BILL AS INTRODUCED S.173
2024 Page 1 of 29
S.173
Introduced by Senator Lyons
Referred to Committee on
Date:
Subject: Health; health information; data privacy
Statement of purpose of bill as introduced: This bill proposes to regulate the collection, sharing, and selling of consumer health data in Vermont.
An act relating to the collection, sharing, and selling of consumer health data
It is hereby enacted by the General Assembly of the State of Vermont:
Sec. 1. 18 V.S.A. chapter 42B is amended to read:
42B. HEALTH CARE PRIVACY
Subchapter 1. Disclosure of Protected Health Information
§ 1881. DISCLOSURE OF PROTECTED HEALTH INFORMATION PROHIBITED
***
Subchapter 2. Vermont My Health My Data Act
§ 1891. SHORT TITLE
This subchapter shall be known and may be cited as the “Vermont My Health My Data Act.”
VT LEG #372126 v.1
§ 1892. FINDINGS AND INTENT
(a) Findings. The General Assembly finds that:
(1) The residents of Vermont regard their privacy as a fundamental right and an essential element of their individual freedom. Fundamental privacy rights have long been and continue to be integral to protecting Vermonters and to safeguarding our democratic republic.
(2) Information related to an individual’s health conditions or attempts to obtain health care services is among the most personal and sensitive categories of data collected. Vermonters expect that their health data is protected under laws like the Health Insurance Portability and Accountability Act of 1996 (HIPAA). However, HIPAA only covers health data collected by specific health care entities, including most health care providers. Health data collected by noncovered entities, including certain applications and websites, are not afforded the same protections. This act works to close the gap between consumer knowledge and industry practice by providing stronger privacy protections for all of Vermont consumers’ health data.
(b) Intent. By enacting this act, it is the intent of the General Assembly to provide heightened protections for Vermonters’ health data by:
(1) requiring additional disclosures and consumer consent regarding the collection, sharing, and use of their health data;
(2) empowering consumers with the right to have their health data deleted;
(3) prohibiting the selling of consumer health data without valid authorization signed by the consumer; and
(4) making it unlawful to utilize a geofence around a facility that provides health care services.
§ 1893. DEFINITIONS
As used in this subchapter:
(1) “Abortion” means any medical treatment intended to induce the termination of, or to terminate, a clinically diagnosable pregnancy except for the purpose of producing a live birth.
(2) “Affiliate” means a legal entity that shares common branding with another legal entity and controls, is controlled by, or is under common control with another legal entity. For purposes of this definition, “control” or “controlled” means any one or more of the following:
(A) ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company;
(B) control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or
(C) the power to exercise controlling influence over the management of a company.
(3) “Authenticate” means to use reasonable means to determine that a request to exercise any of the rights afforded in this chapter is being made by or on behalf of the consumer who is entitled to exercise those consumer rights with respect to the consumer health data at issue.
(4) “Biometric data” means data that is generated from the measurement or technological processing of an individual’s physiological, biological, or behavioral characteristics and that identifies a consumer, whether individually or in combination with other data. Biometric data includes:
(A) imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template can be extracted; and
(B) keystroke patterns or rhythms and gait patterns or rhythms that contain identifying information.
(5) “Collect” means to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner.
(6)(A) “Consent” means a clear affirmative act that signifies the consumer’s freely given, specific, informed, opt-in, voluntary, and unambiguous agreement, which may include written consent provided by electronic means.
(B) “Consent” shall not be obtained by:
(i) a consumer’s acceptance of a general or broad terms-of-use agreement or a similar document that contains descriptions of personal data processing along with other unrelated information;
(ii) a consumer hovering over, muting, pausing, or closing a given piece of content; or
(iii) a consumer’s agreement obtained through the use of deceptive designs.
(7)(A) “Consumer” means a natural person who meets one or both of the following conditions:
(i) the person is a Vermont resident; or
(ii) the person’s consumer health data is collected in Vermont.
(B) “Consumer” means a natural person who acts only in an individual or household context, however identified, including by any unique identifier. The term does not include an individual acting in an employment context.
(8)(A) “Consumer health data” means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.
(B) For purposes of this definition, physical or mental health status includes:
(i) individual health conditions, treatment, diseases, or diagnosis;
(ii) social, psychological, behavioral, and medical interventions;
(iii) health-related surgeries or procedures;
(iv) use or purchase of prescribed medication;
(v) bodily functions, vital signs, symptoms, or measurements of the information described in this subdivision (B);
(vi) diagnoses or diagnostic testing, treatment, or medication;
(vii) gender-affirming care information;
(viii) reproductive or sexual health information;
(ix) biometric data;
(x) genetic data;
(xi) precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies;
(xii) data that identifies a consumer seeking health care services; or
(xiii) any information that a regulated entity or a small business, or its respective processor, processes to associate or identify a consumer with the data described in subdivisions (i)–(xii) of this subdivision (B) that is derived or extrapolated from nonhealth information, such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning.
(C) “Consumer health data” does not include personal information that is used to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that determines that the regulated entity or the small business has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.
(9) “Deceptive design” means a user interface designed or manipulated with the effect of subverting or impairing user autonomy, decision making, or choice.
(10) “Deidentified data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer, or a device linked to such consumer, if the regulated entity or the small business that possesses the data does all of the following:
(A) takes reasonable measures to ensure that the data cannot be associated with a consumer;
(B) publicly commits to process the data only in a deidentified fashion and not to attempt to reidentify the data; and
(C) contractually obligates any recipients of the data to satisfy the criteria set forth in this subdivision (10).
(11) “Gender-affirming care information” means personal information relating to seeking or obtaining past, present, or future gender-affirming health care services. “Gender-affirming care information” includes:
(A) precise location information that could reasonably indicate a consumer’s attempt to acquire or receive gender-affirming health care services;
(B) efforts to research or obtain gender-affirming health care services; or
(C) any gender-affirming care information that is derived, extrapolated, or inferred, including from nonhealth information such as proxy, derivative, inferred, emergent, or algorithmic data.
(12) “Gender-affirming health care services” has the same meaning as in 1 V.S.A. § 150.
(13) “Genetic data” means any data, regardless of its format, that concerns a consumer’s genetic characteristics. “Genetic data” includes:
(A) raw sequence data that result from the sequencing of a consumer’s complete extracted deoxyribonucleic acid (DNA) or a portion of the extracted DNA;
(B) genotypic and phenotypic information that results from analyzing the raw sequence data; and
(C) self-reported health data that a consumer submits to a regulated entity or a small business and that is analyzed in connection with the consumer’s raw sequence data.
(14) “Geofence” means technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data, or any other form of spatial or location detection, individually or in combination, to establish a virtual boundary around a specific physical location or to locate a consumer within a virtual boundary. For purposes of this definition, “geofence” means a virtual boundary that is 2,000 feet or less from the perimeter of the physical location.
(15) “Health care service” means any service provided to a person to assess, measure, improve, or learn about a person’s mental or physical health, including:
(A) individual health conditions, status, diseases, or diagnoses;
(B) social, psychological, behavioral, and medical interventions;
(C) health-related surgeries or procedures;
(D) use or purchase of medication;
(E) bodily functions, vital signs, symptoms, or measurements of the information described in this subdivision (15);
(F) diagnoses or diagnostic testing, treatment, or medication;
(G) reproductive health services; or
(H) gender-affirming health care services.
(16) “Homepage” means the introductory page of an internet website and any internet web page on which personal information is collected. In the case of an online service such as a mobile application, “homepage” means the application’s platform page or download page, and a link within the application, such as from the application configuration or the “about,” “information,” or “settings” page.
(17) “Person” means, where applicable, a natural person, corporation, trust, unincorporated association, or partnership. The term does not include a government agency, tribal nation, or a contracted service provider when processing consumer health data on behalf of a government agency.
(18)(A) “Personal information” means information that identifies or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer. “Personal information” includes data associated with a persistent unique identifier, such as a cookie ID, an IP address, a device identifier, or any other form of persistent unique identifier.
(B) “Personal information” does not include publicly available information or deidentified data.
(19) “Precise location information” means information derived from technology, including global positioning system level latitude and longitude coordinates and other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet. “Precise location information” does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
(20) “Process” or “processing” means any operation or set of operations performed on consumer health data.
(21) “Processor” means a person who processes consumer health data on behalf of a regulated entity or a small business.
(22)(A) “Publicly available information” means information that:
(i) is lawfully made available through federal, state, or municipal government records or widely distributed media; and
(ii) a regulated entity or a small business has a reasonable basis to believe a consumer has lawfully made available to the general public.
(B) “Publicly available information” does not include any biometric data collected about a consumer by a business without the consumer’s consent.
(23)(A) “Regulated entity” means any legal entity that:
(i) conducts business in Vermont, or produces or provides products or services that are targeted to consumers in Vermont; and
(ii) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.
(B) “Regulated entity” does not mean government agencies or contracted service providers when processing consumer health data on behalf of a government agency.
(24)(A) “Reproductive or sexual health information” means personal information relating to seeking or obtaining past, present, or future reproductive or sexual health services.
(B) “Reproductive or sexual health information” includes:
(i) precise location informat