The Health Data Privacy Act establishes comprehensive regulations for the handling of regulated health information by entities that process such data. It defines key terms such as "regulated entity," "regulated health information," and "service provider," while outlining the responsibilities of these entities to protect individuals' privacy rights. Regulated entities must provide clear privacy information, implement robust data security practices, and ensure accessibility for individuals with disabilities. The Act prohibits practices such as processing health information without consent and using precise geolocation data for non-essential purposes. It also grants individuals rights to access, correct, and delete their health information, requiring explicit consent for processing activities and easy mechanisms for revoking consent.
The bill introduces new provisions that specifically prohibit retaliation against individuals exercising their rights under the Act, barring regulated entities from denying goods or services, or providing them at a different level of quality, because an individual exercised those rights. Any contract attempting to waive or limit these rights is deemed invalid. Additionally, the bill establishes enforcement mechanisms, including civil penalties for violations, with amounts ranging from $2,500 for negligent violations to $7,500 for intentional violations. The attorney general or district attorneys can initiate civil actions for suspected violations, and the bill clarifies that it does not impose liability inconsistent with federal law or apply to information processed by government entities. The provisions of this act are set to take effect on July 1, 2025.