Upholding Protections for Health and Online Location Data Privacy Act of 2023 or the UPHOLD Privacy Act of 2023
This bill restricts the collection, retention, use, and disclosure of personal health data by certain commercial entities (as well as individuals, nonprofits, and common carriers). The bill does not apply to health providers, insurance plans, or related business associates that are subject to the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Specifically, commercial entities may not collect, retain, use, or disclose personal health data except (1) with the express written consent of the individual to whom such information relates, or (2) as is strictly necessary to provide a requested product or service. Such entities must (1) provide a reasonable means for individuals to access and delete their health data, and (2) maintain and publish a privacy policy disclosing their practices for handling personal health data.
Additionally, the bill prohibits commercial entities from using personal health data for commercial advertising.
The bill also prohibits the sale of location data to or by data brokers, including data volunteered by an individual, data derived from a medical center, data from a wearable fitness tracker, and data from web browsing history.
The bill provides for enforcement by the Federal Trade Commission and by private civil actions.