HB3603: Protect Health Data Privacy Act

• Requires regulated entities to disclose and maintain a health data privacy policy in plain language, prominently published on their website homepage, listing specific types of health data collected, purposes, sources, sharing practices, and data retention periods.

• Prohibits collection, sharing, selling, or storage of health data without prior express written consent from consumers, with separate consent required for each action; prohibits collection of additional data categories or purposes not disclosed in the privacy policy without new consumer consent.

• Grants consumers rights to withdraw consent, request confirmation of data collection, and request deletion of their health data within 30 days; requires regulated entities to notify all third parties of deletion requests.

• Prohibits discrimination against consumers who refuse to provide consent or exercise privacy rights, including denying services, charging different prices, or imposing additional requirements based on consent status.

• Establishes private right of action with liquidated damages of $1,000 for negligent violations or $5,000 for intentional/reckless violations, plus attorneys' fees and costs; authorizes Attorney General enforcement as unlawful practice under Consumer Fraud and Deceptive Business Practices Act.

• Bans geofencing technology around health service providers that would send notifications to consumers or track/identify individuals entering the perimeter.