SENATE BILL REPORT
2SHB 1127
As Passed Senate - Amended, April 10, 2021
Title: An act relating to protecting the privacy and security of COVID-19 health data collected by entities other than public health agencies, health care providers, and health care facilities.
Brief Description: Protecting the privacy and security of COVID-19 health data collected by entities other than public health agencies, health care providers, and health care facilities.
Sponsors: House Committee on Appropriations (originally sponsored by Representatives Slatter, Boehnke, Valdez, Kloba, Graham, Macri and Pollet).
Brief History: Passed House: 3/1/21, 76-21.
Committee Activity: Health & Long Term Care: 3/10/21 [w/oRec-ENET].
Environment, Energy & Technology: 3/17/21, 3/25/21 [DPA-WM, DNP, w/oRec].
Ways & Means: 3/31/21, 4/02/21 [DPA, DNP, w/oRec].
Floor Activity: Passed Senate - Amended: 4/10/21, 28-20.
Brief Summary of Amended Bill
  • Specifies privacy and security obligations for the collection, use, and disclosure of COVID-19 health data.
  • Restricts the collection, use, and disclosure of COVID-19 health data for specified purposes.
  • Establishes a reporting requirement for covered organizations that process a specified amount of COVID-19 health data.
SENATE COMMITTEE ON ENVIRONMENT, ENERGY & TECHNOLOGY
Majority Report: Do pass as amended and be referred to Committee on Ways & Means.
Signed by Senators Carlyle, Chair; Lovelett, Vice Chair; Das, Hobbs, Liias, Nguyen, Sheldon, Stanford and Wellman.
Minority Report: Do not pass.
Signed by Senators Ericksen, Ranking Member; Short.
Minority Report: That it be referred without recommendation.
Signed by Senator Brown.
Staff: Angela Kleis (786-7469)
SENATE COMMITTEE ON WAYS & MEANS
Majority Report: Do pass as amended.
Signed by Senators Rolfes, Chair; Frockt, Vice Chair, Capital; Robinson, Vice Chair, Operating & Revenue; Carlyle, Conway, Darneille, Dhingra, Hasegawa, Hunt, Keiser, Liias, Mullet, Pedersen, Van De Wege and Wellman.
Minority Report: Do not pass.
Signed by Senators Wilson, L., Ranking Member; Brown, Assistant Ranking Member, Operating; Honeyford, Assistant Ranking Member, Capital; Schoesler, Assistant Ranking Member, Capital; Wagoner.
Minority Report: That it be referred without recommendation.
Signed by Senators Braun, Gildon, Muzzall, Rivers and Warnick.
Staff: Maria Hovde (786-7474)
Background:

Contact Tracing.  Local health departments, with the support of the Department of Health (DOH) and its partners, perform case investigations and contact tracing to help slow and prevent the spread of infectious diseases like COVID-19.  These practices have been used for decades and entail an interviewer reaching out to persons who have tested positive for infectious disease, asking them pre-approved questions, entering information into secure systems, and connecting people with appropriate resources.  Information collected during these interviews is only used by public health agencies.
 
Washington Exposure Notification Technology.  In December 2020, DOH launched an exposure notification technology known as WA Notify.  This new tool works through smartphones, without sharing any personal information, to notify users if they may have been exposed to COVID-19.  Notifications have a link to information about what to do next to protect themselves and others.  Notifications do not contain any information about who tested positive or where the exposure may have happened.
 
Consumer Protection Act.  The Consumer Protection Act (CPA) prohibits unfair methods of competition or unfair or deceptive practices in the conduct of any trade or commerce.  The statutory maximum civil penalty for a violation of such provisions is $2,000 for each violation.  The attorney general (AG) and consumers can bring actions to enforce violations of the CPA.

Summary of Amended Bill:

Scope.  Covered organizations, service providers, and third parties that collect, use, or disclose COVID-19 health data for a good-faith COVID-19 health purpose must meet specified obligations and follow specified restrictions.

 

Certain Definitions Summarized.  Collect means acquiring COVID-19 health data in any manner by a covered organization, including passively or actively observing the behavior of an individual.
 

A covered organization means any person, including a government entity, that:

  • collects, uses, or discloses COVID-19 health data of state residents electronically for a COVID-19 public health purpose; or
  • develops or operates a website, application, or system feature for the purpose of contact tracing or responding to COVID-19 or the related public health response.

 

It does not include specified entities such as a health care provider, a health care facility, and a public health agency.

COVID-19 health data means data that is collected, used, or disclosed in connection with COVID-19 or the related public health response and is linked to an individual or device such as symptom data, biometric data, geolocation data, proximity data, or demographic data.  Exemptions are specified.

 

A service provider means a person that collects, uses, or discloses COVID-19 health data on behalf of a covered organization.

 

A third party is a person to whom the covered organization discloses COVID-19 health data, excluding certain entities such as a public health agency.

 

Use means processing, employment, application, utilization, examination, or analysis of COVID-19 health data by a covered organization.

 

Obligations.  When collecting, using, or disclosing COVID-19 health data for a good-faith COVID-19 health purpose, a covered organization must:

  • provide a privacy notice that meets specified requirements;
  • only collect, use, or disclose data necessary and proportionate for the specified purpose;
  • limit the collection, use, or disclosure of the data to the minimum level of identifiability and the amount of data necessary for the specified purpose;
  • ensure the accuracy of the data, provide a mechanism to correct inaccuracies, and comply with a request to correct within 30 days;
  • adopt safeguards to prevent unlawful discrimination on the basis of the data; and
  • only disclose data to a government entity when disclosure is to a public health agency and is solely for the specified purpose unless the disclosed information is protected under a state or federal privacy law that restricts redisclosure.

 

Security.  A covered organization or service provider must establish and implement procedures to protect the security and confidentiality of the COVID-19 health data.  A covered organization may not disclose identifiable COVID-19 health data to a third party unless the third party is contractually bound to meet the same data security obligations as the covered organization.

 
Data Retention.  Unless retention is required by state or federal law, COVID-19 health data must be destroyed or rendered unlinkable to an individual no later than 30 days after collection.  
 
Contracts.  A covered organization may not disclose identifiable COVID-19 health data to service providers or third parties unless the service provider or third party is contractually bound to meet the same privacy obligations as the covered organization.
 
Restrictions.  Consent.  A covered organization may not collect, use, or disclose COVID-19 health data unless an individual gives affirmative express consent to the collection, use, or disclosure.  This requirement does not apply for notifying an employee or consumer of potential exposure to COVID-19 while on a covered organization's premises, or through an interaction with an employee or person acting on behalf of the covered organization.
 
A covered organization must provide an effective mechanism for an individual to revoke consent.  After an individual revokes consent, a covered organization must comply within seven days, take prescribed steps to destroy the COVID-19 health data, and notify the individual under certain circumstances.

 

Additional Restrictions.  A covered organization may not collect, use, or disclose COVID-19 health data for any purpose not authorized in this act, including:

  • commercial advertising, including related training of machine-learning algorithms;
  • making specified opportunities, such as employment or education, unavailable on the basis of the data;
  • segregating, discriminating in, or otherwise making unavailable goods, services, facilities, privileges, advantages, or public accommodations except as authorized by a federal, state, or local government entity for a COVID-19 public health purpose; and
  • disclosing data to any law enforcement officer or federal immigration authority or using the data for any law enforcement or immigration purpose.

 

A general authority Washington law enforcement agency officer or limited authority Washington law enforcement agency, as defined in current law, or a federal immigration authority may not collect, use, or disclose COVID-19 health data for enforcing criminal or civil law.

 

Exemptions.  Several exemptions are provided for specified purposes such as current public health agency contact tracing practices, certain scientific and public health research, or complying with legal processes.  COVID-19 health data is exempt from public disclosure.


Report Requirement.  A covered organization that collects, uses, or discloses COVID-19 health data of at least 30,000 individuals over 60 calendar days must issue a public report, including specified information such as aggregate data, at least once every 90 days.  A copy of the report must be provided to DOH.  DOH must publish reports on its public website.
 
Enforcement.  The AG has sole enforcement authority under the CPA.  Nothing in this act prohibits the Medicaid Fraud Division of the Washington Attorney General's Office from collecting, using, or disclosing, as legally permitted, COVID-19 health data for the enforcement of criminal and/or civil law.
  
Expiration.  This act expires on December 31, 2022.

Appropriation: None.
Fiscal Note: Available.
Creates Committee/Commission/Task Force that includes Legislative members: No.
Effective Date: The bill contains an emergency clause and takes effect immediately.
Staff Summary of Public Testimony on Second Substitute House Bill (Environment, Energy & Technology): 

The committee recommended a different version of the bill than what was heard.  PRO:  Technology can assist efforts to stop the spread of infectious disease; however, it needs to preserve consumer privacy.  The biggest barrier to the use of these tools is the lack of trust in the government and big technology.  We need to instill trust in these tools to open up the economy.  This bill provides a careful balance between privacy and the use of data for contact tracing purposes.
 
OTHER:  In order to ensure the safety of corrections facilities, we think the bills need to include a narrow exemption for correction officers.  This is consistent with other federal laws.  We hope to bring agreed-upon language to the committee.

Persons Testifying (Environment, Energy & Technology): PRO: Representative Vandana Slatter, Prime Sponsor; Dean Andal, PricewaterhouseCoopers LLP.
OTHER: James McMahan, Washington Association of Sheriffs and Police Chiefs; Marc Stern MPH, U.
Persons Signed In To Testify But Not Testifying (Environment, Energy & Technology): No one.
Staff Summary of Public Testimony on Bill as Amended by Environment, Energy & Technology (Ways & Means):

The committee recommended a different version of the bill than what was heard.  None.

Persons Testifying (Ways & Means): No one.
Persons Signed In To Testify But Not Testifying (Ways & Means): No one.