The Personal Health Data Security Amendment Act of 2025 aims to strengthen privacy protections for the personal health data of District residents. Key provisions of the bill include a prohibition on the use of geofencing technology around health service facilities to prevent location-based tracking of individuals. It requires entities that control personal health data, referred to as "controllers," to publish clear privacy policies, obtain consent before processing or disclosing data, and establish a process for data deletion. Individuals will have the right to withdraw consent and request the deletion of their personal health data, which controllers must comply with within 183 days.

Additionally, the bill mandates that controllers notify third parties about deletion requests and ensure compliance within specified timeframes. The Office of the Attorney General will have exclusive authority to enforce these provisions, investigate violations, and impose civil penalties for non-compliance. The legislation also includes a requirement for the issuance of rules to implement its provisions and a fiscal impact statement adopted from the committee report. The bill will take effect upon approval from the Mayor or following the Council's action to override a veto, with a 30-day congressional review period as outlined in the District of Columbia Home Rule Act.