Amendment ID: S2538-8
Amendment 8
Selling of Consumer Health Data
Ms. Kennedy and Mr. Payano move that the proposed new draft be amended by inserting the following section:-
“SECTION XX. The General Laws, as appearing in the 2022 Official Edition, are hereby amended by inserting after chapter 93L the following chapter:
Chapter 93M. Consumer Health Data Sharing
Section 1. Definitions
As used in this chapter, the following words shall, unless the context clearly requires otherwise, have the following meanings:—
“Consent,” a clear affirmative act by a consumer that openly communicates a consumer’s freely given, informed, opt-in, voluntary, specific, and unambiguous agreement (which may include written consent provided by electronic means). Consent cannot be obtained by:
(i) A consumer’s acceptance of a general or broad Terms of Use agreement or a similar document that contains descriptions of personal data processing along with other, unrelated information;
(ii) A consumer hovering over, muting, pausing, or closing a given piece of content; or
(iii) A consumer’s agreement obtained through the use of deceptive designs,
“Consumer,” a natural person who is a Massachusetts resident acting only in an individual or household context, however identified, including by any unique identifier. A person that a business entity knows to be located in Massachusetts when their Consumer Health Data is collected by such business entity will create a presumption that the person is a Massachusetts resident for purposes of enforcing this chapter.
“Consumer Health Data,” personal information a business entity uses to identify the past, present, or future physical or mental health of a consumer, including any personal information relating to:
(i) Individual health conditions, treatment, status, diseases, or diagnoses;
(ii) Social, psychological, behavioral, and medical interventions;
(iii) Health related surgeries or procedures;
(iv) Use or purchase of medication;
(v) Bodily functions, vital signs, measurements, or symptoms;
(vi) Diagnoses or diagnostic testing, treatment, or medication;
(vii) Efforts to research or obtain health services or supplies;
(viii) Precise location information that a business entity uses to determine a consumer’s primary purpose to acquire or receive health services or supplies; and
(ix) Any information described in subparagraphs (i) through (ix) that is derived or extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).
(b) Consumer Health Data does not include:
(i) Data processed or maintained in the course of employment, including applications for employment and the administration of benefits; or
(ii) Personal Information that is used to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that determines that the business entity has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification, so long as consent has first been obtained;
“Sell” or “Sale,” the sharing of Consumer Health Data for monetary or other valuable consideration to a Third Party. Sell or Sale does not include the sharing of Consumer Health Data for monetary or other valuable consideration to:
(i) A Third Party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the Third Party assumes control of all or part of the business entity’s assets that shall comply with the requirements and obligations in this chapter;
(ii) A Third Party at the direction of a consumer; or
(iii) A Third Party where the business entity maintains control and ownership of the Consumer Health Data, and the third-party only uses the Consumer Health Data at direction from the business entity and consistent with the purpose for which it was collected and disclosed to the consumer.
“Share” or “Sharing,” to release, disclose, disseminate, divulge, make available, provide access to, license, or otherwise communicate orally, in writing, or by electronic or other means, Consumer Health Data by a business entity to a Third Party where the business entity maintains control and ownership of the Consumer Health Data. The term share or sharing does not include:
(i) The disclosure of Consumer Health Data to an entity who collects and/or processes the personal data on behalf of the business entity, when the business entity maintains control and ownership of the data and the Third Party only uses the Consumer Health Data at direction from the business entity and consistent with the purpose for which it was collected and disclosed to the consumer;
(ii) The disclosure of Consumer Health Data to a Third Party with whom the consumer has a direct relationship for purposes of providing a product or service requested by the consumer when the business entity maintains control and ownership of the data and the Third Party only uses the Consumer Health Data at direction from the business entity and consistent with the purpose for which it was collected and disclosed to the consumer; or
(iii) The disclosure or transfer of personal data to a Third Party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the Third Party assumes control of all or part of the business entity’s assets and shall comply with the requirements and obligations in this chapter.
“Third Party,” any legal entity other than a consumer, business entity, or an affiliate of the business entity.
Section 2. (a) Any business entity providing health information or services shall not sell or share consumer health data with a third-party entity related to the information or services provided to the consumer.
(b) A consumer may consent to the sharing or selling of consumer health data by the business entity.
(c) The Attorney General shall have exclusive authority to enforce the provisions of this chapter under chapter 93A of the general laws.