The Health Data Privacy Act establishes comprehensive regulations for the handling of regulated health information by entities that are not licensed healthcare providers. It defines key terms such as "regulated entity," "regulated health information," and "service provider," and outlines the responsibilities of these entities regarding data privacy. Regulated entities must provide clear privacy information, implement robust data security practices, and ensure accessibility for individuals with disabilities. They are required to obtain explicit consent from individuals before processing their health information, detailing the types of data collected, the purposes of processing, and the entities with whom the data may be shared. The Act also grants individuals rights to access, correct, and delete their regulated health information, while prohibiting retaliatory actions against those who assert their rights.
The bill introduces new provisions that explicitly prohibit retaliation against individuals exercising their rights under the Act, barring regulated entities from denying services or altering pricing as a form of retaliation. It establishes enforcement mechanisms and penalties for violations, allowing affected individuals to seek civil penalties ranging from $2,500 for negligent violations to $7,500 for intentional violations. The Attorney General or district attorneys can initiate civil actions for suspected violations. Additionally, the bill clarifies that it does not impose liability inconsistent with federal law and includes provisions for severability, ensuring that the remaining sections of the Act remain enforceable if any part is invalidated. The provisions of this Act are set to take effect on July 1, 2025.