HB 3284 - Prohibits a Covered Organization from Collecting Personal Health Data Without Consent - Oregon Key Vote

Stage Details

Title: Prohibits a Covered Organization from Collecting Personal Health Data Without Consent

Vote Smart's Synopsis:

Vote to pass a bill that prohibits a covered organization from collecting, using or disclosing personal health data about a resident individual who has not given affirmative express consent.

Highlights:

 

  • Defines “affirmative express consent” as an affirmative act by a resident individual that clearly and conspicuously communicates the resident individual’s authorization for a covered organization to perform an act or practice (Sec. 1.a.A).

  • Specifies “affirmative express consent” does not include a resident individual’s acceptance of a general or broad terms of use document, or similar document, that contains descriptions of personal health data collection along with other unrelated information (Sec. 1.a.B).

  • Prohibits a covered organization from collecting, using or disclosing personal health data about a resident individual who has not given affirmative express consent to the covered organization’s collection, use, or disclosure of the resident individual’s personal health data. In obtaining affirmative express consent from a resident individual, a covered organization may not (Sec. 1-2.a):

    • Use a method that is designed with the purpose of, or that has the substantial effect of, subverting or impairing a resident individual’s decision-making or choice; and

    • Infer consent from a resident individual’s inaction.

  • Authorizes a resident individual to give affirmative express consent to a collection, use or disclosure of personal health data on behalf of another resident individual who is younger than 14 years of age if the resident individual is a parent or legal guardian of the other resident individual (Sec. 1-3).

  • Authorizes a covered organization to use, without having to destroy, delete or render inaccessible, personal health data if (Sec. 1-4.b):

    • The personal health data consists of aggregations, statistical analyses, compilations or interpretations; and

    • The covered organization deidentifies the personal health data in effect on the effective date of this 2021 Act.

  • Specifies this law does not limit or prohibit the following (Sec. 1-7):

    • A university or other institution of higher education or a nonprofit corporation from conducting scientific research or a public health program or from developing vaccinations, medications, or treatments related to COVID-19 that are otherwise authorized by law;

    • A covered organization from complying with a federal or state law, a court order, subpoena, or another legal process that requires the covered organization or a service provider to disclose personal health data; or

    • A covered organization from maintaining, retaining, or storing other information in compliance with federal or state law.

  • Prohibits a covered organization that collected, used, or disclosed personal health data before the effective date of this 2021 Act from storing, retaining, or making use of that personal health data later than 65 days after the effective date of this 2021 Act, and requires it to destroy the personal health data or render it inaccessible not later than the same date (Sec. 4-2).
