HB4093 - Protect Health Data Privacy Act

• Creates comprehensive health data privacy protections requiring regulated entities to disclose privacy policies, obtain explicit consumer consent before collecting/sharing/storing health data, and limiting collection to consent-based or service-necessary purposes.

• Prohibits sale of health data without valid written authorization containing specific information (seller/purchaser identity, purpose, data types, consumer rights), with authorizations expiring one year from signature and sellers/purchasers retaining copies for 6 years.

• Grants consumers rights to withdraw consent, request confirmation of data collection/deletion, and have health data deleted within 45 days (extendable 30 days), with exceptions for legal obligations, security incidents, and approved research.

• Bans discriminatory practices against consumers who refuse to provide consent or exercise privacy rights, and prohibits geofencing (location tracking within 1,750 feet) around health service providers to send notifications or collect consumer data.

• Establishes private right of action with liquidated damages ($1,000 for negligent violations, $5,000 for intentional/reckless violations), attorney's fees, and allows Attorney General enforcement as unlawful consumer fraud practice.