2SHB 1127
As Passed Legislature
Title: An act relating to protecting the privacy and security of COVID-19 health data collected by entities other than public health agencies, health care providers, and health care facilities.
Brief Description: Protecting the privacy and security of COVID-19 health data collected by entities other than public health agencies, health care providers, and health care facilities.
Sponsors: House Committee on Appropriations (originally sponsored by Representatives Slatter, Boehnke, Valdez, Kloba, Graham, Macri and Pollet).
Brief History:
Committee Activity:
Health Care & Wellness: 1/28/21, 2/10/21 [DPS];
Appropriations: 2/19/21, 2/22/21 [DP2S(w/o sub HCW)].
Floor Activity:
Passed House: 3/1/21, 76-21.
Senate Amended.
Passed Senate: 4/10/21, 28-20.
House Concurred.
Passed House: 4/14/21, 83-13.
Passed Legislature.
Brief Summary of Second Substitute Bill
  • Restricts a covered organization's ability to collect, use, or disclose Coronavirus Disease 2019 (COVID-19) health data.
  • Specifies prohibited purposes for collecting, using, or disclosing COVID-19 health data.
  • Exempts COVID-19 health data from disclosure under the Public Records Act.
Majority Report: The substitute bill be substituted therefor and the substitute bill do pass.  Signed by 13 members: Representatives Cody, Chair; Bateman, Vice Chair; Caldier, Assistant Ranking Minority Member; Bronoske, Davis, Harris, Macri, Riccelli, Rude, Simmons, Stonier, Tharinger and Ybarra.
Minority Report: Without recommendation.  Signed by 2 members: Representatives Schmick, Ranking Minority Member; Maycumber.
Staff: Kim Weidenaar (786-7120).
Majority Report: The second substitute bill be substituted therefor and the second substitute bill do pass and do not pass the substitute bill by Committee on Health Care & Wellness.  Signed by 31 members: Representatives Ormsby, Chair; Bergquist, Vice Chair; Gregerson, Vice Chair; Macri, Vice Chair; Stokesbary, Ranking Minority Member; Chambers, Assistant Ranking Minority Member; MacEwen, Assistant Ranking Minority Member; Boehnke, Caldier, Chopp, Cody, Dolan, Dye, Fitzgibbon, Frame, Hansen, Harris, Hoff, Jacobsen, Johnson, J., Lekanoff, Pollet, Rude, Ryu, Schmick, Senn, Springer, Steele, Stonier, Sullivan and Tharinger.
Minority Report: Without recommendation.  Signed by 2 members: Representatives Corry, Assistant Ranking Minority Member; Chandler.
Staff: Linda Merelle (786-7092).

Traditional Contact Tracing.
Case investigation and contact tracing are traditional public health strategies used to reduce the spread of communicable diseases, such as Coronavirus Disease 2019 (COVID-19), a novel acute respiratory syndrome coronavirus.  Case investigation is the identification and investigation of individuals with confirmed and probable diagnoses of a disease, which involves working with the individual who has been diagnosed with the disease to identify other people who may have been infected through exposure to the individual.  Contact tracing is the subsequent identification, monitoring, and support of those contacts who have been exposed to, and possibly infected with, the virus.  In Washington, local health departments, with the support of the Department of Health (DOH), are responsible for performing case investigations and contact tracing. 
Use of Digital Technologies in Public Health Response.
A range of digital data sources have been used to enhance and interpret epidemiological data gathered by public health authorities for COVID-19.  Digital tools have been developed to track symptoms and individual locations and to notify individuals of exposure.  During the COVID-19 pandemic, digital exposure notification applications and other digital health tools have been developed for use in several countries and states.


In December 2020 the DOH launched an exposure notification technology known as WA Notify.  Google and Apple jointly developed this smartphone technology, which anonymously notifies a user who has been in close contact with another user who tests positive for COVID-19.  The technology does not know or track the identity of an individual or where they go; instead, it uses message keys, which are exchanged as random anonymous codes with no identification or global positioning system (GPS) location data.

Consumer Protection Act.
The Consumer Protection Act (CPA) prohibits unfair methods of competition or unfair or deceptive practices in the conduct of any trade or commerce.  The Attorney General is authorized to investigate and prosecute claims under the CPA on behalf of the state or individuals in the state.  A person injured by a violation of the CPA may bring a civil action for injunctive relief, recovery of actual damages, and reasonable attorneys' fees.  The courts may increase awarded damages up to three times the actual damages sustained.
Uniform Health Care Information Act.
The state Uniform Health Care Information Act (UHCIA) governs the disclosure of health care information by health care providers and their agents or employees.  The UHCIA provides that a health care provider may not disclose health care information about a patient unless there is a statutory exception or written authorization by the patient.
Disclosure of Public Records.
The Public Records Act (PRA) requires state and local agencies to make all public records available for public inspection and copying, unless a record falls within an exemption in the PRA or another statute that exempts or prohibits disclosure of specific information or records.  To the extent required to prevent an unreasonable invasion of personal privacy interests, an agency must delete identifying details when it makes a public record available.   A person's right to privacy is violated only if disclosure would be highly offensive to a reasonable person and is not of legitimate concern to the public.

Summary of Second Substitute Bill:

Limitations on Collection, Use, and Disclosure.
A covered organization must only collect, use, or disclose Coronavirus Disease 2019 (COVID-19) health data that is necessary, proportionate, and limited for a good-faith COVID-19 public health purpose.  A covered organization must limit the collection, use, or disclosure of COVID-19 health data to the minimum level of identifiability.  A covered organization may only disclose COVID-19 health data to a government agency if the disclosure is to a public health agency and for a good-faith COVID-19 public health purpose, unless the information disclosed is protected under a state or federal privacy law that restricts redisclosure.   A covered organization may not collect, use, or disclose an individual's COVID-19 health data unless the individual has given affirmative express consent.  The COVID-19 health data may be collected, used, or disclosed to notify an employee or consumer of a potential exposure to COVID-19 while on a covered organization's premises or through an interaction with an employee or person acting on behalf of a covered organization without affirmative express consent.
Within 30 days of collecting COVID-19 health data, a covered organization must destroy the data or render it unlinkable in such a manner that it is impossible or demonstrably impracticable to identify any individual from the COVID-19 health data, unless required to retain data longer than 30 days by state or federal law.  If data is retained longer than 30 days, it must be maintained in a confidential and secure manner and may not be redisclosed except as required by state or federal law.
A covered organization must also take reasonable measures to ensure the accuracy of COVID-19 health data and provide an easily accessible mechanism for an individual to correct the data within 30 days of receiving a request.
A covered organization may not collect, use, or disclose COVID-19 health data for any unauthorized purpose, including:

  • commercial advertising or recommendation for electronic commerce;
  • soliciting, selling, leasing, advertising, licensing, marketing, or otherwise commercially contracting for employment, finance, credit, insurance, housing, or education opportunities in a way that discriminates or makes opportunities unavailable on the basis of COVID-19 health data;
  • segregating, discriminating, or otherwise making unavailable goods, services, facilities, privileges, or accommodations of any place of accommodation, except as authorized by a local, state, or federal government for a COVID-19 public health purpose; and
  • disclosing COVID-19 health data to any law enforcement or federal immigration authority or using COVID-19 health data for any law enforcement or immigration purpose.


Other than the Department of Social and Health Services and the Medicaid Fraud Division of the Attorney General's Office, general authority and limited authority Washington law enforcement agencies and federal immigration authorities may not collect, use, or disclose COVID-19 health data for the purpose of enforcing criminal or civil law.


A covered organization or service provider must establish and implement reasonable data security policies, practices, and procedures to protect the security and confidentiality of COVID-19 health data.  A covered organization may not disclose identifiable COVID-19 health data to a service provider or a third party unless the service provider or third party is contractually bound to the same data privacy and security obligations as the covered organization.
Privacy Policy.
A covered organization must provide an individual a privacy policy that describes:

  • the covered organization's data retention and security policies and practices;
  • how and for what purposes the covered organization collects, uses, and discloses COVID-19 health data;
  • recipients of COVID-19 health data and the purpose of the disclosure for each recipient; and
  • how an individual may exercise their rights under the act.

The privacy policy must be disclosed to the individual before collecting COVID-19 health data and in a clear and conspicuous manner that is in the language in which the individual typically interacts with the covered organization.
Affirmative consent must be as easy to withdraw as it is to give.  After an individual revokes consent, the covered organization must:

  • stop collecting, using, or disclosing the individual's COVID-19 health data no later than seven days after receiving the revocation of consent;
  • destroy or render unlinkable the individual's COVID-19 health data; and
  • notify the individual if and for what purposes the covered organization collected, used, or disclosed the individual's COVID-19 health data before honoring the individual's revocation of consent.

A covered organization that collects, uses, or discloses COVID-19 health data of at least 30,000 individuals over 60 days must issue a public report at least once every 90 days.  The report must be provided to the Department of Health (DOH), which must publish the report on the DOH's website.  The report must:

  • list the number of individuals whose COVID-19 health data was collected, used, or disclosed;
  • describe the categories of COVID-19 data collected, used, and disclosed and the purpose for each category;
  • describe the categories of recipients of the data and specific recipients; and
  • not include any information that is linked or reasonably linked to a specific individual or device.


"Covered organization" means any natural or legal person, or any legal, commercial, or governmental entity that:

  • collects, uses, or discloses COVID-19 health data of Washington residents electronically or through communication by wire or radio for a COVID-19 public health purpose; or
  • develops or operates a website, web application, mobile application, mobile operating system feature, or smart device application for the purpose of tracking, screening, monitoring, contact tracing, mitigating, or otherwise responding to COVID-19 or the related public health response.


A "covered organization" does not include:  a health care provider or facility; a public health agency; the Department of Labor and Industries (L&I) and an employer that is self-insured under Title 51 RCW, if the L&I or employer is collecting confidential claims files and records; the L&I for purposes of administering the Washington Industrial Safety and Health Act; the Long-Term Care Ombuds program; a "covered entity" or "business associate," for purposes of the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996, or a person or entity acting in a similar capacity under the state's Uniform Health Care Information Act; a service provider; a person acting in their individual or household capacity; or a person or entity that provides to a public health agency a mobile application or mobile operating system feature that transmits deidentified proximity data solely for the purpose of digitally notifying an individual who may have become exposed to COVID-19.
"COVID-19 health data" means data that is collected, used, or disclosed in connection with COVID-19 or the related public health response and that is linked to an individual or device and includes:

  • information that reveals the past, present, or future physical or behavioral health or condition of, or provision of health care to, an individual;
  • data derived from the testing or examination of a body or bodily substance, or a request for such testing;
  • information as to whether or not an individual has contracted or been tested for, or an estimate of the likelihood that a particular individual may contract, a disease or disorder;
  • genetic data, biological samples, and biometric data;
  • geolocation data and proximity data; and
  • demographic data and contact information for identifiable individuals or a history of the individual's contacts over a period of time.

"COVID-19 health data" does not include:

  • identifiable personal data collected and used for the purposes of human subjects research conducted in accordance with:  the federal policy for the protection of human subjects; the good clinical practice guidelines issued by the International Council for Harmonization; or the federal regulations on the protection of human subjects;
  • data that is deidentified in accordance with federal HIPAA deidentification requirements and that is derived from protected health information data; or
  • information used only for public health activities and purposes as defined by federal HIPAA rules.

"COVID-19 public health purpose" means a purpose that seeks to support or evaluate public health activities related to COVID-19 including:  preventing, detecting, and responding to COVID-19; creating emergency response plans; identifying population health trends; health surveillance; health assessments; implementing educational programs; program evaluation; developing and implementing policies; and determining needs for access to services and administering services.
A new chapter is created in Title 70 RCW.  A violation of the chapter is considered an unfair or deceptive act in trade or commerce and an unfair method of competition for purposes of the Consumer Protection Act, for which the Attorney General has sole enforcement authority.  The COVID-19 health data is exempt from public disclosure.
The act does not limit or prohibit:  a public health agency from administering contact tracing programs or activities; public health or scientific research conducted for a COVID-19 public health purpose; research, development, manufacture, or distribution of a drug, biological product, or vaccine associated with COVID-19; a good faith response to a valid subpoena, court order, or other legal process; or the Medicaid Fraud Division of the Attorney General's Office from collecting, using, or disclosing COVID-19 health data for the enforcement of criminal and civil law. 
The act expires on December 31, 2022.

Appropriation: None.
Fiscal Note: Available.
Effective Date: The bill contains an emergency clause and takes effect immediately.
Staff Summary of Public Testimony (Health Care & Wellness):

(In support) This bill is about saving lives by building trust so that we can use all tools to combat this virus.  This bill is not intended to be a precedent-setting privacy bill.  Throughout the process, many different groups have been consulted as this bill was written.  The COVID-19 virus thrives on social connection and digital tools can help us recognize when we have been exposed so that we can isolate ourselves and stop the spread. 
The protections included in the WA Notify application have been built into this bill as other digital tools may not include these protections.  One of the biggest barriers to people using these digital tools is a lack of trust in government and big tech and without this trust the tools will not be used.  If this bill can offer reassurance to one person that their data is protected and will not be used for other purposes, then this bill has the power to save lives.  This is a time when we need to be extra vigilant.  This bill tries to strike a balance between encouraging the use of all tools while also protecting civil liberties.  This bill is narrowly targeted and ends in 2022.  There have been some amendment requests for those that are already covered by a privacy law.
We are all in this together to try to stop this virus and save lives.  Bringing in parties of all sides when it comes to privacy regulation is very important and the sponsor has done that on this bill.  This bill will build trust and ensure that individuals' information will not continue to be tracked.  An individual can limit what information they want to share, but it also allows information to be tracked and shared with those that can quickly respond to the outbreak.
This is a common-sense privacy bill that gives consumers confidence that their data will be kept private.  However, the Long-Term Care Ombuds program requests a small amendment.  Long-term care has significant COVID-19 health data because it has been hit particularly hard by COVID-19.  The Long-Term Care Ombuds program is not a state agency, but is already governed by stricter state and federal privacy laws and so requests that it be exempted from the provisions of this bill.


(Opposed) None.


(Other) The sponsor reached out to the business community early on this bill, which is appreciated.  This bill attempts to strike a balance between innovative tools and public safety.  However, it creates a unique problem for employers.  If an employee is exposed to COVID-19, the employer will want to notify the employee of the exposure.  However, requiring affirmative consent is burdensome, and if consent is not given the employer likely cannot remove the person from the workplace, which creates an unsafe workplace.  This also creates a problem when dealing with customers.  Oregon has a similar contact tracing bill that recognizes the idea that employers are in a different situation with consent and that it makes sense to provide workplaces an exemption so that employees and consumers may be notified of any exposure.  Accordingly, the business community would like an exemption for employer and customer safety.
This bill also excludes public health authorities who are the primary holders of this data.

Staff Summary of Public Testimony (Appropriations):

(In support) This is not a data privacy bill, but it provides another tool in the tool box to help with exposure and contact tracing.  Similar legislation has been enacted in other states.


(Opposed) None.

Persons Testifying (Health Care & Wellness): (In support) Representative Slatter, prime sponsor; Representative Boehnke; and Melanie Smith, Washington State Long-Term Care Ombuds Program.
(Other) Robert Battles, Association of Washington Business; and Andrew Kingman, State Privacy and Security Coalition.
Persons Testifying (Appropriations): Representative Boehnke.
Persons Signed In To Testify But Not Testifying (Health Care & Wellness): None.
Persons Signed In To Testify But Not Testifying (Appropriations): None.