104 S4738 IS: Stop Commercial Use of Health Data Act
U.S. Senate
2022-08-02
text/xml
EN
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.
1.This Act may be cited as the Stop Commercial Use of Health Data Act
.2.Privacy of personally-identifiable health data(a)Prohibition on the use of personally-Identifiable health data in commercial advertising(1)It shall be unlawful for any covered entity to use the personally-identifiable health data of an individual that is collected from any source (including data volunteered by an individual, medical center-derived data, data from a wearable fitness tracker, data from web browsing history, or any other source determined appropriate by the Commission) for commercial advertising.(2)Exception for public health campaignsThe prohibition under paragraph (1) shall not apply to any public health campaign directed toward individuals or subpopulations of individuals. (b)Right of access and deletion(1)(A)A covered entity shall make available an easy-to-use mechanism by which an individual, upon verified request, may access any personally-identifiable health data relating to such individual that is retained by such covered entity.(B)A covered entity shall make the information described in subparagraph (A) available in both a human-readable and a machine-readable format.(2)A covered entity shall make available an easy-to-use mechanism by which an individual, upon verified request, may request the deletion of any personally-identifiable health data relating to such individual that is retained by such covered entity.(3)Requirements for access and deletion(A)Timeline for complying with requestsA covered entity shall comply with a verified request received under this subsection without undue delay, but not later than 45 days after the date on which such covered entity receives such verified request.(B)A covered entity may not charge a fee to an individual for a request made under this subsection.(C)Nothing in this section shall be construed—(i)as supplanting or abrogating any provision of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104–191); or(ii)to require a covered entity to—(I)take an action that would convert information that is not personally-identifiable health data into personally-identifiable health data;(II)collect or retain personally-identifiable health data that such covered entity would not otherwise collect or retain; or(III)retain personally-identifiable health data longer than such covered entity would otherwise retain such data.3.(a)Enforcement by the Commission(1)Unfair and deceptive acts or practicesA violation of section 2 or a regulation promulgated thereunder shall be treated as an unfair and deceptive act or practice proscribed under section 5(a) of the Federal Trade Commission Act (15 U.S.C. 45(a)).(2)(A)The Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act.(B)Privileges and immunitiesAny person who violates this Act shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.).(C)Nothing in this Act shall be construed to limit the authority of the Commission under any other provision of law.(3)The Commission shall promulgate in accordance with section 553 of title 5, United States Code, such rules as may be necessary to carry out this Act.(b)Enforcement by individuals(1)Any individual who suffers an injury (including the denial of a right established under this Act) as a result of a violation of this Act or a regulation promulgated thereunder by a covered entity may bring a civil action against such covered entity in Federal district court.(2)In a civil action brought under paragraph (1) in which the plaintiff prevails, the court may award the plaintiff—(A)for a—(i)violation of section 2(a), an amount equal to the greater of—(I)$1,000 in statutory damages per commercial advertisement generated in violation of such subsection; or(II)the sum of any actual damages sustained; or(ii)violation of section 2(b), an amount equal to the sum of any actual damages sustained; and(B)reasonable attorney’s fees and litigation costs. 4.(a)In this Act:(1)The term collect means, with respect to personally-identifiable health data, to obtain such information in any manner.(2)The term commercial advertising means communications that promote the sale of or interest in goods or services, including goods or services that are published digitally, via video or audio, or in print.(3)The term Commission means the Federal Trade Commission.(4)The term covered entity means a person that—(A)is subject to the Federal Trade Commission Act (15 U.S.C. 41 et seq.); and(B)collects, on an annual basis, the personally-identifiable health data of not less than 1,000 individuals in the United States.(b)Not later than 180 days after the date of enactment of this Act, the Commission shall conduct a rulemaking pursuant to section 553 of title 5, United States Code, to define the terms public health campaign and personally-identifiable health data for purposes of this Act.