The "Health Data Privacy Act" establishes comprehensive regulations for the handling of regulated health information by entities that are not licensed healthcare providers. It defines key terms such as "regulated entity," "regulated health information," and "service provider," and outlines the responsibilities of these entities regarding data privacy. Regulated entities must provide clear privacy information, implement robust data security practices, and ensure accessibility for individuals with disabilities. They are required to obtain explicit consent from individuals before processing their health information and must provide mechanisms for individuals to access, correct, or delete their data. The bill also prohibits processing health information for targeted advertising without consent and mandates that service providers enter into written agreements to ensure compliance.
Additionally, the bill prohibits retaliation against individuals who exercise their rights under the Act, explicitly barring regulated entities from denying services or charging different prices as a form of retaliation. It introduces enforcement mechanisms and penalties for violations, allowing affected individuals to seek civil penalties ranging from $2,500 for negligent violations to $7,500 for intentional violations. The Attorney General or district attorneys can initiate civil actions for suspected violations. The legislation clarifies that it does not impose liability inconsistent with federal law and includes a severability provision, ensuring that if any part of the Act is invalidated, the remaining sections will still be enforceable. The provisions of this act are set to take effect on July 1, 2025.