRODUCT OR SERVICE SHALL DELETE OR OTHERWISE DESTROY ANY PERSONAL HEALTH INFORMATION OR OTHER PERSONAL DATA COLLECTED FROM A USER IMMEDIATELY UPON SUCH USER'S REQUEST, WITHDRAWAL OF CONSENT; OR UPON SUCH USER'S DEACTIVATION OF HIS OR HER ACCOUNT.
(B) A COVERED ORGANIZATION THAT COLLECTS A USER'S PERSONAL HEALTH INFORMATION OR OTHER DATA SHALL LIMIT ITS COLLECTION AND SHARING OF THAT INFORMATION WITH THIRD PARTIES TO WHAT IS STRICTLY NECESSARY TO PROVIDE A SERVICE OR CONDUCT AN ACTIVITY THAT A USER HAS REQUESTED OR IS STRICTLY NECESSARY FOR SECURITY OR FRAUD PREVENTION.
(C) A COVERED ORGANIZATION THAT COLLECTS A USER'S PERSONAL HEALTH INFORMATION OR OTHER DATA SHALL LIMIT ITS USE AND RETENTION OF SUCH INFORMATION TO WHAT IS REASONABLY NECESSARY TO PROVIDE A SERVICE OR CONDUCT AN ACTIVITY THAT A USER HAS REQUESTED OR A RELATED OPERATIONAL PURPOSE, PROVIDED THAT INFORMATION COLLECTED OR RETAINED SOLELY FOR SECURITY OR FRAUD PREVENTION MAY NOT BE USED FOR OPERATIONAL PURPOSES.
5. A COVERED ORGANIZATION SHALL NOT DISCRIMINATE AGAINST A USER BECAUSE THE USER EXERCISED ANY OF THE USER'S RIGHTS UNDER THIS TITLE, OR DID NOT AGREE TO INFORMATION PROCESSING FOR A SEPARATE PRODUCT OR SERVICE, INCLUDING, BUT NOT LIMITED TO, BY:
(A) DENYING GOODS OR SERVICES TO THE USER.
(B) CHARGING DIFFERENT PRICES OR RATES FOR GOODS OR SERVICES, INCLUDING THROUGH THE USE OF DISCOUNTS OR OTHER BENEFITS OR IMPOSING PENALTIES.
(C) PROVIDING A DIFFERENT LEVEL OR QUALITY OF GOODS OR SERVICES TO THE USER.
(D) SUGGESTING THAT THE CONSUMER WILL RECEIVE A DIFFERENT PRICE OR RATE FOR GOODS OR SERVICES OR A DIFFERENT LEVEL OR QUALITY OF GOODS OR SERVICES.
6. A COVERED ORGANIZATION SHALL IMPLEMENT AND MAINTAIN REASONABLE SECURITY PROCEDURES AND PRACTICES, INCLUDING ADMINISTRATIVE, PHYSICAL, AND TECHNICAL SAFEGUARDS, APPROPRIATE TO THE NATURE OF THE INFORMATION AND THE PURPOSES FOR WHICH THE PERSONAL HEALTH INFORMATION OR OTHER DATA WILL BE USED, TO PROTECT CONSUMERS' PERSONAL HEALTH INFORMATION OR OTHER DATA FROM UNAUTHORIZED USE, DISCLOSURE, ACCESS, DESTRUCTION, OR MODIFICATION.
7. (A) IT SHALL BE UNLAWFUL FOR ANY PERSON, CORPORATION, PARTNERSHIP OR ASSOCIATION TO DELIVER BY ELECTRONIC MEANS ANY DIGITAL ADVERTISEMENT TO A USER THROUGH THE USE OF GEOFENCING AT ANY HEALTH CARE FACILITY AS DEFINED IN SUBDIVISION ONE OF THIS SECTION.
(B) IT SHALL BE UNLAWFUL FOR ANY PERSON, CORPORATION, PARTNERSHIP OR ASSOCIATION TO ESTABLISH A GEOFENCE OR SIMILAR VIRTUAL BOUNDARY IN OR AROUND ANY HEALTH CARE FACILITY FOR THE PURPOSE OF DELIVERING BY ELECTRONIC MEANS A DIGITAL ADVERTISEMENT TO A USER WITHIN SUCH HEALTH CARE FACILITY.
§ 1102. PRIVATE RIGHT OF ACTION. 1. ANY PERSON WHO HAS BEEN INJURED BY REASON OF A VIOLATION OF THIS ARTICLE MAY BRING AN ACTION IN HIS OR HER OWN NAME, OR IN THE NAME OF HIS OR HER MINOR CHILD, TO SEEK DECLARATORY RELIEF, TO ENJOIN SUCH UNLAWFUL ACT, TO RECOVER HIS OR HER ACTUAL DAMAGES, TO SEEK STATUTORY DAMAGES AS PROVIDED PURSUANT TO THIS SECTION, OR ANY COMBINATION OF SUCH ACTIONS. ANY VIOLATION OF THIS ARTICLE CONSTITUTES AN INJURY-IN-FACT AND A HARM TO ANY AFFECTED INDIVIDUAL. THE COURT SHALL AWARD REASONABLE ATTORNEY'S FEES TO A PREVAILING PLAINTIFF.
2. ANY COVERED ORGANIZATION THAT VIOLATES THIS ARTICLE IS SUBJECT TO DECLARATORY JUDGMENT, AN INJUNCTION AND LIABLE FOR DAMAGES AND A CIVIL PENALTY. WHEN CALCULATING DAMAGES AND CIVIL PENALTIES, THE COURT SHALL CONSIDER THE NUMBER OF AFFECTED INDIVIDUALS, THE SEVERITY OF THE VIOLATION, AND THE SIZE AND REVENUES OF THE COVERED ORGANIZATION. ADDITIONALLY, STATUTORY DAMAGES SHALL BE AWARDED IN THE AMOUNT OF FIVE HUNDRED DOLLARS PER VIOLATION. EACH INDIVIDUAL WHOSE DATA WAS UNLAWFULLY PROCESSED COUNTS AS A SEPARATE VIOLATION. EACH PROVISION OF THIS ARTICLE THAT WAS VIOLATED COUNTS AS A SEPARATE VIOLATION.
§ 1103. ACTIONS THAT ARE HIPAA COMPLIANT. NOTHING IN THIS ARTICLE SHALL PROHIBIT ANY ACTION TAKEN WITH RESPECT TO THE HEALTH INFORMATION OF AN INDIVIDUAL BY A DATA BROKER THAT IS A BUSINESS ASSOCIATE OR COVERED ORGANIZATION THAT IS PERMISSIBLE UNDER THE FEDERAL REGULATIONS CONCERNING STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION PROMULGATED UNDER SECTION 264(C) OF THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (42 U.S.C. 1320D-2 NOTE).
§ 2. Severability. If any clause, sentence, paragraph, subdivision, section or part of this act shall be adjudged by any court of competent jurisdiction to be invalid, such judgment shall not affect, impair, or invalidate the remainder thereof, but shall be confined in its operation to the clause, sentence, paragraph, subdivision, section or part thereof directly involved in the controversy in which such judgment shall have been rendered. It is hereby declared to be the intent of the legislature that this act would have been enacted even if such invalid provisions had not been included herein.
§ 3. This act shall take effect on the sixtieth day after it shall have become a law.