The Health Data Privacy Act establishes comprehensive regulations for the handling of regulated health information by entities that are not licensed healthcare providers. It defines key terms such as "regulated entity," "regulated health information," and "service provider," and outlines the responsibilities of these entities regarding data privacy. Regulated entities must provide clear privacy information, implement robust data security practices, and ensure accessibility for individuals with disabilities. They are required to obtain explicit consent from individuals before processing their health information and must detail the types of data collected, the purposes of processing, and the entities with whom the data may be shared. The Act also grants individuals rights to access, correct, and delete their health information, while prohibiting retaliatory actions against those who assert their rights.

The bill introduces new provisions to enhance protections under the Health Data Privacy Act, including a prohibition against retaliating against individuals for exercising their rights, such as denying services or altering pricing. It establishes that no contract can waive or limit the rights conferred by the Act and outlines penalties for violations, including civil penalties and the ability for individuals to seek damages in court. The Attorney General or district attorneys are empowered to initiate civil actions for violations. Additionally, the bill clarifies that the Act does not impose liability inconsistent with federal law and allows regulated entities to comply with legal obligations, respond to emergencies, and conduct medical research under specific conditions. The provisions of this act are set to take effect on July 1, 2025.