IN THE SENATE OF THE UNITED STATES
May 14, 2020
Mr. Blumenthal (for himself and Mr. Warner) introduced the following bill; which was read twice and referred to the Committee on Health, Education, Labor, and Pensions
To protect the privacy of health information during a national health emergency.
This Act may be cited as the Public Health Emergency Privacy Act.
In this Act:
Affirmative express consent
The term affirmative express consent means an affirmative act by an individual that—
clearly and conspicuously communicates the individual’s authorization of an act or practice;
is made in the absence of any mechanism in the user interface that has the purpose or substantial effect of obscuring, subverting, or impairing decision making or choice to obtain consent; and
cannot be inferred from inaction.
The term collect, with respect to emergency health data, means obtaining in any manner by a covered organization.
The term Commission means the Federal Trade Commission.
The term covered organization means any person (including a government entity)—
that collects, uses, or discloses emergency health data electronically or through communication by wire or radio; or
that develops or operates a website, web application, mobile application, mobile operating system feature, or smart device application for the purpose of tracking, screening, monitoring, contact tracing, or mitigation, or otherwise responding to the COVID–19 public health emergency.
The term covered organization does not include—
a health care provider;
a person engaged in a de minimis collection or processing of emergency health data;
a service provider;
a person acting in their individual or household capacity; or
a public health authority.
The term demographic data means information relating to the actual or perceived race, color, ethnicity, national origin, religion, sex, gender, gender identity, sexual orientation, age, Tribal affiliation, disability, domicile, employment status, familial status, immigration status, or veteran status of an individual or group of individuals.
The term device means any electronic equipment that is primarily designed for or marketed to consumers.
The term disclosure, with respect to emergency health data, means the releasing, transferring, selling, providing access to, licensing, or divulging in any manner by a covered organization to a third party.
Emergency health data
The term emergency health data means data linked or reasonably linkable to an individual or device, including data inferred or derived about the individual or device from other collected data provided such data is still linked or reasonably linkable to the individual or device, that concerns the public COVID–19 health emergency. Such data includes—
information that reveals the past, present, or future physical or behavioral health or condition of, or provision of healthcare to, an individual, including—
data derived from the testing or examination of a body part or bodily substance, or a request for such testing;
whether or not an individual has contracted or been tested for, or an estimate of the likelihood that a particular individual may contract, such disease or disorder; and
genetic data, biological samples, and biometrics; and
other data collected in conjunction with other emergency health data or for the purpose of tracking, screening, monitoring, contact tracing, or mitigation, or otherwise responding to the COVID–19 public health emergency, including—
geolocation data, when such term means data capable of determining the past or present precise physical location of an individual at a specific point in time, taking account of population densities, including cell-site location information, triangulation data derived from nearby wireless or radio frequency networks, and global positioning system data;
proximity data, when such term means information that identifies or estimates the past or present physical proximity of one individual or device to another, including information derived from Bluetooth, audio signatures, nearby wireless networks, and near-field communications;
contact information for identifiable individuals or a history of the individual’s contacts over a period of time, such as an address book or call log; and
any other data collected from a personal device.
The term government entity includes a Federal agency, a State, a local government, and other organizations, as such terms are defined in section 3371 of title 5, United States Code.
Health care provider
The term health care provider has the meaning given the term eligible health care provider in title VIII of division B of the CARES Act (Public Law 116–136).
The term HIPAA regulations means parts 160 and 164 of title 45, Code of Federal Regulations.
Public health authority
The term public health authority means an entity that is authorized by law to collect or receive information for the purpose of preventing or controlling disease, injury, or disability including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions, and a person, such as a designated agency or associate, acting under a grant of authority from, or under a contract with, such public entity, including the employees or agents of such entity or its contractors or persons or entities to whom it has granted authority.
COVID–19 Public health emergency
The term COVID–19 public health emergency means the outbreak and public health response pertaining to Coronavirus Disease 2019 (COVID–19), associated with the emergency declared by the Secretary on January 31, 2020, under section 319 of the Public Health Service Act (42 U.S.C. 247d), and any renewals thereof and any subsequent declarations by the Secretary related to the coronavirus.
The term Secretary means the Secretary of Health and Human Services.
The term service provider means a person that collects, uses, or discloses emergency health data for the sole purpose of, and only to the extent that such entity is, conducting business activities on behalf of, for the benefit of, under instruction of, and under contractual agreement with a covered organization.
Limitation of application
Such person shall only be considered a service provider in the course of activities described in subparagraph (A).
The term service provider excludes a person that develops or operates a website, web application, mobile application, or smart device application for the purpose of tracking, screening, monitoring, contact tracing, or mitigation, or otherwise responding to the COVID–19 public health emergency.
The term State means each State of the United States, the District of Columbia, each commonwealth, territory, or possession of the United States, and each federally recognized Indian Tribe.
The term third party means, with respect to a covered organization—
another person to whom such covered organization disclosed emergency health data; and
a corporate affiliate or a related party of the covered organization that does not have a direct relationship with an individual with whom the emergency health data is linked or is reasonably linkable.
The term third party excludes, with respect to a covered organization—
a service provider of such covered organization; or
a public health authority.
The term use, with respect to emergency health data, means the processing, employment, application, utilization, examination, or analysis of such data by a covered organization that maintains such data.
Protecting the privacy and security of emergency health data
Right to privacy
A covered organization that collects emergency health data shall—
only collect, use, or disclose such data that is necessary, proportionate, and limited for a good faith public health purpose, including a service or feature to support such a purpose;
take reasonable measures, where possible, to ensure the accuracy of emergency health data and provide an effective mechanism for an individual to correct inaccurate information;
adopt reasonable safeguards to prevent unlawful discrimination on the basis of emergency health data; and
only disclose such data to a government entity when the disclosure—
is to a public health authority; and
is made solely for good faith public health purposes and in direct response to exigent circumstances.
Right to security
A covered organization or service provider that collects, uses, or discloses emergency health data shall establish and implement reasonable data security policies, practices, and procedures to protect the security and confidentiality of emergency health data.
A covered organization shall not collect, use, or disclose emergency health data for any purpose not authorized under this section, including—
commercial advertising, recommendation for e-commerce, or the training of machine-learning algorithms related to, or subsequently for use in, commercial advertising and e-commerce;
soliciting, offering, selling, leasing, licensing, renting, advertising, marketing, or otherwise commercially contracting for employment, finance, credit, insurance, housing, or education opportunities in a manner that discriminates or otherwise makes opportunities unavailable on the basis of emergency health data; and
segregating, discriminating in, or otherwise making unavailable the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation (as such term is defined in section 301 of the Americans With Disabilities Act of 1990 (42 U.S.C. 12181)), except as authorized by a State or Federal Government entity for a public health purpose notwithstanding subsection (g).
It shall be unlawful for a covered organization to collect, use, or disclose emergency health data, unless—
the individual to whom the data pertains has given affirmative express consent to such collection, use, or disclosure;
such collection, use, or disclosure is necessary and for the sole purpose of—
protecting against malicious, deceptive, fraudulent, or illegal activity; or
detecting, responding to, or preventing information security incidents or threats; or
the covered organization is compelled to do so by a legal obligation.
A covered organization shall provide an effective mechanism for an individual to revoke consent after it is given.
After an individual revokes consent, the covered organization shall cease collecting, using, or disclosing the individual’s emergency health data as soon as practicable, but in no case later than 15 days after the receipt of the individual’s revocation of consent.
Not later than 30 days after the receipt of an individual’s revocation of consent, a covered organization shall destroy or render not linkable that individual’s emergency health data under the same procedures in subsection (f).
is disclosed in a clear and conspicuous manner, in the language in which the individual typically interacts with the covered organization, prior to or at the point of the collection of emergency health data;
describes how and for what purposes the covered organization collects, uses, and discloses emergency health data, including the categories of recipients to whom it discloses data and the purpose of disclosure for each category;
describes the covered organization’s data retention and data security policies and practices for emergency health data; and
describes how an individual may exercise the rights under this Act and how to contact the Commission to file a complaint.
A covered organization that collects, uses, or discloses emergency health data of at least 100,000 individuals shall, at least once every 90 days, issue a public report—
stating in aggregate terms the number of individuals whose emergency health data the covered organization collected, used, or disclosed to the extent practicable; and
describing the categories of emergency health data collected, used, or disclosed, the purposes for which each such category of emergency health data was collected, used, or disclosed, and the categories of third parties to whom it was disclosed.
Rules of construction
Nothing in this subsection shall be construed to require a covered organization to—
take an action that would convert data that is not emergency health data into emergency health data;
collect or maintain emergency health data that the covered organization would otherwise not maintain; or
maintain emergency health data longer than the covered organization would otherwise maintain such data.
Required data destruction
A covered organization may not use or maintain emergency health data of an individual after the later of—
the date that is 60 days after the termination of the public health emergency declared by the Secretary on January 31, 2020, pertaining to Coronavirus Disease 2019 (COVID–19) under section 319 of the Public Health Service Act (42 U.S.C. 247d) and any renewals thereof;
the date that is 60 days after the termination of a public health emergency declared by a governor or chief executive of a State pertaining to Coronavirus Disease 2019 (COVID–19) in which the individual resides; or
60 days after collection.
For the requirements under paragraph (1), data shall be destroyed or rendered not linkable in such a manner that it is impossible or demonstrably impracticable to identify any individual from the data.
Relation to certain requirements
The provisions of this subsection shall not supersede any requirements or authorizations under—
the Privacy Act of 1974 (Public Law 93–579);
the HIPAA regulations; or
Federal or State medical records retention and health privacy laws or regulations, or other applicable Federal or State laws.
Emergency data collected, used, or disclosed before enactment
Initiating a rulemaking
Not later than 7 days after the date of enactment of this Act, the Commission shall initiate a public rulemaking to promulgate regulations to ensure a covered organization that has collected, used, or disclosed emergency health data before the date of enactment of this Act is in compliance with this Act, to the degree practicable.
Completing a rulemaking
The Commission shall complete the rulemaking within 45 days after the date of enactment of this Act.
Non-Application to manual contact tracing and case investigation
Nothing in this Act shall be construed to limit or prohibit a public health authority from administering programs or activities to identify individuals who have contracted, or may have been exposed to, COVID–19 through interviews, outreach, case investigation, and other recognized investigatory measures by a public health authority or their designated agent intended to monitor and mitigate the transmission of a disease or disorder.
Research and development
This section shall not be construed to prohibit—
public health or scientific research associated with the COVID–19 public health emergency by—
a public health authority;
a nonprofit organization, as described in section 501(c)(3) of the Internal Revenue Code of 1986; or
an institution of higher education, as such term is defined in section 101 of the Higher Education Act of 1965 (20 U.S.C. 1001); or
research, development, manufacture, or distribution of a drug, biological product, or vaccine that relates to a disease or disorder that is associated or potentially associated with a public health emergency.
Notwithstanding subsection (a)(5), nothing in this Act shall be construed to prohibit a good faith response to, or compliance with, otherwise valid subpoenas, court orders, or other legal processes, or to prohibit storage or providing information as otherwise required by law.
Application to HIPAA covered entities
This Act does not apply to a covered entity or a person acting as a business associate under the HIPAA regulations (to the extent that such entities or associates are acting in such capacity) or any health care provider.
Guidance for consistency
Not later than 30 days after the date of enactment of this Act, the Secretary shall promulgate guidance on the applicability of requirements, similar to those in this section, to covered entities and persons acting as business associates under the HIPAA regulations. In promulgating such guidance, the Secretary shall reduce duplication of requirements and may exclude a requirement of this section if such requirement is already a requirement of the HIPAA regulations.
Protecting the right to vote
A government entity may not, and a covered organization may not knowingly facilitate, on the basis of an individual’s emergency health data, medical condition, or participation or non-participation in a program to collect emergency health data—
deny, restrict, or interfere with the right to vote in a Federal, State, or local election;
attempt to deny, restrict, or interfere with the right to vote in a Federal, State, or local election; or
retaliate against an individual for voting in a Federal, State, or local election.
In the case of any violation of subsection (a), an individual may bring a civil action to obtain appropriate relief against a government entity in a Federal district court.
Reports on civil rights impacts
The Secretary, in consultation with the United States Commission on Civil Rights and the Commission, shall prepare and submit to Congress reports that examine the civil rights impact of the collection, use, and disclosure of health information in response to the COVID–19 public health emergency.
Scope of report
Each report required under subsection (a) shall, at a minimum—
evaluate the impact of such practices on civil rights and protections for individuals based on race, color, ethnicity, national origin, religion, sex, gender, gender identity, sexual orientation, age, Tribal affiliation, disability, domicile, employment status, familial status, immigration status, or veteran status;
analyze the impact, risks, costs, legal considerations, disparate impacts, and other implications to civil rights of policies to incentivize or require the adoption of digital tools or apps used for contact tracing, exposure notification, or health monitoring; and
include recommendations on preventing and addressing undue or disparate impact, segregation, discrimination, or infringements of civil rights in the collection and use of health information, including during a national health emergency.
The Secretary shall submit an initial report under subsection (a) not sooner than 9 months, and not later than 12 months after the date of enactment of this Act.
The Secretary shall submit reports annually after the initial report required under paragraph (1) until 1 year after the termination of any public health emergency pertaining to Coronavirus Disease 2019 (COVID–19) under section 319 of the Public Health Service Act (42 U.S.C. 247d).
Federal Trade Commission
Unfair or deceptive acts or practices
A violation of this Act or a regulation promulgated under this Act shall be treated as a violation of a rule defining an unfair or deceptive act or practice under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
Powers of Commission
The Commission shall enforce this Act and the regulations promulgated under this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any person who violates this Act or a regulation promulgated under this Act shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act. Provided, however, that, notwithstanding the requirements of section 16(a) of the Federal Trade Commission Act (15 U.S.C. 56(a)), the Commission shall have the exclusive authority to commence or defend, and supervise the litigation of, any action for a violation of this Act or a regulation promulgated under this Act and any appeal of such action in its own name by any of its attorneys designated by it for such purpose, without first referring the matter to the Attorney General.
The Commission shall have authority under section 553 of title 5, United States Code, to promulgate any regulations necessary to implement this Act.
In promulgating any regulations under this Act, the Commission shall consult with the Secretary.
Common carriers and nonprofit organizations
Notwithstanding section 4, 5(a)(2), or 6 of the Federal Trade Commission Act (15 U.S.C. 44; 45(a)(2); 46) or any jurisdictional limitation of the Commission, the Commission shall also enforce this Act, in the same manner provided in paragraphs (1) and (2) of this paragraph, with respect to—
common carriers subject to the Acts to regulate commerce, air carriers, and foreign air carriers subject to part A of subtitle VII of title 49, and persons, partnerships, or corporations insofar as they are subject to the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et seq.), except as provided in section 406(b) of such Act (7 U.S.C. 227(b)); and
organizations not organized to carry on business for their own profit or that of their members.
Enforcement by States
In any case in which the attorney general of a State has reason to believe that an interest of the residents of the State has been or is threatened or adversely affected by the engagement of any person subject to this Act in a practice that violates such subsection, the attorney general of the State may, as parens patriae, bring a civil action on behalf of the residents of the State in an appropriate district court of the United States to obtain appropriate relief.
Rights of the Federal Trade Commission
Notice to Federal Trade Commission
Except as provided in clause (iii), the attorney general of a State shall notify the Commission in writing that the attorney general intends to bring a civil action under paragraph (1) before initiating the civil action against a person subject to this Act.
The notification required by clause (i) with respect to a civil action shall include a copy of the complaint to be filed to initiate the civil action.
If it is not feasible for the attorney general of a State to provide the notification required by clause (i) before initiating a civil action under paragraph (1), the attorney general shall notify the Commission immediately upon instituting the civil action.
Intervention by the Federal Trade Commission
The Commission may—
intervene in any civil action brought by the attorney general of a State under paragraph (1); and
be heard on all matters arising in the civil action; and
file petitions for appeal of a decision in the civil action.
Nothing in this subsection may be construed to prevent the attorney general of a State from exercising the powers conferred on the attorney general by the laws of the State to conduct investigations, to administer oaths or affirmations, or to compel the attendance of witnesses or the production of documentary or other evidence.
Action by the Federal Trade Commission
If the Commission institutes a civil action with respect to a violation of this Act, the attorney general of a State may not, during the pendency of such action, bring a civil action under paragraph (1) of this subsection against any defendant named in the complaint of the Commission for the violation with respect to which the Commission instituted such action.
Venue; service of process
Any action brought under paragraph (1) may be brought in—
the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code; or
another court of competent jurisdiction.
Service of process
In an action brought under paragraph (1), process may be served in any district in which the defendant—
is an inhabitant; or
may be found.
Actions by other State officials
In addition to civil actions brought by attorneys general under paragraph (1), any other officer of a State who is authorized by the State to do so may bring a civil action under paragraph (1), subject to the same requirements and limitations that apply under this subsection to civil actions brought by attorneys general.
Nothing in this subsection may be construed to prohibit an authorized official of a State from initiating or continuing any proceeding in a court of the State for a violation of any civil or criminal law of the State.
Private right of action
Enforcement by individuals
Any individual alleging a violation of this Act may bring a civil action in any court of competent jurisdiction, State or Federal.
In a civil action brought under paragraph (1) in which the plaintiff prevails, the court may award—
an amount not less than $100 and not greater than $1,000 per violation against any person who negligently violates a provision of this Act;
an amount not less than $500 and not greater than $5,000 per violation against any person who recklessly, willfully, or intentionally violates a provision of this Act;
reasonable attorney’s fees and litigation costs; and
any other relief, including equitable or declaratory relief, that the court determines appropriate.
Injury in fact
A violation of this Act with respect to the emergency health data of an individual constitutes a concrete and particularized injury in fact to that individual.
Invalidity of pre-dispute arbitration agreements and pre-dispute joint action waivers
Notwithstanding any other provision of law, no pre-dispute arbitration agreement or pre-dispute joint action waiver shall be valid or enforceable with respect to a dispute arising under this Act.
Any determination as to whether or how this subsection applies to any dispute shall be made by a court, rather than an arbitrator, without regard to whether such agreement purports to delegate such determination to an arbitrator.
In this subsection:
The term pre-dispute arbitration agreement means any agreement to arbitrate a dispute that has not arisen at the time of making the agreement.
The term pre-dispute joint-action waiver means an agreement, whether or not part of a pre-dispute arbitration agreement, that would prohibit, or waive the right of, one of the parties to the agreement to participate in a joint, class, or collective action in a judicial, arbitral, administration, or other forum, concerning a dispute that has not yet arisen at the time of making the agreement.
The term dispute means any claim related to an alleged violation of this Act and between an individual and a covered organization.
Nothing in this Act shall preempt or supersede, or be interpreted to preempt or supersede, any Federal or State law or regulation, or limit the authority of the Commission or the Secretary under any other provision of law.
This Act shall apply beginning on the date that is 30 days after the date of enactment of this Act.
Authority To promulgate regulations and take certain other actions
Nothing in subsection (a) affects—
the authority of any person to take an action expressly required by a provision of this Act before the effective date described in such subsection; or
the authority of the Commission to promulgate regulations to implement this Act or begin a rulemaking to promulgate such regulations.