Back to Illinois

HB3494 • 2026

HEALTH DATA PRIVACY ACT

HEALTH DATA PRIVACY ACT

Privacy
Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor
Mary Beth Canty
Last action
2026-04-17
Official status
Rule 19(a) / Re-referred to Rules Committee
Effective date
Not listed

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

HEALTH DATA PRIVACY ACT

HEALTH DATA PRIVACY ACT

What This Bill Does

  • HEALTH DATA PRIVACY ACT

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Bill History

  1. 2026-05-30 Illinois General Assembly

    Added Co-Sponsor Rep. Daniel Didech

  2. 2026-05-26 Illinois General Assembly

    Added Co-Sponsor Rep. Nicolle Grasse

  3. 2026-05-21 Illinois General Assembly

    Added Co-Sponsor Rep. Elizabeth "Lisa" Hernandez

  4. 2026-05-21 Illinois General Assembly

    Added Co-Sponsor Rep. Stephanie A. Kifowit

  5. 2026-05-06 Illinois General Assembly

    Added Co-Sponsor Rep. Lisa Davis

  6. 2026-05-06 Illinois General Assembly

    Added Co-Sponsor Rep. Michael Crawford

  7. 2026-05-06 Illinois General Assembly

    Added Co-Sponsor Rep. Justin Cochran

  8. 2026-05-06 Illinois General Assembly

    Added Co-Sponsor Rep. Justin Slaughter

  9. 2026-05-06 Illinois General Assembly

    Added Co-Sponsor Rep. Norma Hernandez

  10. 2026-05-06 Illinois General Assembly

    Added Co-Sponsor Rep. Jay Hoffman

  11. 2026-04-17 Illinois General Assembly

    Rule 19(a) / Re-referred to Rules Committee

  12. 2026-04-16 Illinois General Assembly

    Added Co-Sponsor Rep. Robyn Gabel

  13. 2026-04-16 Illinois General Assembly

    Added Co-Sponsor Rep. Aarón M. Ortíz

  14. 2026-04-15 Illinois General Assembly

    Added Co-Sponsor Rep. Rita Mayfield

  15. 2026-04-15 Illinois General Assembly

    Added Co-Sponsor Rep. Diane Blair-Sherlock

  16. 2026-04-15 Illinois General Assembly

    Added Co-Sponsor Rep. Jennifer Gong-Gershowitz

  17. 2026-04-14 Illinois General Assembly

    Added Co-Sponsor Rep. Dagmara Avelar

  18. 2026-04-14 Illinois General Assembly

    Added Co-Sponsor Rep. Kevin John Olickal

  19. 2026-04-14 Illinois General Assembly

    Added Co-Sponsor Rep. Anna Moeller

  20. 2026-04-14 Illinois General Assembly

    Added Co-Sponsor Rep. Laura Faver Dias

  21. 2026-04-14 Illinois General Assembly

    Added Co-Sponsor Rep. Katie Stuart

  22. 2026-04-14 Illinois General Assembly

    Added Co-Sponsor Rep. Marcus C. Evans, Jr.

  23. 2026-04-07 Illinois General Assembly

    Added Co-Sponsor Rep. Nabeela Syed

  24. 2026-04-07 Illinois General Assembly

    Added Co-Sponsor Rep. Lilian Jiménez

  25. 2026-03-03 Illinois General Assembly

    Added Chief Co-Sponsor Rep. Maurice A. West, II

  26. 2026-03-03 Illinois General Assembly

    Added Chief Co-Sponsor Rep. Ann M. Williams

  27. 2026-03-03 Illinois General Assembly

    Remove Chief Co-Sponsor Rep. Ann M. Williams

  28. 2026-03-03 Illinois General Assembly

    Added Chief Co-Sponsor Rep. Ann M. Williams

  29. 2026-03-03 Illinois General Assembly

    Remove Chief Co-Sponsor Rep. Maurice A. West, II

  30. 2026-02-25 Illinois General Assembly

    Added Co-Sponsor Rep. Kam Buckner

  31. 2026-02-25 Illinois General Assembly

    Added Co-Sponsor Rep. Tracy Katz Muhl

  32. 2026-02-25 Illinois General Assembly

    Added Co-Sponsor Rep. Maura Hirschauer

  33. 2026-02-25 Illinois General Assembly

    Added Co-Sponsor Rep. Will Guzzardi

  34. 2026-02-25 Illinois General Assembly

    Added Co-Sponsor Rep. Theresa Mah

  35. 2026-02-25 Illinois General Assembly

    Added Co-Sponsor Rep. Janet Yang Rohr

  36. 2026-02-25 Illinois General Assembly

    Added Co-Sponsor Rep. Margaret Croke

  37. 2026-02-17 Illinois General Assembly

    Approved for Consideration Rules Committee ; 003-002-000

  38. 2026-02-17 Illinois General Assembly

    Placed on Calendar 2nd Reading - Short Debate

  39. 2026-02-10 Illinois General Assembly

    Chief Sponsor Changed to Rep. Mary Beth Canty

  40. 2025-04-11 Illinois General Assembly

    Rule 19(a) / Re-referred to Rules Committee

  41. 2025-04-09 Illinois General Assembly

    Added Co-Sponsor Rep. Camille Y. Lilly

  42. 2025-03-26 Illinois General Assembly

    Second Reading - Short Debate

  43. 2025-03-26 Illinois General Assembly

    Held on Calendar Order of Second Reading - Short Debate

  44. 2025-03-26 Illinois General Assembly

    Added Co-Sponsor Rep. Barbara Hernandez

  45. 2025-03-24 Illinois General Assembly

    Added Co-Sponsor Rep. Kelly M. Cassidy

  46. 2025-03-19 Illinois General Assembly

    Do Pass / Short Debate Judiciary - Civil Committee ; 013-007-000

  47. 2025-03-19 Illinois General Assembly

    Placed on Calendar 2nd Reading - Short Debate

  48. 2025-03-19 Illinois General Assembly

    Added Co-Sponsor Rep. Anne Stava

  49. 2025-03-11 Illinois General Assembly

    Assigned to Judiciary - Civil Committee

  50. 2025-02-18 Illinois General Assembly

    First Reading

  51. 2025-02-18 Illinois General Assembly

    Referred to Rules Committee

  52. 2025-02-07 Illinois General Assembly

    Filed with the Clerk by Rep. Ann M. Williams

Official Summary Text

HEALTH DATA PRIVACY ACT

Current Bill Text

Read the full stored bill text
Illinois General Assembly - Full Text of HB3494

Select Language

×

The Illinois General Assembly offers the Google Translate™ service for visitor convenience. In no way should it be considered accurate as to the translation of any content herein.

Visitors of the Illinois General Assembly website are encouraged to use other translation services available on the internet.

The English language version is always the official and authoritative version of this website.

NOTE: To return to the original English language version, select the "Show Original" button on the Google Translate™ menu bar at the top of the window.

Choose Language

English

Afrikaans

Albanian

Arabic

Armenian

Azerbaijani

Basque

Bengali

Bosnian

Catalan

Croatian

Czech

Danish

Dutch

Esperanto

Estonian

Filipino

Finnish

French

Galician

Georgian

German

Greek

Gujarati

Haitian Creole

Hausa

Hawaiian

Hebrew

Hindi

Hungarian

Icelandic

Indonesian

Interlingua

Interlingue

Inuktitut

Irish

Italian

Japanese

Javanese

Kannada

Khmer

Korean

Latin

Latvian

Lithuanian

Luxembourgish

Macedonian

Malagasy

Malayalam

Maltese

Maori

Marathi

Myanmar

Nepali

Norwegian

Odia

Pashto

Punjabi

Romanian

Russian

Samoan

Sango

Sanskrit

Sardinian

Sindhi

Sinhala

Slovak

Slovenian

Somali

Southern Sotho

Spanish

Sundanese

Swahili

Swedish

Tamil

Telugu

Thai

Tigrinya

Tonga

Turkish

Ukrainian

Urdu

Vietnamese

Welsh

Xhosa

Yiddish

Yoruba

Zulu

Powered by
Translate

Close

Illinois General Assembly

Top Navigation Bar

Translate

Learn

Select General Assembly

Search the 104th General Assembly

Enter search terms for legislation, members, committees, or schedules.

ILGA.GOV

LEGISLATION & LAWS

Bills & Resolutions

Public Acts

Illinois Compiled Statutes

Illinois Constitution

Search Legislation

Glossary

Guide

Reports & Inquiry

Legislative Reports

Special Reports

FTP Site

Legislator Lookup

Capitol Complex Phone Numbers

Rules & Regulations

Illinois Register

Administrative Rules

Senate

Members

Schedules

Committees

Request for Remote Testimony

Journals

Transcripts

Rules

Audio/Video

FOIA Information

Senate Employment Opportunities

Media Guidelines

House

Members

Schedules

Committees

Submit testimony for House Committees

Journals

Transcripts

Rules

Audio/Video

FOIA Information

House Employment Opportunities

Log In

Mobile Top Bar

Search the 104th General Assembly

Enter keywords to search the Illinois General Assembly website.

Full Text of HB3494

Home

Legislation

Full Text

HB3494 - 104th General Assembly

Bill Status

Full Text

Votes

Witness Slips

Select Menu

Bill Status

Full Text

Votes

Witness Slips

Printer Friendly Version

Introduced

Printer Friendly Version

Introduced

Open PDF

104TH GENERAL ASSEMBLY
State of Illinois
2025 and 2026
HB3494

Introduced 2/18/2025, by Rep. Ann M. Williams

SYNOPSIS AS INTRODUCED:

New Act
815 ILCS 505/2HHHH new

Creates the Protect Health Data Privacy Act. Provides that a
regulated entity shall disclose and maintain a health data privacy policy
that clearly and conspicuously discloses specified information. Sets forth
provisions concerning health data privacy policies. Provides that a
regulated entity shall not collect, share, or store health data, except in
specified circumstances. Provides that it is unlawful for any person to
sell or offer to sell health data concerning an individual without first
obtaining valid authorization from the individual. Provides that a valid
authorization to sell individual health data must contain specified
information; a copy of the signed valid authorization must be provided to
the individual; and the seller and purchaser of health data must retain a
copy of all valid authorizations for sale of health data for 6 years after
the date of its signature or the date when it was last in effect, whichever
is later. Sets forth provisions concerning the consent required for
collection, sharing, and storage of health data. Provides that an
individual has the right to withdraw consent from the processing of the
individual's health data. Provides that it is unlawful for a regulated
entity to engage in discriminatory practices against individuals solely
because they have not provided consent to the processing of their health
data or have exercised any other rights provided by the provisions or
guaranteed by law. Sets forth provisions concerning an individual's right
to confirm whether a regulated entity is collecting, selling, sharing, or
storing any of the individual's health data; an individual's right to have
the individual's health data that is collected by a regulated entity
deleted; prohibitions regarding geofencing; and individual health data
security. Provides that any person aggrieved by a violation of the
provisions shall have a right of action in a State circuit court or as a
supplemental claim in federal district court against an offending party.
Provides that the Attorney General may enforce a violation of the
provisions as an unlawful practice under the Consumer Fraud and Deceptive
Business Practices Act. Defines terms. Makes a conforming change in the
Consumer Fraud and Deceptive Business Practices Act.
LRB104 11205 BAB 21287 b

A BILL FOR

HB3494
LRB104 11205 BAB 21287 b
1

AN ACT concerning regulation.

2

Be it enacted by the People of the State of Illinois,
3
represented in the General Assembly:

4

Section 1.
Short title.
This Act may be cited as the
5
Protect Health Data Privacy Act.

6

Section 5.
Definitions.
As used in this Act:
7

"Affiliate" means a legal entity that shares common
8
branding with another legal entity or controls, is controlled
9
by or is under common control with another legal entity. For
10
the purposes of this definition, "control" and "controlled"
11
mean (A) ownership of, or the power to vote, more than 50% of
12
the outstanding shares of any class of voting security of a
13
company, (B) control in any manner over the election of a
14
majority of the directors or of individuals exercising similar
15
functions, or (C) the power to exercise controlling influence
16
over the management of a company.
17

"Collect" means to buy, rent, lease, access, retain,
18
receive, or acquire health data in any manner.
19

"Consent" means a clear affirmative act by an individual
20
that unambiguously communicates the individual's express,
21
freely given, informed, opt-in, voluntary, specific, and
22
unambiguous written agreement, including written consent
23
provided by electronic means, to the processing of health

HB3494
- 2 -
LRB104 11205 BAB 21287 b
1
data. Consent may not be implied, and consent cannot be
2
obtained by:
3

(1) acceptance of a general or broad terms of use
4

agreement or a similar document that contains descriptions
5

of personal data processing along with other, unrelated
6

information;
7

(2) hovering over, muting, pausing, or closing a given
8

piece of digital content; or
9

(3) agreement obtained through the use of deceptive
10

designs.
11

"Deceptive design" means any user interface or element
12
thereof that has the substantial effect of subverting,
13
impairing, or impeding an individual's autonomy,
14
decision-making, or choice.
15

"Deidentified data" means data that cannot be used to
16
infer information about, or otherwise be linked to, an
17
identified or identifiable individual, or a device linked to
18
such individual. A regulated entity that possesses
19
deidentified data shall: (i) take reasonable measures to
20
ensure that such data cannot be associated with an individual;
21
(ii) publicly commit to process such data only in a
22
deidentified fashion and not attempt to reidentify such data;
23
and (iii) contractually obligate any recipients of such data
24
to satisfy the criteria set forth in items (i) and (ii).
25

"Geofence" means technology that uses global positioning
26
coordinates, cell tower connectivity, cellular data, radio

HB3494
- 3 -
LRB104 11205 BAB 21287 b
1
frequency identification, wireless Internet data, or any other
2
form of spatial or location detection to establish a virtual
3
boundary around a specific physical location, or to locate an
4
individual within a virtual boundary. For the purposes of this
5
Act, "geofence" means a virtual boundary that is no more than
6
1,750 feet around a specific physical location.
7

"Health data" means information regarding, relating to,
8
derived, or extrapolated from the past, present, or future
9
physical or mental health of an individual, including, but not
10
limited to, any information relating to:
11

(1) individual health conditions, treatment, status,
12

diseases, or diagnoses;
13

(2) health related surgeries or procedures;
14

(3) use or purchase of medication;
15

(4) social, psychological, behavioral, and medical
16

interventions;
17

(5) bodily functions, vital signs, measurements, or
18

symptoms;
19

(6) diagnoses or diagnostic testing, treatment, or
20

medication;
21

(7) efforts to research or obtain health services or
22

supplies;
23

(8) health services or products that support or relate
24

to lawful health care, as defined by Public Act 102-1117;
25

(9) precise location information that could reasonably
26

be used to determine an individual's attempt to acquire or

HB3494
- 4 -
LRB104 11205 BAB 21287 b
1

receive health services or supplies; and
2

(10) any information described in paragraphs (1)
3

through (9) that is derived or extrapolated from
4

non-health information, including by use of algorithms or
5

machine learning, if such information is used or processed
6

in connection with the advertising, marketing, or
7

provision of health services.
8

"Health data" does not include:
9

(1) personal information collected with the
10

individual's consent that is used in research conducted in
11

accordance with the Federal Policy for the Protection of
12

Human Subjects, also known as the Common Rule, at Part 46
13

of Title 45 of the Code of Federal Regulations; the Good
14

Clinical Practice Guidelines issued by the International
15

Council for Harmonisation of Technical Requirements for
16

Pharmaceuticals for Human Use; or the United States Food
17

and Drug Administration human subjects protection
18

requirements under Parts 50 and 56 of Title 21 of the Code
19

of Federal Regulations and that adheres to all other
20

applicable ethics and privacy laws and is approved,
21

monitored, and governed by an institutional review board,
22

human subjects research ethics review board, or a similar
23

independent oversight entity that determines that the
24

regulated entity has implemented reasonable safeguards to
25

mitigate privacy risks associated with research, including
26

any risks associated with reidentification; or

HB3494
- 5 -
LRB104 11205 BAB 21287 b
1

(2) deidentified data.
2

"Health services" means any service, medical care, or
3
information related to an individual's health data provided to
4
an individual.
5

"HIPAA" means the Health Insurance Portability and
6
Accountability Act of 1996, Public Law 104-191, the Health
7
Information Technology for Economic and Clinical Health Act,
8
and any subsequent amendments thereto and any regulations
9
promulgated thereunder, including the Privacy Rule, as
10
specified in 45 CFR 164.500-534, the Security Rule, as
11
specified in 45 CFR 164.302-318, and the Breach Notification
12
rule, as specified in 45 CFR 164.400-414.
13

"Homepage" means the introductory page of a website where
14
personal information is collected. In the case of an online
15
service, such as a mobile application, "homepage" means the
16
application's platform page or download page, such as from the
17
application configuration, "About" page, "Information" page,
18
or settings page, and any other location that allows
19
individuals to review the notice.
20

"Individual" means a person who is a resident of this
21
State, however identified, including by any unique identifier.
22
A person located in this State when the person's health data is
23
collected by a regulated entity shall create a presumption
24
that the person is a resident of this State for purposes of
25
enforcing this Act. "Individual" does not include a person
26
acting in a commercial or within an employment context.

HB3494
- 6 -
LRB104 11205 BAB 21287 b
1

"Personal information" means information that identifies,
2
relates to, describes, is reasonably capable of being
3
associated with, or linked, directly or indirectly, with a
4
particular individual or household. "Personal information"
5
does not include publicly available information or
6
deidentified data.
7

"Precise location information" means information that
8
identifies the location of an individual within a radius of
9
1,750 feet. "Precise location information" does not include:
10
(i) the content of communications, or (ii) any data generated
11
by or connected to advanced utility metering infrastructure
12
systems or equipment for use by a utility.
13

"Process" or "Processing" means any operation or set of
14
operations performed, whether by manual or automated means, on
15
personal information or on sets of personal information,
16
whether alone or in combination with other data, such as the
17
collection, use, access, sharing, sale, monetization,
18
analysis, retention, creation, generation, derivation,
19
recording, organization, structuring, storage, disclosure,
20
transmission, disposal, licensing, destruction, deletion,
21
retrieval, modification, or deidentification of health data.
22

"Processor" means a person or legal entity that processes
23
health data on behalf of a regulated entity pursuant to a
24
written agreement or contract.
25

"Publicly available" means information that is lawfully
26
made available from federal, State, or local government

HB3494
- 7 -
LRB104 11205 BAB 21287 b
1
records.
2

"Regulated entity" means any individual, partnership,
3
corporation, limited liability company, association, or other
4
group, however organized, that: (i) conducts business in this
5
State or produces products or services that are available to
6
individuals in this State; and (ii) for any purpose, processes
7
or otherwise deals with health data. "Regulated entity" does
8
not include government agencies, including the Illinois
9
Insurance Guaranty Fund as described under Article XXXIV of
10
the Illinois Insurance Code, tribal nations, a clerk of the
11
court, or a judge or justice thereof, or contracted service
12
providers or processors when processing an individual's health
13
data on behalf of the governmental agency. "Regulated entity"
14
does not include any entity that is a covered entity or a
15
business associate, as defined in Section 160.103 of Title 45
16
of the Code of Federal Regulations, subject to and in
17
substantial compliance with HIPAA to the extent such entity is
18
acting as a covered entity or business associate under the
19
Privacy and Security rules issued by the United States
20
Department of Health and Human Services, Parts 160 and 164 of
21
Title 45 of the Code of Federal Regulations. "Regulated
22
entity" does not include any entity that is subject to and in
23
compliance with restrictions on disclosure of records under
24
Section 543 of the Public Health Service Act, 42 U.S.C.
25
290dd–2, to the extent such entity is acting in a capacity
26
subject to such restrictions.

HB3494
- 8 -
LRB104 11205 BAB 21287 b
1

"Sell" or "sale" means when a regulated entity, directly
2
or indirectly, receives any form of remuneration or other
3
valuable consideration from the use of health data or from the
4
recipient of the health data in exchange for the health data.
5
"Sell" or "sale" does not include:
6

(1) the sharing of health data to a recipient where
7

the regulated entity maintains control and ownership of
8

the health data;
9

(2) the sharing of health data to comply with
10

applicable laws or regulations;
11

(3) the use of the health data by an entity
12

exclusively at the direction of the regulated entity and
13

consistent with the purpose for which it was collected and
14

disclosed; and
15

(4) the transfer of health data to a third party as an
16

asset as part of a merger, acquisition, bankruptcy, or
17

other transaction in which the third party assumes control
18

of all or part of the regulated entity's assets that shall
19

comply with the requirements and obligations in this Act.
20

"Share" or "sharing" means to release, disclose,
21
disseminate, divulge, loan, make available, provide access to,
22
license, or otherwise communicate orally, in writing, or by
23
electronic or other means, health data by a regulated entity
24
to a third party except where the regulated entity maintains
25
exclusive control and ownership of the health data. "Share" or
26
"sharing" does not include:

HB3494
- 9 -
LRB104 11205 BAB 21287 b
1

(1) the disclosure or transfer of health data to a
2

processor that collects or processes the personal data on
3

behalf of the regulated entity, when the regulated entity
4

maintains control and ownership of the data and the
5

processor maintains or uses the health data only for the
6

regulated entity's distinct purposes pursuant to a
7

contract;
8

(2) the disclosure or transfer of health data to a
9

third party with whom the individual has a direct
10

relationship for purposes of and only to the extent
11

necessary for providing a product or service requested by
12

the individual when the regulated entity maintains control
13

and ownership of the data and the third party maintains or
14

uses the health data only for the regulated entity's
15

distinct purposes; or
16

(3) the disclosure or transfer of personal data to a
17

third party as an asset that is part of a merger,
18

acquisition, bankruptcy, or other transaction in which the
19

third party assumes control of all or part of the
20

regulated entity's assets and shall comply with the
21

requirements and obligations in this Act.
22

"Strictly necessary" means essential or required to be
23
done.
24

"Substantial compliance" means a level of compliance with
25
Title 45 of the Code of Federal Regulations Sections 164.502,
26
164.508, 164.510, 164.512, 164.514, 164.520, 164.522, 164.524,

HB3494
- 10 -
LRB104 11205 BAB 21287 b
1
164.526, 164.528, and 164.530 that does not arise from gross
2
negligence, recklessness, or willful misconduct by the entity
3
acting as a covered entity or business associate.
4

"Third party" means an entity other than an individual,
5
regulated entity, service provider, or affiliate of the
6
regulated entity.

7

Section 10.
Scope.
8

(a) This Act applies to individuals seeking, researching,
9
or obtaining health services within this State, or information
10
about health services available in this State and regulated
11
entities.
12

(b) This Act does not affect an individual's right to
13
voluntarily share the individual's own health information with
14
another person or entity.

15

Section 15.
Health data privacy policy required.
16

(a) A regulated entity shall disclose and maintain a
17
health data privacy policy that, in plain language, clearly
18
and conspicuously includes and discloses:
19

(1) the specific types of health data collected and
20

the purpose for which the data is collected and used;
21

(2) the categories of sources from which the health
22

data is collected;
23

(3) whether the regulated entity collects health data
24

when the individual is not directly interacting with the

HB3494
- 11 -
LRB104 11205 BAB 21287 b
1

regulated entity or its services.
2

(4) the specific types of health data that are shared
3

and sold;
4

(5) the categories of third parties with whom the
5

regulated entity sells and processes health data, and the
6

process to withdraw consent from having health data
7

processed and sold;
8

(6) a list of the third parties with whom the
9

regulated entity shares health data;
10

(7) the length of time the regulated entity intends to
11

retain each category of health data, or if that is not
12

possible, the criteria used to determine that period;
13

however, a regulated entity shall not retain health data
14

for each disclosed purpose for which the health data was
15

collected for longer than is reasonably necessary to
16

fulfill that disclosed purpose or as otherwise permitted
17

by this Act;
18

(8) how an individual may exercise the rights provided
19

in this Act, including, but not limited to, identifying 2
20

or more designated methods for an individual to contact
21

the regulated entity in connection with the exercise of
22

any rights provided in this Act;
23

(9) the process to opt out of having health data
24

collected; and
25

(10) an active electronic mail address or other online
26

mechanism that the individual may use to contact the

HB3494
- 12 -
LRB104 11205 BAB 21287 b
1

regulated entities free of charge.
2

(b) A regulated entity shall prominently publish or link
3
to its health data privacy policy on its website homepage,
4
mobile application, or in another manner that is clear and
5
conspicuous to individuals. Its health data privacy policy
6
must be distinguishable from other matters. Any regulated
7
entity providing health services in a physical location shall
8
also post its health data privacy policy in a conspicuous
9
place that is readily available for viewing by individuals.
10

(c) A regulated entity shall not process or sell
11
additional categories of health data not disclosed in the
12
health data privacy policy without first disclosing the
13
additional categories of health data and obtaining the
14
individual's consent before the processing or selling of the
15
health data.
16

(d) A regulated entity shall not process or sell health
17
data for additional purposes not disclosed in the health data
18
privacy policy without first disclosing the additional
19
purposes and obtaining the individual's consent before the
20
processing or selling of the health data.
21

(e) It is a violation of this Act for a regulated entity to
22
contract with a processor to process an individual's health
23
data in a manner that is inconsistent with the regulated
24
entity's health data privacy policy.

25

Section 20.
Prohibition on processing of health data.

HB3494
- 13 -
LRB104 11205 BAB 21287 b
1

(a) A regulated entity shall not process health data,
2
except:
3

(1) with the consent of the individual to whom the
4

information relates for a specified purpose; or
5

(2) as is strictly necessary to provide a product or
6

service that the individual to whom the health data
7

relates has specifically requested from the regulated
8

entity.
9

(b) Consent required under this Section must be obtained
10
before the use of any health data for any additional purpose
11
that was not specified before obtaining an individual's
12
consent for the use of the health data.

13

Section 25.
Prohibition on sale of health data.
14

(a) It is unlawful for any person to sell or offer to sell
15
health data concerning an individual without first obtaining
16
valid authorization from the individual. The sale of
17
individual health data must be consistent with the valid
18
authorization signed by the individual.
19

(b) A valid authorization to sell an individual's health
20
data is an agreement consistent with this Section and must be
21
written in plain language. The valid authorization to sell the
22
individual's health data must contain the following:
23

(1) the specific health data concerning the individual
24

that the person intends to sell;
25

(2) the name and contact information of any person or

HB3494
- 14 -
LRB104 11205 BAB 21287 b
1

entity collecting and selling the health data;
2

(3) the name and contact information of any person or
3

entity purchasing the health data from the seller
4

identified in paragraph (2) of this subsection;
5

(4) a description of the purpose for the sale,
6

including how the health data will be gathered and how it
7

will be used by the purchaser identified in paragraph (3)
8

of this subsection when sold;
9

(5) a statement that the provision of goods or
10

services may not be conditioned on the individual signing
11

the valid authorization;
12

(6) a statement that the individual has a right to
13

revoke the valid authorization at any time and a
14

description on how an individual may revoke the valid
15

authorization;
16

(7) a statement that the individual health data sold
17

pursuant to the valid authorization may be subject to
18

redisclosure by the purchaser and may no longer be
19

protected by this Section;
20

(8) an expiration date for the valid authorization
21

that expires one year from when the individual signs the
22

valid authorization; and
23

(9) the signature of the individual and date.
24

(c) An authorization is not valid if the document has any
25
of the following defects:
26

(1) the expiration date has passed;

HB3494
- 15 -
LRB104 11205 BAB 21287 b
1

(2) the authorization does not contain all the
2

information required under this Section;
3

(3) the authorization has been revoked by the
4

individual;
5

(4) the authorization has been combined with other
6

documents to create a compound authorization; or
7

(5) the provision of goods or services is conditioned
8

on the individual signing the authorization.
9

(d) A copy of the signed valid authorization must be
10
provided to the individual.
11

(e) The seller and purchaser of health data must retain a
12
copy of all valid authorizations for sale of health data for 6
13
years after the date of its signature or the date when it was
14
last in effect, whichever is later.

15

Section 30.
Consent required for processing health data.
16

(a) A regulated entity shall not seek consent to process
17
health data without first disclosing its health data privacy
18
policy as required under Section 15.
19

(b) Consent required under this Section must be obtained
20
before the processing, as applicable, of any health data, and
21
the request for consent must clearly and conspicuously
22
disclose, separate and apart from its health data privacy
23
policy:
24

(1) the categories of health data processed;
25

(2) the purpose of the processing of the health data,

HB3494
- 16 -
LRB104 11205 BAB 21287 b
1

including the specific ways in which it will be used; and
2

(3) how the individual can withdraw consent from
3

future processing of their health data.
4

(c) Consent required under this Section must be obtained
5
before the use of any health data for any additional purpose
6
that was not specified before obtaining an individual's
7
consent for the use of the health data.
8

(d) An individual may exercise rights under this Section
9
by submitting a request to a regulated entity using the method
10
the regulated entity specifies in the privacy policy under
11
paragraph (8) of subsection (a) of Section 15.

12

Section 35.
Right to withdraw consent.
An individual has
13
the right to withdraw consent from the sale or processing of
14
the individual's health data, consistent with the requirements
15
of Section 30.

16

Section 40.
Prohibition on discriminatory practices.
17

(a) It is unlawful for a regulated entity to engage in
18
discriminatory practices against an individual solely because
19
the individual has not provided consent to the sale or
20
processing of the individual's health data pursuant to this
21
Act, or have exercised any other rights provided by this Act or
22
guaranteed by law. Discriminatory practices include, but are
23
not limited to:
24

(1) denying or limiting goods or services to the

HB3494
- 17 -
LRB104 11205 BAB 21287 b
1

individual;
2

(2) imposing additional requirements or restrictions
3

on the individual that would not be necessary if the
4

individual provided consent;
5

(3) providing materially different treatment to
6

individuals who provide consent as compared to individuals
7

who do not provide consent;
8

(4) providing or suggesting that the individual will
9

receive a lower level or quality of goods or services;
10

(5) suggesting that the individual will receive a
11

different price or rate for goods or services; or
12

(6) charging different prices or rates for goods or
13

services, including using discounts or other benefits or
14

imposing penalties.
15

(b) It shall not be a discriminatory practice under this
16
Section to use health data as is strictly necessary to provide
17
a product or service that the individual to whom the health
18
data relates has specifically requested from a regulated
19
entity.

20

Section 45.
Right to confirm.

(a) An individual has
21
the right to confirm whether a regulated entity is collecting,
22
selling, sharing, or storing any of the individual's health
23
data, and to confirm that a regulated entity has deleted the
24
individual's health data following a deletion request pursuant
25
to Section 50.

HB3494
- 18 -
LRB104 11205 BAB 21287 b
1

(b) A regulated entity that receives an individual's
2
request to confirm shall respond within 45 calendar days after
3
receiving the request to confirm from the individual.
4

(c) The regulated entity shall, without reasonable delay,
5
promptly take all steps necessary to verify the individual's
6
request, but this shall not extend the regulated entity's duty
7
to respond within 45 days of receipt of the individual's
8
request.
9

(d) The time period to provide the required confirmation
10
may be extended once by an additional 45 calendar days when
11
reasonably necessary, if the individual is provided notice of
12
the extension within the first 45-day period.

13

Section 50.
Right to deletion.
14

(a) An individual whose health data is collected by a
15
regulated entity has the right to have the individual's health
16
data that is collected by a regulated entity deleted by
17
informing the regulated entity of the individual's request for
18
deletion, except as provided in subsection (g).
19

(b) Except as otherwise specified in subsection (f), a
20
regulated entity that receives an individual's request to
21
delete any of the individual's health data shall without
22
unreasonable delay, and no more than 45 calendar days from
23
receiving the deletion request:
24

(1) delete the individual's health data from its
25

records, including from all parts of the regulated

HB3494
- 19 -
LRB104 11205 BAB 21287 b
1

entity's network; and
2

(2) notify all service providers, contractors, and
3

third parties with whom the regulated entity has shared
4

the individual's health data of the deletion request.
5

(c) If a regulated entity stores any health data on
6
archived or backup systems, it may delay compliance with the
7
individual's request to delete with respect to the health data
8
stored on the archived or backup system until the archived or
9
backup system relating to that data is restored to an active
10
system or is next accessed or used.
11

(d) Any processor, service provider, contractor, and other
12
third party that receives notice of an individual's deletion
13
request from a regulated entity shall honor the individual's
14
deletion request and delete the health data from the regulated
15
entity's records, including from all parts of its network or
16
backup systems.
17

(e) An individual or an individual's authorized agent may
18
exercise the rights set forth in this Act by submitting a
19
request, at any time, to a regulated entity. Such a request may
20
be made by:
21

(1) contacting the regulated entity through the manner
22

included in its health data privacy policy;
23

(2) by designating an authorized agent who may
24

exercise the rights on behalf of the individual;
25

(3) in the case of collecting health data of a minor,
26

the minor seeking health services may exercise their

HB3494
- 20 -
LRB104 11205 BAB 21287 b
1

rights under this Act, or the parent or legal guardian of
2

the minor may exercise the rights of this Act on the
3

minor's behalf; or
4

(4) in the case of collecting health data concerning
5

an individual subject to guardianship, conservatorship, or
6

other protective arrangement under the Probate Act of
7

1975, the guardian or the conservator of the individual
8

may exercise the rights of this Act on the individual's
9

behalf.
10

(f) The time period to delete any of the individual's
11
health data may be extended once by an additional 45 calendar
12
days when reasonably necessary, if the individual is provided
13
notice of the extension within the first 45-day period.
14

(g) Neither a regulated entity nor a processor shall be
15
required to comply with an individual's request to delete the
16
individual's health data if it is necessary for the regulated
17
entity or the processor to maintain the individual's health
18
data to:
19

(1) complete the transaction for which the health data
20

was collected, provide a good or service requested by the
21

individual, or otherwise fulfill the requirements of an
22

agreement between the regulated entity and the individual;
23

(2) prevent or detect security incidents, protect
24

against malicious, deceptive, fraudulent, or illegal
25

activity, if the use of health data for such purposes is
26

limited in time pursuant to a valid record retention

HB3494
- 21 -
LRB104 11205 BAB 21287 b
1

schedule;
2

(3) engage in public or peer-reviewed scientific,
3

historical, or statistical research in the public interest
4

that adheres to all other applicable ethics and privacy
5

laws, if the entities' deletion of the information is
6

likely to render impossible or seriously impair the
7

achievement of such research, and if the individual has
8

provided consent to such use of their health data;
9

(4) comply with any applicable data retention
10

requirements in accordance with State and federal law,
11

including the data retention requirements set forth in
12

Section 6 of the Hospital Licensing Act, 45 CFR 164.316,
13

and 45 CFR 164.530; or
14

(5) retain the health data if the regulated entity has
15

been notified, in writing by an attorney, that there is
16

litigation pending in court involving the individual's
17

health data as possible evidence and that the individual
18

is the attorney's client or is the person who has
19

instituted the litigation against their client, then the
20

regulated entity shall retain the record of that
21

individual until notified in writing by the plaintiff's
22

attorney, with the approval of the defendant's attorney of
23

record, that the case in court involving the record has
24

been concluded or for a period of 12 years after the date
25

that the record was produced, whichever occurs first in
26

time.

HB3494
- 22 -
LRB104 11205 BAB 21287 b
1

Section 55.
Authentication of identity.
2

(a) A regulated entity that receives an individual's
3
request to confirm or delete may take reasonable measures to
4
authenticate the individual's identity or an authorized
5
agent's identity to a reasonably high degree of certainty. A
6
reasonably high degree of certainty may include matching at
7
least 3 pieces of personal information provided by the
8
individual or the individual's authorized agent with personal
9
information maintained by the regulated entity that it has
10
determined to be reliable for the purpose of authenticating
11
the individual or the individual's authorized agent together
12
with a signed declaration under penalty of perjury that the
13
individual or the individual's authorized agent making the
14
request is the individual or the individual's authorized agent
15
whose health data is the subject of the request. If a regulated
16
entity uses this method for authentication, the regulated
17
entity shall make all forms necessary for authentication of an
18
individual's or the individual's authorized agent's identity
19
available to the individual or the individual's authorized
20
agent, and shall maintain all signed declarations as part of
21
its recordkeeping obligations.
22

(b) A regulated entity is not required to comply with an
23
individual's or the individual's authorized agent's request to
24
confirm or delete if the regulated entity, using commercially
25
reasonable efforts, is unable to authenticate the identity of

HB3494
- 23 -
LRB104 11205 BAB 21287 b
1
the individual or the individual's authorized agent making the
2
request. If a regulated entity is unable to authenticate the
3
individual's or the individual's authorized agent's identity,
4
the regulated entity shall inform the individual or the
5
individual's authorized agent that it was unable to
6
authenticate the individual's or the individual's authorized
7
agent's identity and advise the individual or the individual's
8
authorized agent of other methods, if available, of
9
authenticating their identity.
10

(c) If a regulated entity denies an authenticated
11
individual's request to delete that individual's health data,
12
in whole or in part, because of a conflict with federal or
13
State law, the regulated entity shall inform the requesting
14
individual and explain the basis for the denial, unless
15
prohibited from doing so by law.
16

(d) Any information provided by an individual or the
17
individual's authorized agent to a regulated entity for the
18
purpose of authenticating the individual's or the individual's
19
authorized agent's identity shall not be used for any purpose
20
other than authenticating the individual's identity and shall
21
be destroyed immediately following the authentication process.

22

Section 60.
Individual health data security and
23
minimization.
24

(a) A regulated entity shall restrict access to health
25
data by the employees, processors, service providers, and

HB3494
- 24 -
LRB104 11205 BAB 21287 b
1
contractors of the regulated entity to only those employees,
2
processors, services providers, and contractors for whom
3
access is necessary to provide a product or service that the
4
individuals to whom the health data relates have requested
5
from the regulated entity.
6

(b) A regulated entity shall establish, implement, and
7
maintain administrative, technical, and physical data security
8
practices that at least satisfy a reasonable standard of care
9
within the regulated entity's industry to protect the
10
confidentiality, integrity, and accessibility of health data
11
appropriate to the volume and nature of the personal data at
12
issue.

13

Section 65.
Prohibition on geofencing.
14

(a) It shall be unlawful for any person to implement a
15
geofence that enables the sending of notifications, messages,
16
alerts, advertisements, or other pieces of information to an
17
individual that enters the perimeter around any entity that
18
provides health services or products, unless such messages are
19
directly related to an individual's appointment in the
20
facility or the provision of requested health services or
21
products by the regulated entity.
22

(b) It shall be unlawful for any person to implement a
23
geofence around any entity that provides in-person health care
24
services and products where the geofence is used to:
25

(1) identify or track individuals seeking health care

HB3494
- 25 -
LRB104 11205 BAB 21287 b
1

services or products or to determine whether the
2

individual is seeking health care services or products; or
3

(2) collect data from an individual who enters the
4

virtual perimeter.

5

Section 70.
Limits on access to an individual's health
6
information by government agencies, officials, and law
7
enforcement.
8

(a) A regulated entity shall not disclose an individual's
9
health data to a federal, state, or local governmental agency,
10
official, or law enforcement agent or agency unless: (1)
11
disclosure is requested by the individual to whom the health
12
data pertains or (2) the governmental entity or official
13
serves the regulated entity with a valid warrant, except as
14
prohibited under the laws of this State, including, but not
15
limited to, Section 3.5 of the Uniform Interstate Depositions
16
and Discovery Act.
17

(b) A regulated entity shall not sell, share, allow access
18
to, or disclose an individual's health data to any State or
19
local jurisdiction for the purpose of investigating or
20
enforcing a law that denies or interferes with an individual's
21
right to obtain any lawful health care services, as defined by
22
the Lawful Health Care Activity Act.

23

Section 75.
Private right of action.
Any person aggrieved
24
by a violation of this Act shall have a right of action in a

HB3494
- 26 -
LRB104 11205 BAB 21287 b
1
State circuit court or as a supplemental claim in federal
2
district court against an offending party. A prevailing party
3
may recover for each violation:
4

(1) against any offending party that negligently
5

violates a provision of this Act, liquidated damages of
6

$1,000 or actual damages, whichever is greater;
7

(2) against any offending party that intentionally or
8

recklessly violates a provision of this Act, liquidated
9

damages of $5,000 or actual damages, whichever is greater;
10

(3) reasonable attorney's fees and costs, including
11

expert witness fees and other litigation expenses; and
12

(4) other relief, including an injunction, as the
13

State or federal court may deem appropriate.

14

Section 80.
Enforcement by the Attorney General.
The
15
Attorney General may enforce a violation of this Act as an
16
unlawful practice under the Consumer Fraud and Deceptive
17
Business Practices Act. All rights and remedies provided to
18
the Attorney General under the Consumer Fraud and Deceptive
19
Business Practices Act shall be available for enforcement of a
20
violation of this Act.

21

Section 85.
Conflict with other laws.
22

(a) Nothing in this Act shall be construed to prohibit the
23
lawful and authorized disclosure of health data by regulated
24
entities to local health departments or State government

HB3494
- 27 -
LRB104 11205 BAB 21287 b
1
agencies or by or among local health departments and State
2
government agencies as may be required by State and federal
3
law, including under the Adult Protective Services Act, the
4
Abused and Neglected Child Reporting Act, the Criminal Code of
5
2012, and the Disclosure of Offenses Against Children Act.
6

(b) If any provision of this Act, or the application
7
thereof to any person or circumstance, is held invalid, the
8
remainder of this Act and the application of such provision to
9
other persons not similarly situated or to other circumstances
10
shall not be affected by the invalidation.
11

(c) This Act shall not apply to:
12

(1) personal information collected, processed, sold,
13

or disclosed subject to the federal Gramm-Leach-Bliley
14

Act, Public Law 106-102, and implementing regulations; and
15

(2) entities subject to, and in compliance with, the
16

Insurance Information and Privacy Protection Act, the
17

Insurance Data Security Law in the Illinois Insurance
18

Code, and any corresponding privacy protection rules
19

adopted by the Director of Insurance.
20

(d) This Act shall not be construed to conflict with, or
21
limit the application of, any of the following laws, rules, or
22
regulations governing the sharing, collection, processing, or
23
disclosure of personal information or health data: the Medical
24
Patient Rights Act; the Hospital Licensing Act; Sections 2, 4,
25
5, 6, 7, 8, 9, 9.3, 9.8, and 11 the Mental Health and
26
Developmental Disabilities Confidentiality Act; subsections

HB3494
- 28 -
LRB104 11205 BAB 21287 b
1
(c) through (f) of Section 10 of the Mental Health and
2
Developmental Disabilities Confidentiality Act; and Sections
3
8-2001 and 8-2001.5 of the Code of Civil Procedure.
4

(e) In the event of a conflict between the provisions of
5
this Act and any other law, rule, or regulation listed in
6
subsections (c) and (d), the law, rule, or regulation that
7
provides the greater right, benefit, or protection to
8
individuals shall apply. Nothing in this Act shall be
9
construed to diminish or limit any rights, benefits, or
10
protections afforded under the laws, rules, or regulations
11
referenced in subsections (c) and (d).

12

Section 97.
Severability.
The provisions of this Act are
13
severable under Section 1.31 of the Statute on Statutes.

14

Section 100.
The Consumer Fraud and Deceptive Business
15
Practices Act is amended by adding Section 2HHHH as follows:

16

(815 ILCS 505/2HHHH new)
17

Sec. 2HHHH.
Violations of the Protect Health Data Privacy
18
Act.
Any person who violates the Protect Health Data Privacy
19
Act commits an unlawful practice within the meaning of this
20
Act.

Footer

Disclaimer

This site is maintained for the Illinois General Assembly by the
Legislative Information System, 705 Stratton Building, Springfield, Illinois 62706.

Contact ILGA Webmaster

ILGA.gov uses cookies to ensure you get the best experience on our website. By continuing to browse ILGA.gov you consent to our use of cookies.
Read About Cookies

ILGA.GOV

2026 ILGA.gov | All Rights Reserved |
ADA

|
Disclaimers
|
Learn

This site is maintained for the Illinois General Assembly by the
Legislative Information System, 705 Stratton Building, Springfield, Illinois 62706.
Contact ILGA Webmaster

ILGA.gov uses cookies to ensure you get the best experience on our website. By continuing to browse ILGA.gov you consent to our use of cookies.
Read About Cookies

ILGA.GOV

2026 ILGA.gov | All Rights Reserved |
ADA

|
Disclaimers
|
Learn