The Personal Health Data Security Amendment Act of 2025 aims to strengthen privacy protections for the personal health data of District residents by prohibiting the use of geofencing technology around health service facilities, thereby preventing the tracking of individuals based on their location. The bill requires entities that control personal health data, referred to as "controllers," to publish clear privacy policies, obtain consent before processing or disclosing data, and establish a process for data deletion. Individuals will have the right to confirm whether their data is being processed, withdraw consent, and request deletion of their personal health data.

Additionally, the legislation imposes specific obligations on controllers, including the requirement to delete personal health data upon verified request within 183 days and to notify third parties of such requests. The Office of the Attorney General will be responsible for enforcing these provisions, investigating violations, and imposing civil penalties for non-compliance. The bill also mandates the issuance of rules for implementation and includes a fiscal impact statement. It will take effect after approval from the Mayor or following the Council's action to override a potential veto, along with a 30-day congressional review period as outlined in the District of Columbia Home Rule Act.