[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 4738 Introduced in Senate (IS)]
117th CONGRESS
2d Session
S. 4738
To protect the privacy of personally-identifiable health data, and for
other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
August 2, 2022
Ms. Klobuchar (for herself and Mr. Whitehouse) introduced the following
bill; which was read twice and referred to the Committee on Commerce,
Science, and Transportation
_______________________________________________________________________
A BILL
To protect the privacy of personally-identifiable health data, and for
other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Stop Commercial Use of Health Data
Act''.
SEC. 2. PRIVACY OF PERSONALLY-IDENTIFIABLE HEALTH DATA.
(a) Prohibition on the Use of Personally-Identifiable Health Data
in Commercial Advertising.--
(1) In general.--It shall be unlawful for any covered
entity to use the personally-identifiable health data of an
individual that is collected from any source (including data
volunteered by an individual, medical center-derived data, data
from a wearable fitness tracker, data from web browsing
history, or any other source determined appropriate by the
Commission) for commercial advertising.
(2) Exception for public health campaigns.--The prohibition
under paragraph (1) shall not apply to any public health
campaign directed toward individuals or subpopulations of
individuals.
(b) Right of Access and Deletion.--
(1) Right of access.--
(A) In general.--A covered entity shall make
available an easy-to-use mechanism by which an
individual, upon verified request, may access any
personally-identifiable health data relating to such
individual that is retained by such covered entity.
(B) Format.--A covered entity shall make the
information described in subparagraph (A) available in
both a human-readable and a machine-readable format.
(2) Right of deletion.--A covered entity shall make
available an easy-to-use mechanism by which an individual, upon
verified request, may request the deletion of any
personally-identifiable health data relating to such individual
that is retained by such covered entity.
(3) Requirements for access and deletion.--
(A) Timeline for complying with requests.--A
covered entity shall comply with a verified request
received under this subsection without undue delay, but
not later than 45 days after the date on which such
covered entity receives such verified request.
(B) Fees prohibited.--A covered entity may not
charge a fee to an individual for a request made under
this subsection.
(C) Rules of construction.--Nothing in this section
shall be construed--
(i) as supplanting or abrogating any
provision of the Health Insurance Portability
and Accountability Act of 1996 (Public Law
104-191); or
(ii) to require a covered entity to--
(I) take an action that would
convert information that is not
personally-identifiable health data
into personally-identifiable health
data;
(II) collect or retain
personally-identifiable health data that such
covered entity would not otherwise
collect or retain; or
(III) retain
personally-identifiable health data longer than
such covered entity would otherwise
retain such data.
SEC. 3. ENFORCEMENT.
(a) Enforcement by the Commission.--
(1) Unfair and deceptive acts or practices.--A violation of
section 2 or a regulation promulgated thereunder shall be
treated as an unfair and deceptive act or practice proscribed
under section 5(a) of the Federal Trade Commission Act (15
U.S.C. 45(a)).
(2) Powers of the commission.--
(A) In general.--The Commission shall enforce this
Act in the same manner, by the same means, and with the
same jurisdiction, powers, and duties as though all
applicable terms and provisions of the Federal Trade
Commission Act (15 U.S.C. 41 et seq.) were incorporated
into and made a part of this Act.
(B) Privileges and immunities.--Any person who
violates this Act shall be subject to the penalties and
entitled to the privileges and immunities provided in
the Federal Trade Commission Act (15 U.S.C. 41 et
seq.).
(C) Authority preserved.--Nothing in this Act shall
be construed to limit the authority of the Commission
under any other provision of law.
(3) Rulemaking.--The Commission shall promulgate in
accordance with section 553 of title 5, United States Code,
such rules as may be necessary to carry out this Act.
(b) Enforcement by Individuals.--
(1) In general.--Any individual who suffers an injury
(including the denial of a right established under this Act) as
a result of a violation of this Act or a regulation promulgated
thereunder by a covered entity may bring a civil action against
such covered entity in Federal district court.
(2) Relief.--In a civil action brought under paragraph (1)
in which the plaintiff prevails, the court may award the
plaintiff--
(A) for a--
(i) violation of section 2(a), an amount
equal to the greater of--
(I) $1,000 in statutory damages per
commercial advertisement generated in
violation of such subsection; or
(II) the sum of any actual damages
sustained; or
(ii) violation of section 2(b), an amount
equal to the sum of any actual damages
sustained; and
(B) reasonable attorney's fees and litigation
costs.
SEC. 4. DEFINITIONS.
(a) In General.--In this Act:
(1) Collect.--The term ``collect'' means, with respect to
personally-identifiable health data, to obtain such information
in any manner.
(2) Commercial advertising.--The term ``commercial
advertising'' means communications that promote the sale of or
interest in goods or services, including goods or services that
are published digitally, via video or audio, or in print.
(3) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(4) Covered entity.--The term ``covered entity'' means a
person that--
(A) is subject to the Federal Trade Commission Act
(15 U.S.C. 41 et seq.); and
(B) collects, on an annual basis, the
personally-identifiable health data of not less than 1,000
individuals in the United States.
(b) Rulemaking.--Not later than 180 days after the date of
enactment of this Act, the Commission shall conduct a rulemaking
pursuant to section 553 of title 5, United States Code, to define the
terms ``public health campaign'' and ``personally-identifiable health
data'' for purposes of this Act.