This bill establishes strict regulations regarding the acquisition and disclosure of personal health information, specifically biometric data, health data, and protected health information, by health care providers, mobile application developers, and third parties. It requires these entities to obtain explicit consent from individuals before acquiring their personal health information, and to obtain consent no more than three calendar days prior to any disclosure of such information. While a single consent can cover multiple acquisitions, each disclosure requires a separate consent. The bill also clarifies definitions for terms such as "acquire," "disclose," and "consent," ensuring that individuals' rights to their health information are protected.

Additionally, the bill includes provisions that exempt health care providers from these requirements when sharing information for medical treatment or diagnosis purposes. It emphasizes that the rights of individuals under the Health Insurance Portability and Accountability Act (HIPAA) remain intact and that violations of this bill can result in damages of $1,000 per violation, along with reasonable attorney fees and costs. The private right of action provided by this bill does not replace any other legal claims available under common law or statute, thereby reinforcing the legal protections for individuals regarding their personal health information.