WeVote

Bill

Bill

HB 3494

Relating to medical assistance reimbursement of behavioral health services; prescribing an effective date.

2025 Regular Session Introduced by Ed Diehl and 1 co-sponsor

HB 3494 requires opt-in consent to process health data, bans sale without authorization, lets individuals sue for violations, and strengthens Illinois residents' control.

In committee upon adjournment.
0
WeVote Research Nonpartisan
Bill Summary · HB 3494

Summary — HB 3494 (Protect Health Data Privacy Act)

Status: Introduced in the 104th Illinois General Assembly; In committee upon adjournment (6/28/2025). Filed Feb 7, 2025; first reading Feb 18, 2025. Judiciary – Civil reported Do Pass 3/19/2025 (13–7).

Purpose

HB 3494, titled the Protect Health Data Privacy Act, establishes comprehensive privacy requirements for “health data” collected, stored, shared, or sold by covered entities. The bill is intended to strengthen individual control over health-related personal information, limit commercial uses (including sale) of health data without explicit authorization, and create enforcement mechanisms including private suits and Attorney General action.

Key provisions

  • Health data definition: Broadly defined to include information about physical or mental health, diagnoses, treatments, medications, surgeries, behavioral/psychological interventions, vital signs, efforts to obtain health services, precise location data reasonably used to infer attempts to obtain health services, and information derived or extrapolated by algorithms or machine learning.
  • Exemptions: Explicitly excludes deidentified data and certain regulated research (e.g., Common Rule/IRB‑governed research that meets specified safeguards).
  • Consent standard: Requires a clear, affirmative, unambiguous, opt‑in written (including electronic) consent for processing health data. Consent may not be implied, obtained via deceptive design, or through generic terms of use.
  • Sale of health data: Makes it unlawful to sell or offer to sell an individual’s health data without first obtaining a “valid authorization.” A valid authorization must contain specified information; the individual must receive a copy; both seller and purchaser must retain authorizations for 6 years from signature or last in effect.
  • Limits on collection/sharing/storage: A “regulated entity” may only collect, share, or store health data in specified circumstances (the bill enumerates permitted uses; excerpt is partial).
  • Right to withdraw consent: Individuals may withdraw consent to processing of their health data.
  • Non‑discrimination: Prohibits discriminatory practices solely because an individual withheld consent or exercised rights under the Act.
  • Individual rights: Gives individuals the right to (a) confirm whether an entity is collecting/selling/sharing/storing their health data and (b) request deletion of collected health data.
  • Geofencing prohibition: Defines “geofence” (virtual boundary up to 1,750 feet) and contains prohibitions regarding geofencing tied to health data collection.
  • Data security: Imposes requirements and expectations for reasonable safeguards and prohibitions on reidentification of deidentified data.
  • Enforcement: Private right of action in Illinois circuit court (or as a supplemental claim in federal court). Attorney General may enforce violations as unlawful practices under the Consumer Fraud and Deceptive Business Practices Act. The bill makes a conforming change to that Act.

Who is affected

  • “Regulated entities” and their affiliates that collect, process, store, share, or sell health data (the bill defines related terms such as “affiliate,” “collect,” and “deidentified data”).
  • Businesses and data brokers that monetize health‑related information.
  • Health researchers using individually identifiable data are affected only to the extent exemptions and safeguards apply.
  • Individuals in Illinois — give expanded rights to control health data and to sue for violations.

Procedural/timeline notes

  • Introduced and assigned to multiple committees (Behavioral Health & Health Care; Judiciary – Civil; Rules). Judiciary – Civil recommended Do Pass on 3/19/2025.
  • As of 6/28/2025 the bill is “in committee upon adjournment” (not enacted).
  • The bill title indicates it “prescribes an effective date”; the introduced excerpt does not show the specific effective date.

Considerations and likely impacts

  • Would shift default business practices toward opt‑in consent for a broad class of health‑related data, likely affecting digital platforms, data brokers, advertisers, and some health product/service vendors.
  • Could increase compliance costs (consent management, record retention, security safeguards) and legal exposure (private suits and AG enforcement).
  • Raises interplay questions with HIPAA, other state privacy laws, and research exemptions — implementation would require careful mapping of covered activities and entities.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.