(1)(a) Except as provided in subsection (2) of this section, beginning March 31, 2024, a regulated entity or a small business may not collect any consumer health data except:
(i) With consent from the consumer for such collection for a specified purpose; or
(ii) To the extent necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business.
(b) A regulated entity or a small business may not share any consumer health data except:
(i) With consent from the consumer for such sharing that is separate and distinct from the consent obtained to collect consumer health data; or
(ii) To the extent necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business.
(c) Consent required under this section must be obtained prior to the collection or sharing, as applicable, of any consumer health data, and the request for consent must clearly and conspicuously disclose: (i) The categories of consumer health data collected or shared; (ii) the purpose of the collection or sharing of the consumer health data, including the specific ways in which it will be used; (iii) the categories of entities with whom the consumer health data is shared; and (iv) how the consumer can withdraw consent from future collection or sharing of the consumer's health data.
(d) A regulated entity or a small business may not unlawfully discriminate against a consumer for exercising any rights included in this chapter.
(2) A small business must comply with this section beginning June 30, 2024.