N.M. Health Privacy Bill Advances Amid Abortion Access Concerns
New Mexico lawmakers are weighing whether to join states like Washington and New York in passing health data privacy bills. The New Mexico House Health Committee voted 5-4, with Republicans voting no, to narrowly advance HB-430 at a livestreamed hearing Monday. Increased urgency in some states to protect reproductive health data privacy since President Donald Trump returned to the White House has driven interest in such legislation (see 2502210015).
Sign up for a free preview to unlock the rest of this article
“Yes, this is about protecting things like abortion [and] gender-affirming care,” said Rep. Marianna Anaya, one of the bill’s four Democratic sponsors. “It's also about protecting things like mental health data.”
While some information is covered by the Health Insurance Portability and Accountability Act (HIPAA), co-sponsor Debra Sariñana said that "there is still a vast ocean of health data that is unprotected." For example, HIPAA "does not cover apps, websites or data brokers,” she said. Anaya mentioned uncertainty about the fate of HIPAA privacy protections at the federal level.
Rep. Jenifer Jones (R) asked why the health data privacy bill is needed in New Mexico, where abortion remains legal. Anaya responded that abortion-restrictive states could try to track citizens that travel to New Mexico for procedures, adding that the Texas attorney general has posted $10,000 “bounties.” The Texas anti-abortion law allows allows residents to sue clinics, doctors and others for that amount. But Jones said the sponsor’s concern sounds like an issue for the judiciary, not the legislature.
Anaya’s claim about Texas bounties gained the attention of Rep. Alan Martinez (R). Such bounties, if accurate, sound “criminal,” he said. However, the Republican still opposed HB-430, calling it “the biggest government overreach bill I’ve seen.”
The New Mexico health privacy bill, which would take effect July 1, includes a private right of action and attorney general or district attorney enforcement. A fiscal analysis Friday noted similar health privacy laws in Washington state, Nevada and Connecticut, and a recently passed New York bill (see 2501280023).
“Given the limitations of HIPAA, there are many entities that collect health information that are not subject to its provisions, such as health app companies, wearable devices such as fitness trackers, and apps and devices that track heart patterns, menstrual cycles, respiratory conditions, sleep patterns, etc.,” said the analysis: HB-430 “seeks to address the gap at the state level.”
Industry groups opposed the bill during the hearing. HB-430 has an "overly broad scope and highly restrictive requirements,” said Renzo Soto, TechNet southeast executive director. The bill "currently captures any data point that has even a theoretical relationship with someone's health,” which could lead to a "ban of a wide range of goods and services in New Mexico,” he said.
Soto suggested that New Mexico instead pursue a comprehensive data privacy bill that aligns with laws in about 20 other states. Andrew Kingman, counsel for the State Privacy and Security Coalition, said the bill is also missing key definitions for consent and target advertising. Kingman added that the various industries his group represents oppose including a private right of action.
However, the bill received support from the American Civil Liberties Union and advocates, including for the LGBTQ+ community, indigenous people and victims of sexual assault.
HB-430 would generally stop regulated entities from processing an individual’s health information unless they get opt-in consent for a specified purpose. An entity may process health information if it’s “strictly necessary for the regulated entity to provide the product, service or feature requested,” but only for a limited time. It may also process the data if it’s “strictly necessary to provide a communication” that’s not an ad “to an individual that reasonably anticipates the communication within the context of the relationship between the regulated entity and the individual.”
Also, an entity may not “process any precise geolocation information of an individual that could reasonably indicate the individual's attempt to acquire or receive health services or supplies unless it is strictly necessary to provide the product, service or feature requested,” the bill says. “Consensual geolocation information sharing among users shall not constitute consent to additional processing of geolocation information by the regulated entity unless the additional processing is specifically authorized.”
In addition, regulated entities may not process health information for targeted or first-party advertising, or for data brokering without consent, the bill says. And they may not “obtain consent to process regulated health information using any mechanism that has the purpose or substantial effect of obscuring, subverting or impairing an individual's decision-making abilities regarding providing consent to authorize processing of the individual's regulated health information.”
HB-430 adds, “The request for consent to process an individual's regulated health information shall be obtained prior to and separately from the processing and shall clearly and conspicuously disclose” categories of health information to be collected or shared and the purposes for processing it, with whom it will be shared, and how individuals can withdraw consent.