The proposed bill establishes the "Reproductive Health and Gender-Affirming Healthcare Data Privacy Act," which introduces new regulations into Title 23 of the General Laws concerning health and safety. This legislation focuses on the collection, processing, and sharing of consumer health data specifically related to reproductive and gender-affirming healthcare. It requires that holders of such data obtain explicit consent from consumers before collecting or sharing their data, with specific conditions outlined for valid consent. The bill defines key terms such as "consumer health data," "regulated entity," and "small business," and mandates that these entities maintain a consumer health data privacy policy by January 1, 2027, for regulated entities and by April 1, 2027, for small businesses. This policy must detail the categories of data collected, the purposes for which the data is used, and any third-party sharing.

Additionally, the bill grants consumers rights over their health data, including the right to confirm whether their data is being collected or shared, access their data, withdraw consent, and request deletion of their data. It establishes strict obligations for regulated entities and small businesses to comply with consumer requests and implement data security practices. The legislation also introduces penalties for violations, allowing individuals to pursue civil actions for damages and empowering the attorney general to enforce compliance. Exemptions for certain health information governed by existing federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA), are specified. Overall, the act aims to enhance consumer control over personal health information and provide legal recourse for unauthorized data handling, with provisions taking effect upon passage.