Roadrunner Capitol Reports
Legislation Detail
HB 430 HEALTH DATA PRIVACY ACT
Sponsored By: Rep Debra Marie Sarinana

Actions: [7] HHHC/HJC-HHHC [9] DP-HJC

Scheduled: Not Scheduled

Summary:
 House Bill 430 (HB430) relates to privacy by enacting the Health Data Privacy Act, providing definitions, providing duties for regulated entities, and providing for enforcement and penalties.  
Legislation Overview:
 House Bill 430 (HB430) enacts the "Health Data Privacy Act". Regulated entities as defined in the Act are subject to regulations imposed in the Act. Such regulations include: 
A.  A regulated entity shall: (1)  publicly provide, in a clear, concise and easily understood manner, the regulated entity's privacy information and shall provide the privacy information separate and distinct from the provision of the regulated entity's terms of service, policies and community standards; (2)  publicly provide prominent, accessible and responsive tools to help an individual exercise the individual's privacy rights and report privacy concerns; and (3)  establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of regulated health information as appropriate to the volume and nature of the regulated health information at issue. 
B.  All communications between a regulated entity and individuals whose regulated health information is in the possession or control of the regulated entity shall be reasonably accessible to individuals with disabilities.  
A regulated entity shall ensure accessibility: (1)  for notices by using digital accessibility tools and complying with generally recognized industry standards, including current standards set by the world wide web consortium or other similar standards-setting bodies as determined appropriate by the attorney general; and (2)  for communications other than notices by providing information about how an individual with a disability may access the communication in an alternative format.
"regulated entity" means an entity, not including a licensed health care provider, that: (1)  controls the processing of regulated health information of an individual who is a New Mexico resident; (2)  controls the processing of regulated health information of an individual who is physically present in New Mexico while that individual is in New Mexico; or (3)  is located in New Mexico and controls the processing of regulated health information.  A regulated entity may also be a service provider depending upon the context in which the regulated entity processes or controls the processing of regulated health information.
Also, "service provider" means a person or an entity that processes regulated health information on behalf of a regulated entity.  A service provider may also be a regulated entity depending upon the context in which the service provider processes regulated health information.
The Act prohibits certain practices. In part, a regulated entity shall not: (1)  process the regulated health information of an individual, except: (a)  with consent from the individual for the processing for a specified purpose; (b)  as is strictly necessary for the regulated entity to provide the product, service or feature requested and only for the limited time that the collection of the information is strictly necessary to provide the product, service or feature; and (c)  as is strictly necessary to provide a communication, that is not an advertisement, by the regulated entity to an individual who reasonably anticipates the communication within the context of the relationship between the regulated entity and the individual. 
The Act also prohibits processing geolocation information unless it is required to provide the requested services, processing regulated health information for targeted advertisements, and obscuring information that might affect an individual's decision making. Rules for consent are also provided in the Act.
A consent shall include: (1)  the types of regulated health information authorized to be processed; (2)  the nature of the processing activity; (3)  the specific purposes for the processing; (4)  the names of service providers or third parties to which the regulated entity may disclose the individual's regulated health information and the purposes for the disclosure, including the circumstances under which the regulated entity could disclose regulated health information to law enforcement; (5)  any monetary or other valuable consideration the regulated entity could receive in connection with processing the individual's regulated health information, if applicable; (6)  an acknowledgment that not providing consent will not affect an individual's experience of using the regulated entity's products or services.
Other rules for consent also include: the expiration date for consent, a mechanism for revoking consent, any other material information required for consent, and a signature, which may be electronic, of the individual who is the subject of the regulated health information.
The Act provides individuals with a right of access to their information and a right to have it deleted. Regulated entities shall provide individuals the right to: (1)  access the individual's regulated health information that is processed by the regulated entity or by a service provider; (2)  access information pertaining to the collection and processing of the individual's regulated health information, including: (a)  from where or from whom the covered entity obtained the regulated health information; (b)  the types of third parties to which the regulated entity has disclosed or will disclose the regulated health information; (c)  the purposes of the processing; (d)  the specific types of regulated health information processed; and (e)  the names of third parties to which the regulated entity disclosed the regulated health information and a log showing when the disclosure happened.
A readable form must be provided for revocation of the regulated health information. Within thirty days of receiving an access request, the regulated entity shall make available a copy of all regulated health information about the individual that the regulated entity maintains or that service providers maintain on behalf of the regulated entity.  An individual's request to delete or cancel the individual's online account shall be treated as a request to delete the individual's regulated health information, and within thirty days of receiving a deletion request the regulated health information shall be deleted.
A service provider or third party that receives regulated health information from a regulated entity shall enter into a written data processing agreement with the regulated entity that provided the information, ensuring that the information will continue to be processed consistent with the provisions of the Health Data Privacy Act.
The Act restricts retaliation against individuals who exercise their rights, and no provision of any contract, agreement or terms of service shall waive, limit or otherwise undermine the rights conferred to individuals under the Health Data Privacy Act or any other applicable data protection laws.
Penalties are provided for violations of the Act and may be enforced by the Attorney General or District Attorneys. The penalties are civil in nature. A regulated entity that violates the Act is: (1)  subject to injunctive relief to cease or correct the violation; (2)  liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) per affected individual for each negligent violation; or (3)  liable for a civil penalty of not more than seven thousand five hundred dollars ($7,500) per affected individual for each intentional violation.
Also, an individual who claims to have suffered a deprivation of the rights secured under the Health Data Privacy Act may maintain an action to establish liability and recover damages and equitable or injunctive relief in any New Mexico district court.
Certain limitations under New Mexico and federal law are listed in the Act for the imposition of liability. A section on severability is included in the Act. 
The effective date of the Act is July 1, 2025. 