District Of Columbia 2023-2024 Regular Session

District Of Columbia Council Bill B25-0930 Compare Versions

GOVERNMENT OF THE DISTRICT OF COLUMBIA
OFFICE OF THE ATTORNEY GENERAL

ATTORNEY GENERAL
BRIAN L. SCHWALB
400 Sixth Street, N.W., Washington, DC 20001, (202) 727-3400, Fax (202) 730-0484

July 12, 2024

The Honorable Phil Mendelson
Chairman, Council of the District of Columbia
John A. Wilson Building
1350 Pennsylvania Avenue, N.W.
Washington, D.C. 20004

Dear Chairman Mendelson:

I write to transmit the “Consumer Health Information Privacy Protection (CHIPPA) Act of 2024,” for consideration and enactment by the Council of the District of Columbia.

Personal health data that is uploaded to online platforms like company websites, search engines, apps, and even social media is being collected, shared, and sold to third parties without the consumer’s consent or knowledge. While most people believe that the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) protects all personal health data from being shared without consent or knowledge, it only applies to data collected by a “covered entity,” such as health insurers, hospitals, and healthcare providers. It does not extend to personal health information shared by non-covered entities. For example, health devices, apps, Apple Watch, and patient support groups fall outside of HIPAA regulation.

This legislation will ensure regulated entities that obtain, collect, share, and sell consumer personal health data are responsible, transparent, and held accountable to the consumer. CHIPPA will do the following:

1. Require regulated entities to establish and make publicly available a consumer health data privacy policy governing the collection, use, sharing, and sale of consumer health data.
2. Require that regulated entities obtain the consumer’s informed consent before collecting and sharing their personal health data.
3. Establish a consumer’s right to access and choose whether and how their personal health data is used by a regulated entity.
4. Establish additional protections and consumer authorizations for the sale of personal health data.
5. Require regulated entities to only collect health data that is necessary for the purposes disclosed to the consumers and to only use, share, and retain the consumer health data for that purpose.
6. Prohibit the establishment of geofences around places where health services are delivered under specified circumstances.
7. Make violations unfair and deceptive trade practices.

I ask that the Council enact this legislation to ensure that everyone, regardless of whether they are a patient seeking health care services, a consumer signing up for a fitness app, or purchasing an item online, knows why, how, and to whom their personal health data is being used, shared, and sold. If you have any questions, please contact me or Deputy Attorney General for Policy and Legislative Affairs Candyce Phoenix at (202) 788-2066 or Candyce.Phoenix@dc.gov.

Sincerely,

Brian L. Schwalb
Attorney General for the District of Columbia

Chairman Phil Mendelson
at the request of the Attorney General

A BILL

IN THE COUNCIL OF THE DISTRICT OF COLUMBIA

To require regulated entities that collect consumer health data to have a consumer health data privacy policy containing specific information about its collection, use and sharing of consumer health data and post it on the home page of their website, to prohibit regulated entities from contracting with processors, affiliates, or third parties to process consumer health data in a manner inconsistent with the policy, to require regulated entities to obtain consumer consent before collecting consumer health data after providing the consumer with requests for consent containing specified information, to limit a regulated entity’s collection and sharing of consumer health data to the purposes contained in the consumer’s consent, to establish a consumer’s right to obtain information about consumer health information collected and shared, to withdraw consent for collection and sharing, and to obtain deletion of information collected and shared, to require a valid consumer authorization before consumer health data may be sold, to prohibit the establishment of geofences around places where health services are delivered under specified circumstances, to make violations of this act unfair and deceptive trade practices, and to exclude certain types of data collection and data sharing from the operation of the act.

BE IT ENACTED BY THE COUNCIL OF THE DISTRICT OF COLUMBIA, That this act may be cited as the “Consumer Health Information Privacy Protection (CHIPPA) Act of 2024”.

Sec. 2. Definitions

For the purposes of this act, the term:

(1) “Abortion” means the termination of a pregnancy for purposes other than producing a live birth.
(2) “Affiliate” means a legal entity that shares common branding with another legal entity and controls, is controlled by, or is under common control with another legal entity. For purposes of this definition, “control” or “controlled” means:
(A) Ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company;
(B) Control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or
(C) The power to exercise controlling influence over the management of a company.
(3) “Authenticate” means to use reasonable means to determine that a request to exercise any of the rights afforded in this act is being made by, or on behalf of, the consumer who is entitled to exercise such consumer rights with respect to the consumer health data at issue.
(4) “Biometric data” means data that is generated from the measurement or technological processing of an individual’s physiological, biological, or behavioral characteristics and that identifies a consumer, whether individually or in combination with other data. Biometric data includes:
(A) Imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template can be extracted; and
(B) Keystroke patterns or rhythms and gait patterns or rhythms that contain identifying information.
(5) “Clear and conspicuous” means a disclosure that is easily noticeable and easily understandable by the consumer and does not contain any statements that are inconsistent with, or in mitigation of, any other statements or disclosures provided by the regulated entity. “Clear and conspicuous” requires the information to be reasonably accessible to consumers with disabilities, taking into account industry standards for online disclosures.
(6) “Collect” means to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner.
(7) “Consent” means a clear affirmative act that signifies a consumer’s freely given, specific, informed, opt-in, voluntary, and unambiguous agreement, following a clear and conspicuous disclosure to the individual, which shall consist of written consent or consent provided by electronic means. For the purposes of this act “consent” shall not include:
(A) A consumer’s acceptance of a general or broad terms-of-use agreement or a similar document that contains descriptions of personal data processing along with other unrelated information;
(B) A consumer’s hovering over, muting, pausing, or closing a given piece of electronic content; or
(C) A consumer’s agreement obtained through the use of deceptive designs.
(8) “Consumer” means a natural person acting in an individual or household capacity, however identified, including by any unique identifier, who is a District of Columbia (“District”) resident or whose consumer health data is collected in the District. “Consumer” does not include an individual acting in the course of their employment.
(9) “Consumer health data” means personal information that is linked or can reasonably be linked to a consumer and that identifies the consumer’s past, present, or future physical or mental health status. “Consumer health data” does not include personal information that is used to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that determines that the regulated entity or the small business has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.
(10) “Deceptive design” means a user interface designed or manipulated with the effect of subverting or impairing user autonomy, decision making, or choice. Any practice that the Federal Trade Commission refers to as a “dark pattern” is presumed a deceptive design.
(11) “Deidentified data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer, or a device linked to such a consumer. “Deidentified data” includes consumer health data in the possession of a regulated entity where the regulated entity:
(A) Takes reasonable measures to ensure that such data cannot be associated with a consumer;
(B) Publicly commits to maintain and process the data in a deidentified fashion and to not attempt to reidentify the data, except that the regulated entity may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this paragraph; and
(C) Contractually obligates any recipients of such data to maintain the data in a deidentified fashion.
(12) “Gender-affirming care information” means personal information relating to seeking or obtaining past, present, or future gender-affirming care services. “Gender-affirming care information” includes:
(A) Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive gender-affirming care services;
(B) Efforts to research or obtain gender-affirming care services; or
(C) Any information related to seeking or obtaining past, present, or future gender-affirming care services that is derived, extrapolated, or inferred, including from non-health information, such as proxy, derivative, inferred, emergent, or algorithmic data.
(13) “Gender-affirming care services” means health services or products that support and affirm an individual’s gender identity, including social, psychological, behavioral, cosmetic, medical, or surgical interventions. “Gender-affirming care services” includes treatments for gender dysphoria, gender-affirming hormone therapy, and gender-affirming surgical procedures.
(14) “Genetic data” or “genetic information” means any data, regardless of its format, that concerns a consumer’s genetic characteristics. “Genetic data” or “genetic information” includes:
(A) Raw sequence data that result from the sequencing of a consumer’s complete extracted deoxyribonucleic acid (“DNA”) or a portion of the extracted DNA;
(B) Genotypic and phenotypic information that results from analyzing the raw sequence data; and
(C) Self-reported health data that a consumer submits to a regulated entity and that is analyzed in connection with the consumer’s raw sequence data.
(15) “Geofence” means technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data, or any other form of spatial or location detection to establish a virtual boundary around a specific physical location, or to locate a consumer within a virtual boundary. For purposes of this definition, “geofence” means a virtual boundary that is 2,000 feet or less from the perimeter of the physical location.
(16) “Health care services” means any service provided to a person to assess, measure, improve, or learn about a person’s mental or physical health, including:
(A) Individual health conditions, status, diseases, or diagnoses;
(B) Social, psychological, behavioral, and medical interventions;
(C) Health-related surgeries or procedures;
(D) Use or purchase of medication;
(E) Bodily functions, vital signs, symptoms, or measurements of the information described in this paragraph;
(F) Diagnoses or diagnostic testing, treatment, or medication;
(G) Reproductive health care services; or
(H) Gender-affirming care services.
(17) “Homepage” means the introductory page of an internet website and any internet webpage where personal information is collected. In the case of an online service, such as a mobile application, homepage means the application’s platform page or download page, and a link within the application, such as from the application configuration, “about,” “information,” or settings page.
(18) “Person” means an individual, firm, corporation, partnership, cooperative, association, or any other organization, legal entity, or group of individuals however organized, including agents thereof. The term “person” includes a regulated entity, third party, affiliate, or processor. The term “person or entity” shall not include the government of the United States, the District of Columbia government, or any of the agencies or instrumentalities of either government.
(19) “Personal information” means information that identifies or is reasonably capable of being associated or linked, directly or indirectly, to a particular consumer. “Personal information” includes data associated with a persistent unique identifier, such as a cookie ID, an IP address, a device identifier, an advertising ID, or any other form of persistent unique identifier. “Personal information” does not include publicly available information or deidentified data.
(20) “Physical or mental health status” includes:
(A) Individual health conditions, treatment, diseases, or diagnoses;
(B) Social, psychological, behavioral, and medical interventions;
(C) Health-related surgeries or procedures;
(D) Use or purchase of prescribed medications;
(E) Bodily functions, vital signs, symptoms, or measurements of the information described in this paragraph;
(F) Diagnoses or diagnostic testing, treatment, or medication;
(G) Gender-affirming care information;
(H) Reproductive or sexual health information;
(I) Biometric data;
(J) Genetic data;
(K) Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies;
(L) Data that identifies a consumer seeking health care services; or
(M) Any information that a regulated entity, or their processor, processes to associate or identify a consumer with the data described in this paragraph that is derived or extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).
(21) “Precise location information” means information derived from technology and that is used or intended to be used to locate a consumer within a radius of 1,750 feet.
(22) “Process” or “processing” means any operation or set of operations performed on consumer health data.
(23) “Processor” means a person that processes consumer health data on behalf of a regulated entity.
(24) “Publicly available information” means information about a consumer that a regulated entity has reasonable cause to believe the consumer has lawfully made available to the general public through federal, state, or municipal government records or widely distributed media. “Publicly available information” does not include any biometric data collected about a consumer by a business without the consumer’s consent.
(25) “Regulated entity” means any legal entity, including its agents, that conducts business in the District or produces or provides products or services that are targeted to consumers in the District and that, alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling consumer health data. “Regulated entity” does not include government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of a government agency.
(26) “Reproductive or sexual health information” means personal information relating to seeking or obtaining past, present, or future reproductive or sexual health services. “Reproductive or sexual health information” includes:
(A) Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive reproductive or sexual health services;
(B) Efforts to research or obtain reproductive or sexual health services; or
(C) Any reproductive or sexual health information that is derived, extrapolated, or inferred, including from non-health information (such as proxy, derivative, inferred, emergent, or algorithmic data).
(27) “Reproductive or sexual health services” means health services or products that support or relate to a consumer’s reproductive system or sexual well-being, including:
(A) Individual health conditions, status, diseases, or diagnoses;
(B) Social, psychological, behavioral, and medical interventions;
(C) Health-related surgeries or procedures, including abortions;
(D) Use or purchase of medication, including medications for the purposes of abortion;
(E) Bodily functions, vital signs, symptoms, or measurements of the information described in this paragraph;
(F) Diagnoses or diagnostic testing, treatment, or medication; and
(G) Medical or nonmedical services related to and provided in conjunction with an abortion, including associated diagnostics, counseling, supplies, and follow-up services.
(28) “Sell” or “sale” means the exchange of consumer health data for monetary or other valuable consideration. “Sell” or “sale” does not include the exchange of consumer health data for monetary or other valuable consideration to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the regulated entity’s assets and that complies with the requirements and obligations of a regulated entity in this act.
(29) “Share” or “sharing” means to release, disclose, disseminate, divulge, make available, provide access to, license, or otherwise communicate orally, in writing, or by electronic or other means, consumer health data to a third party or affiliate. The term “share” or “sharing” does not include:
(A) The disclosure of consumer health data by a regulated entity to a processor when such sharing is to provide goods or services in a manner consistent with the purpose for which the consumer health data was collected and is disclosed pursuant to a binding contract between the regulated entity and the processor;
(B) The disclosure of consumer health data to a third party with whom the consumer has a direct relationship when:
(i) The consumer has requested the disclosure for the purpose of obtaining a product or service from the third party;
(ii) The regulated entity maintains control and ownership of the data; and
(iii) The third party uses the consumer health data only at the direction of the regulated entity and in a manner consistent with the purpose for which the consumer provided the data and consented to its release; or
(C) The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the regulated entity’s assets and complies with the requirements and obligations of a regulated entity in this act.
(30) “Third party” means an entity other than a consumer, regulated entity, processor, or affiliate of the regulated entity. “Third party” includes a person who purchases consumer health data.

Sec. 3. (a) A regulated entity shall maintain a consumer health data privacy policy that clearly and conspicuously discloses:
(1) The categories of consumer health data collected;
(2) The purposes for which the consumer health data is collected, including how the data will be used;
(3) The categories of sources from which the consumer health data is collected;
(4) The categories of consumer health data that are shared;
(5) A list of the categories of third parties and the specific affiliates with whom the regulated entity shares the consumer health data, whether actively or passively, and the purposes for such sharing;
(6) The length of time the regulated entity intends to retain each category of consumer health data, or if that is not possible, the criteria used to determine that period; provided that a regulated entity shall not retain a consumer’s consumer health data for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose; and
(7) How a consumer can exercise the rights provided in section 5 of this act.
(b) A regulated entity shall prominently publish a link to its consumer health data privacy policy on its homepage.
(c) It is a violation of this act for a regulated entity to contract with a processor, affiliate, or third party to process consumer health data in a manner or for a purpose that is inconsistent with the regulated entity’s consumer health data privacy policy.

Sec. 4. (a) A regulated entity shall not collect any consumer health data unless it first obtains consent from the consumer for such collection for a specified purpose. The request for consent shall clearly and conspicuously disclose:
(1) The categories of consumer health data collected;
(2) The purpose of the collection of the consumer health data, including the specific ways in which it will be used;
(3) The length of time the regulated entity intends to retain each category of consumer health data, or if that is not possible, the criteria used to determine that period; provided that a regulated entity shall not retain a consumer’s consumer health data for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose; and
(4) How the consumer can withdraw consent from future collection of the consumer’s health data.
(b) A regulated entity shall not share any consumer health data unless it first obtains consent from the consumer for such sharing for a specified purpose. This consent for sharing shall be separate and distinct from the consent obtained to collect consumer health data. The request for consent shall clearly and conspicuously disclose:
(1) The categories of consumer health data shared;
(2) The purpose of the sharing of the consumer health data, including the specific ways in which it will be used;
(3) The categories of entities with whom the consumer health data is shared; and
(4) How the consumer can withdraw consent from future sharing of the consumer’s health data.
(d) A regulated entity shall not collect, use, or share additional categories of consumer health data not disclosed in the consumer health data privacy policy without first disclosing the additional categories and obtaining the consumer’s consent prior to the collection, use, or sharing of such consumer health data.
(e) A regulated entity shall not collect, use, or share consumer health data for additional purposes not disclosed in the consumer health data privacy policy without first disclosing the additional purposes and obtaining the consumer’s consent prior to the collection, use, or sharing of such consumer health data.
(f) A regulated entity’s collection, use, retention, disclosure, and sharing of a consumer’s consumer health data shall be reasonably necessary and proportionate to achieve the purposes for which the consumer health data was collected or processed, or for another disclosed purpose that is compatible with the context in which the consumer health data was collected, and not further processed in a manner that is incompatible with those purposes.
(g) A regulated entity that shares or otherwise discloses consumer health data with an affiliate, processor, or third party shall enter into a binding contract with the affiliate, processor, or third party that specifies how the processor, affiliate, or third party may receive, use, manage, and store the consumer health data it receives from the regulated entity and contractually obligates the affiliate, processor, or third party to comply with the requirements and obligations in this act.
(h) It is a violation of this act for a regulated entity to contract with a processor to process consumer health data in a manner or for a purpose that is inconsistent with the consent a consumer has given for the collection, use, or sharing of data.
(i) A regulated entity shall not unlawfully discriminate against a consumer for exercising any rights included in this act.

550550 315 Sec. 5. (a) A consumer has the right to confirm whether a regulated entity is collecting,
551551
552552 316 sharing, or selling consumer health data concerning the consumer. The regulated entity shall
553553
554554 317 provide the consumer with access to such data as expeditiously as possible and without
555555
556556 318 unreasonable delay. This information shall include a list of all third parties and affiliates with
557557
558558 319 whom the regulated entity has shared or sold the consumer health data, and an active email
559559
560560 320 address or other online mechanism that the consumer may use to contact these third parties.
561561 321 (b) A consumer has the right to withdraw consent from the regulated entity's collection
562562 322 and sharing of consumer health data related to the consumer.
563563 323 (c) A consumer has the right to have consumer health data related to the consumer
564564
565565 324 deleted from the database of the regulated entity and any other entity to which the regulated
566566
567567 325 entity has shared or sold the consumer health data. The consumer may exercise this right by
568568
569569 326 requesting the deletion pursuant to subsection (g) of this section.
570570 327 (d) A regulated entity that receives a consumer's request to delete any consumer health
571571 328 data concerning the consumer shall:
572572 329 (1) Delete the consumer health data from its records, including all parts of the
573573 330 regulated entity's network, including archived or backup systems; and
574574 331 (2) Notify all affiliates, processors, and third parties with whom the regulated
575575 332 entity has shared or sold consumer health data of the deletion request. 15
(e) Each affiliate, processor, and third party that receives notice of a consumer's deletion request shall honor the consumer's deletion request and delete the consumer health data from its records according to the same requirements applicable to a regulated entity.

(f) If consumer health data that a consumer requests to be deleted is stored on archived or backup systems, the request for deletion may be delayed for up to 6 months from the authentication of the deletion request to enable restoration of the archived or backup systems.

(g) A consumer may exercise the rights set forth in this section by submitting a request, at any time, to a regulated entity. Such a request may be made by a secure and reliable means established by the regulated entity and clearly and conspicuously described in its consumer health data privacy policy. The method shall take into account the ways in which consumers normally interact with the regulated entity, the need for secure and reliable communication of such requests, and the ability of the regulated entity to authenticate the identity of the consumer making the request. A regulated entity shall not require a consumer to create a new account to exercise consumer rights under this section but may require a consumer to use an existing account.

(h) If a regulated entity is unable to authenticate the request using commercially reasonable efforts, the regulated entity is not required to comply with a deletion request under this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request.

(i) The regulated entity shall provide information in response to a consumer request at least twice during any 12-month period upon request of the consumer and without charge to the consumer. If requests from a consumer are manifestly unfounded, excessive, or repetitive, the regulated entity may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The regulated entity shall bear the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.

(j) A regulated entity shall comply with a deletion request without undue delay, and in all cases within 45 days of receipt of the request. A regulated entity shall promptly take steps to authenticate a consumer request, but these steps shall not extend the regulated entity's duty to comply with the consumer's request within 45 days of receipt. The regulated entity may extend the response period once for 45 additional days when reasonably necessary, taking into account the complexity and number of the consumer's requests, if the regulated entity informs the consumer of any such extension within the initial 45-day response period, together with the reason for the extension.

(k) A regulated entity shall establish a process for a consumer to appeal the regulated entity's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision. The availability of the appeal process shall be clearly and conspicuously included in the regulated entity’s consumer health data privacy policy. Within 45 days of receipt of an appeal, a regulated entity shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the regulated entity shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the attorney general to submit a complaint.

(l) If a regulated entity dissolves or terminates its operations, the regulated entity shall delete all consumer health data from its records, including any archived or back-up systems, and provide each consumer whose data has been shared with or sold to a processor, affiliate, or third party with a notice of how the consumer can contact the processors, affiliates, or third parties to request deletion of their information.

Sec. 6. A regulated entity shall:

(a) Restrict access to consumer health data by the employees, affiliates, processors, and third parties of such regulated entity to only those employees, affiliates, processors, and third parties for which access is necessary to further the purposes for which the consumer provided consent or where necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity; and

(b) Establish, implement, and maintain administrative, technical, and physical data security practices that, at a minimum, satisfy a reasonable standard of care within the regulated entity's industry to protect the confidentiality, integrity, and accessibility of consumer health data appropriate to the volume and nature of the consumer health data at issue.

Sec. 7. (a) A processor, affiliate, or third party may receive, use, or process consumer health data only pursuant to a binding contract with the regulated entity that specifies how the processor, affiliate, or third party may receive, use, manage, and store the consumer health data it receives from the regulated entity.

(b) A processor, affiliate, or third party shall not further share or sell consumer health data it has received from a regulated entity with any other person or entity.

(c) A processor, affiliate, or third party shall assist the regulated entity by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the regulated entity's obligations under this act.

(d) If a processor, affiliate, or third party fails to adhere to the regulated entity's contractual requirements or receives, uses, manages, or stores consumer health data in a manner that is outside the scope of the contract with the regulated entity, the processor, affiliate, or third party shall be considered a regulated entity with regard to such data and shall be subject to all the requirements of this act.

Sec. 8. (a) It is unlawful for any person to sell or offer to sell consumer health data related to a consumer without first obtaining valid authorization from the consumer. This authorization shall be separate and distinct from the consent obtained to collect or share consumer health data required under section 4 of this act.

(b) A valid authorization to sell consumer health data shall be a written or electronic document consistent with this section. It shall be in plain language and contain the following:

(1) The specific consumer health data concerning the consumer that the person intends to sell;

(2) The name and contact information of the person selling the consumer health data;

(3) The name and contact information of the regulated entity that originally collected the consumer health data;

(4) The name and contact information of the person purchasing the consumer health data from the seller identified in paragraph (2) of this subsection;

(5) A description of the purpose for the sale, including how the consumer health data will be gathered and how it will be used by the purchaser identified in paragraph (4) of this subsection when sold;

(6) A statement that the provision of goods or services may not be conditioned on the consumer signing the valid authorization;

(7) A statement that the consumer has a right to revoke the valid authorization at any time and a description of how to submit a revocation;

(8) An expiration date for the valid authorization that is no later than one year after the date the consumer signs the valid authorization; and

(9) The signature or e-signature of the consumer and date.

(c) An authorization shall be invalid if it contains any of the following defects:

(1) The expiration date has passed;

(2) The authorization does not contain all the information required under this section;

(3) The consumer has revoked the authorization;

(4) The authorization has been combined with other documents to create a compound authorization; or

(5) The provision of goods or services is conditioned on the consumer signing the authorization.

(d) The seller shall obtain the valid authorization from the consumer and provide copies to the consumer and the purchaser.

(e) The seller and purchaser of consumer health data shall retain a copy of all valid authorizations for sale of consumer health data for 6 years from the date of the consumer’s signature or the date when it was last in effect, whichever is later.

(f) A person may sell consumer health data only pursuant to a binding contract between the person selling the consumer health data and the person purchasing the consumer health data that identifies the purpose and use of the consumer health data and contractually obligates the person purchasing the consumer health data to comply with the applicable requirements and obligations in this act.

(g) The person who purchases consumer health data shall only use, retain, and share a consumer’s health data in a manner compatible with the purpose and use identified in a valid authorization from a consumer.

Sec. 9. It is unlawful for any person to implement a geofence around an entity that provides in-person health care services where the geofence is used to:

(a) Identify or track consumers seeking health care services;

(b) Collect consumer health data; or

(c) Send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.

Sec. 10. A violation of this act is an unfair and deceptive trade practice pursuant to D.C. Official Code § 28-3904.

Sec. 11. (a) This chapter does not apply to:

(1) Information that meets the definition of:

(A) Health information protected under the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), approved August 21, 1996 (Pub. L. 104-191; 110 Stat. 1936), and related regulations;

(B) Patient identifying information collected, used, or disclosed in accordance with 42 C.F.R. Part 2 and section 131 of the ADAMHA Reorganization Act, approved July 10, 1992 (106 Stat. 368; 42 U.S.C. § 290dd-2);

(C) The following research-related information:

(i) Identifiable private information under the federal policy for the protection of human subjects pursuant to 45 C.F.R. Part 46;

(ii) Identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonization;

(iii) Information made private for the protection of human subjects under 21 C.F.R. Parts 50 and 56; or

(iv) Personal data used or shared in research conducted in accordance with one or more of the requirements in this paragraph;

(D) Information or documents created for purposes of the federal Health Care Quality Improvement Act of 1986, approved November 14, 1986 (100 Stat. 3784; 42 U.S.C. § 11101), and related regulations;

(E) Patient safety work product under 42 C.F.R. Part 3 and section 2 of the Patient Safety and Quality Improvement Act of 2005, approved July 29, 2005 (119 Stat. 424; 42 U.S.C. §§ 299b-21 - 299b-26);

(F) Information that is deidentified in accordance with 45 C.F.R. Part 164, and derived from any of the health care-related information listed in subsection (a)(1) of this section;

(2) Information originating from, and intermingled to be indistinguishable with, information under paragraph (1) of this subsection that is maintained by:

(A) A covered entity or business associate as defined by HIPAA and related regulations;

(B) A program or a qualified service organization under 42 C.F.R. Part 2 and section 131 of the ADAMHA Reorganization Act, approved July 10, 1992 (106 Stat. 368; 42 U.S.C. § 290dd-2); and

(3) Information used only for public health activities and purposes as described in 45 C.F.R. § 164.512 or that is part of a limited data set that is used, disclosed, and maintained in the manner required by 45 C.F.R. § 164.514;

(b) Personal information that is governed by and collected, used, or disclosed pursuant to the following regulations, parts, titles, or acts, is exempt from this chapter:

(1) The Gramm-Leach-Bliley Act, approved November 12, 1999 (113 Stat. 1338; 15 U.S.C. § 6801 et seq.) and implementing regulations;

(2) Part C of Title XI of the Social Security Act, approved August 21, 1996 (110 Stat. 1936; 42 U.S.C. § 1320d et seq.);

(3) The Fair Credit Reporting Act, approved May 29, 1968 (82 Stat. 146; 15 U.S.C. § 1681 et seq.);

(4) The Family Educational Rights and Privacy Act, approved August 21, 1974 (88 Stat. 57; 20 U.S.C. § 1232g) and 34 C.F.R. Part 99.

(c) The obligations imposed on regulated entities and processors under this act do not restrict a regulated entity's or processor's ability to collect, use, or disclose consumer health data to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any activity that is illegal under District or federal law; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action that is illegal under District or federal law.

(d) If a regulated entity or processor processes consumer health data pursuant to subsection (c) of this section, such entity bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements of this section.

Sec. 12. D.C. Official Code § 28-3904 is amended as follows:

(a) Subsection (kk) is amended by striking the word “or” at the end.

(b) Subsection (ll) is amended by striking the period at the end and inserting the phrase “; or” in its place.

(c) A new subsection (mm) is added to read as follows:

“(mm) violate any provision of the Consumer Health Information Privacy Protection Act of 2024.”.

Sec. 13. Fiscal impact statement.

The Council adopts the fiscal impact statement in the committee report as the fiscal impact statement required by section 4a of the General Legislative Procedures Act of 1975, approved October 16, 2006 (120 Stat. 2038; D.C. Official Code § 1-301.47a).

Sec. 14. Effective date.

This act shall take effect following approval by the Mayor (or in the event of a veto by the Mayor, action by the Council to override the veto), a 30-day period of congressional review as provided in section 602(c)(1) of the District of Columbia Home Rule Act, approved December 24, 1973 (87 Stat. 813; D.C. Official Code § 1-206.02(c)(1)), and publication in the District of Columbia Register.

1350 Pennsylvania Avenue, N.W., Suite 409, Washington, D.C. 20004 Phone: (202) 724-5524 Email: megan.browder@dc.gov

GOVERNMENT OF THE DISTRICT OF COLUMBIA
OFFICE OF THE ATTORNEY GENERAL

BRIAN L. SCHWALB
ATTORNEY GENERAL
Legal Counsel Division

MEMORANDUM

TO: Candyce Phoenix
Deputy Attorney General for Policy and Legislative Affairs

FROM: Megan D. Browder
Deputy Attorney General
Legal Counsel Division

DATE: July 11, 2024

SUBJECT: Legal Sufficiency Review of Draft Bill the “Consumer Health Information Privacy Protection Act (CHIPPA) of 2024” (AE-24-294)

This is to Certify that this Office has reviewed the above-referenced legislation and has found it to be legally sufficient. If you have any questions regarding this certification, please do not hesitate to contact me at (202) 724-5524.

Megan D. Browder

GOVERNMENT OF THE DISTRICT OF COLUMBIA
OFFICE OF THE ATTORNEY GENERAL

Brian L. Schwalb
Attorney General

PRIVILEGED AND CONFIDENTIAL
ATTORNEY-CLIENT COMMUNICATION

Legal Counsel Division

MEMORANDUM

TO: Candyce Phoenix
Deputy Attorney General for Policy and Legislative Affairs

FROM: Megan D. Browder
Deputy Attorney General
Legal Counsel Division

DATE: July 11, 2024

SUBJECT: Legal Sufficiency Review of Draft Bill the “Consumer Health Information Privacy Protection Act (CHIPPA) of 2024” (AE-24-294)

This memorandum responds to your request that the Legal Counsel Division conduct a legal sufficiency review of the “Consumer Health Information Privacy Protection Act (CHIPPA) of 2024” (“bill”).

The bill would establish privacy protections for consumer health data provided to entities that are not covered by the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), approved August 21, 1996 (Pub. L. 104-191; 110 Stat. 1936). Among other things, it would require regulated entities to establish and make available a consumer health data privacy policy governing the collection, use, sharing, and sale of consumer health data. It would also require these entities to obtain the consumer’s informed consent to the collection and sharing of consumer health data and require additional protections and consumer authorizations for the sale of protected data.

The Legal Counsel Division worked with OAG’s Office of Consumer Protection to develop and draft the bill, and the attached version is legally sufficient.[1] I have therefore provided a Certificate of Legal Sufficiency, which you should include in your legislative package when you submit it to the Council. Please also remember that you must obtain a fiscal impact statement from the Chief Financial Officer to accompany the legislation.

If you have any questions about this memorandum, please contact Laurie Ensworth, Senior Assistant Attorney General, Legal Counsel Division, at (202) 724-5537, or me at (202) 724-5524.

MDB/lae

[1] We have advised further clarity be added to the bill’s section 4(i), which prohibits a regulated entity from “unlawfully discriminat[ing] against a consumer for exercising any rights” included in the law. It is unclear what unlawful discrimination means in this context. We will continue to work with OCP to draft amending language.