Governance & Risk Management

Democrats Introduce COVID-19 Data Privacy Bill

Similar Measures Failed to Win Congressional Approval Last Year
Democrats Introduce COVID-19 Data Privacy Bill
Congressional Democrats have reintroduced a privacy bill to help consumers avoid being in the dark about how their COVID-19 data can be used.

Congressional Democrats have again introduced legislation designed to help safeguard the privacy of COVID-19 health data collected for public health purposes.

See Also: OnDemand | Practical Strategies for Accelerating AI Adoption in Cybersecurity

Similar proposals were introduced by Democratic lawmakers last year as part of a coronavirus relief package, but those provisions did not win Congressional approval.

The Democratic senators and representatives who introduced this year’s legislation say the Public Health Emergency Privacy Act sets “strong and enforceable privacy and data security rights for health information” as technology companies and public health agencies deploy “new tools to fight the spread of COVID-19, including contact tracing apps, digital monitoring, home tests and vaccine appointment bookings.”

The sponsors of the privacy legislation include senators Mark Warner, D-Va., and Richard Blumenthal, D-Conn. and representatives Anna Eshoo, D-Calif., Jan Schakowsky, D-Ill., and Suzan DelBene, D-Wash.

“After decades of data misuse, breaches and privacy intrusions, Americans are reluctant to trust tech firms to protect their sensitive health information,” the sponsors said in a statement.

The Bill’s Main Provisions

The Public Health Emergency Privacy Act proposes to:

  • Ensure that data collected for public health is strictly limited for use in public health;
  • Explicitly prohibit the use of health data for discriminatory, unrelated or intrusive purposes, including commercial advertising, e-commerce, or efforts to gate access to employment, finance, insurance, housing or education opportunities;
  • Prevent the potential misuse of health data by government agencies with no role in public health;
  • Require data security and data integrity protections – including data minimization – and mandate data deletion by tech firms after the public health emergency;
  • Protect voting rights by prohibiting conditioning the right to vote based on a medical condition or use of contact tracing apps;
  • Require regular reports on the impact of digital collection tools on civil rights;
  • Give the public control over their participation in these efforts by mandating transparency and requiring opt-in consent;
  • Provide for robust private and public enforcement at the federal level while recognizing the continuing role of states in legislation and enforcement.

Protecting Privacy

The proposed legislation would “prohibit privacy invasions by preventing misuse of pandemic-related data for unrelated purposes, like marketing, prohibiting the data from being used in discriminatory ways, and requiring data security and integrity measures,” Eshoo said in a statement. “The legislation will give the American people confidence to use technologies and systems that can aid our efforts to combat the pandemic.”

The bill would require that organizations and service providers that collect, use or disclose emergency health data “shall establish and implement reasonable data security policies, practices and procedures to protect the security and confidentiality of emergency health data.”

The legislation would not supersede any requirements or authorizations under the Privacy Act of 1974, HIPAA, or federal or state medical records retention and health privacy laws or regulations.

Restarting Discussions

The latest legislation is an effort to restart discussions on a COVID-19 privacy bill, says privacy attorney Kirk Nahra of the law firm WilmerHale. “This issue had some momentum last spring, but then died, somewhat unexpectedly,” he says.

The proposal raises some important issues, Nahra says.

“First, will any of the ideas in this bill carry over to the broader debate on national privacy legislation? This is very much an emergency-focused bill, but we may see some carryover,” he says.

“Second - and this is a long shot but a very intriguing possibility - it is possible that a broad agreement on this proposal could then incorporate some broader privacy legislation at this point, short-circuiting the otherwise slow legislative debate.”

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.