WeVote

Bill

Bill

SB 2992

AN ACT RELATING TO HEALTH AND SAFETY -- REPRODUCTIVE HEALTH AND GENDER-AFFIRMING HEALTHCARE DATA PRIVACY ACT

2026 Regular Session Introduced by Jake Bissaillon and 5 co-sponsors

Rhode Island SB 2992 creates a strict consent-based data privacy framework to protect consumer reproductive and gender-affirming health data from collection, sharing, or sale witho

05/07/2026 Committee recommended measure be held for further study
0
WeVote Research Nonpartisan
Bill Summary · SB 2992

Summary of SB 2992 (Rhode Island, 2026) – Reproductive Health and Gender-Affirming Healthcare Data Privacy Act

Purpose and intent
- Establishes a new state data privacy framework focused on consumer health data related to reproductive health and gender-affirming care.
- Aims to protect individuals’ sensitive health information from collection, sharing, or sale without explicit consent, and to provide clear rights and remedies for consumers.

Key provisions and changes

1) Definitions (Chapter 101.1-2)
- Broadly defines terms: affiliate, authenticate, biometric data, consumer health data, gender-affirming care information, reproductive or sexual health information, processor, regulated entity, small business, third party, geofence, and more.
- Distinguishes consumer health data (including gender-affirming care information and reproductive/sexual health information) from publicly available or deidentified data.
- Clarifies exemptions (e.g., HIPAA PHI, certain federal and state health and research data, and public health activities) but retains strong privacy scope for Rhode Island health data.

2) Consumer health data privacy policy (23-101.1-3)
- Regulated entities must publish a clear privacy policy by Jan 1, 2027; small businesses by Apr 1, 2027.
- Policies must disclose data categories collected, sources, shared categories, third parties/affiliates, and how to exercise rights.
- Policies must be accessible via a homepage link; cannot collect or share undisclosed data without affirmative consent.

3) Collection or sharing limits (23-101.1-4)
- Prohibits collection or sharing of consumer health data without consumer consent, except for specified permissible purposes (listed include providing products/services, completing transactions, complying with law, protecting safety/security, and similar purposes).
- Consent must be specific, informed, and revocable, with disclosure of data categories, purposes, and sharing.

4) Consumer rights and requests (23-101.1-5)
- Right to confirm data collection/sharing, access data, know which third parties have data, withdraw consent, and request deletion.
- Deletion must be implemented across records and notified to affiliates/processors; deletion of archived backups may be delayed up to 6 months.
- Requests must be responded to within 45 days, with a possible one 45-day extension for complexity.
- Fees may be charged only for manifestly unfounded/excessive/repetitive requests; otherwise free up to twice annually.

5) Data security (23-101.1-6)
- Requires access restrictions and reasonable administrative/technical/physical security measures.

6) Processors (23-101.1-7)
- Processors must operate under binding contracts that ensure processing complies with the entity’s instructions.
- Processors must assist and, if they exceed their scope, can be treated as a regulated entity with full obligations.

7) Authorized sale of data (23-101.1-8)
- Sales require a valid, separate authorization from the consumer (not tied to general consent).
- Authorization must detail data sold, purchaser, purpose, expiration (one year), revocation rights, and disclosures; copies must be provided to the consumer; records retained for six years.

8) Geofence restrictions (23-101.1-9)
- Prohibits geofencing around providers of reproductive or gender-affirming care to identify/track patients or collect data.

9) Exemptions and safeguards (23-101.1-10)
- Lists statutory/privacy act exemptions (e.g., HIPAA, 42 CFR Part 2, research data under IRBs, deidentified data meeting certain criteria, and public health data under specific conditions).
- Agencies and certain providers retain other privacy/data-use authorities.

10) Penalties and remedies (23-101.1-11)
- Civil action for injunctive relief, damages, and attorneys’ fees; violation also constitutes a deceptive trade practice enabling AG enforcement.

Effective date
- The act takes effect upon passage.

Potential impact
- Strengthens privacy protections for individuals seeking reproductive or gender-affirming care in Rhode Island.
- Increases compliance obligations for regulated entities and small businesses, including policy publishing, consent mechanics, data minimization, and robust rights processing.
- Creates clear enforcement pathways for individuals and the state, including private rights of action and AG oversight.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.