H. R. 778
IN THE HOUSE OF REPRESENTATIVES
February 3, 2021
Ms. Speier (for herself, Ms. DeGette, Mrs. Dingell, Mr. Carson, Mr. Jones, Mr. Lynch, Mr. Raskin, and Mr. Takano) introduced the following bill; which was referred to the Committee on Energy and Commerce
To authorize the Director of the Centers for Disease Control and Prevention to award grants to eligible State, Tribal, and territorial public health agencies to develop and administer a program for digital contact tracing for COVID–19, and for other purposes.
This Act may be cited as the Secure Data and Privacy for Contact Tracing Act of 2021.
Grant program for digital contact tracing for COVID–19
The Director of the Centers for Disease Control and Prevention shall award grants to eligible State, Tribal, and territorial public health agencies to—
establish a contact tracing program that implements traditional contact tracing protocols with the assistance of digital contact-tracing technology to track and prevent the spread of COVID–19;
incorporate digital contact-tracing technology into a contact tracing program that implements traditional contact tracing protocols to track and prevent the spread of COVID–19; and
expand or maintain an existing program as described in paragraph (1).
Use of funds
Funds received through a grant under this section may be used for—
the development, maintenance, or staffing of digital contact tracing programs;
associated outreach and marketing; or
other activities identified by the State, Tribal, or territorial public health agency receiving the grant as advancing the effectiveness and reach of digital contact-tracing technologies.
Education and outreach
Of the funds received by a State, Tribal, or territorial public health agency through a grant under this section, the agency may use not more than 10 percent of such funds to integrate education and outreach related to vaccines for COVID–19 into digital contact-tracing programs.
If a State, Tribal, or territorial public health agency develops or procures any digital contact-tracing technology with respect to COVID–19 that does not meet each of the requirements listed in subsection (d), such State, Tribal, or territorial public health agency shall be ineligible to receive or continue to receive—
any funds through a grant under this section; and
any other Federal funds, including under the CARES Act (Public Law 116–136), for any digital contact-tracing technology with respect to COVID–19.
Digital contact-tracing requirements
A State, Tribal, or territorial public health agency may use a grant under this section for digital contact-tracing technology, as described in subsections (a) and (b), only if the technology meets each of the following requirements:
The technology shall be voluntary for the user and provide to the user complete and clear information on the intended use and processing of data collected by the technology. To be voluntary for the user, the technology shall meet requirements including each of the following:
Use of the technology and of contact-tracing data collected using the technology shall be predicated on the user’s affirmative express consent.
Use of the technology shall not be a condition for the reception of government benefits.
Use of the technology shall not be made a condition of employment or employment status.
The technology shall limit the collection of data by the technology to only the data that is necessary to meet contact tracing objectives, including—
the status of any person as an infected or potentially infected person; and
the proximity of a person to someone who is symptomatic or has tested positive.
shall delete or de-identify any contact-tracing data that is individually identifiable information not later than the date that is 30 days after the end of the COVID–19 emergency declaration; and
shall include notifications to prompt users to disable or completely remove any digital contact-tracing technology where practical.
The technology shall have robust contact detection specifications, including for distance and time, that allow for detection consistent with guidance of the Centers for Disease Control and Prevention on COVID–19.
The technology shall ensure that the storing of proximity and any contact-tracing data is encrypted to the maximum extent possible.
Plan for interoperability
As a condition on receipt of a grant under this section, a State, Tribal, or territorial public health agency shall—
develop and make publicly available a plan for how the digital contact-tracing technology of the agency with respect to COVID–19 augments—
traditional contact tracing efforts, if applicable; and
statewide efforts to prevent, prepare for, and respond to COVID–19; and
include in such plan a description of the agency’s efforts to ensure that the digital contact-tracing technologies of the agency with respect to COVID–19 are interoperable with the digital contact-tracing technology and public health agency databases of other jurisdictions with respect to COVID–19; and
ensure that data collected by the digital contact-tracing technology of the agency—
is accessed and processed only by public health authorities (or their designees); and
is not shared with any person, or accessed or used by any person, for any purpose other than diagnosis, containment, treatment, or reduction of, or research into, COVID–19.
Independent security assessments
As a condition on receipt of a grant under this section, a State, Tribal, or territorial public health agency shall—
establish procedures for completing or obtaining independent security assessments of digital contact tracing infrastructure to ensure that physical and network security is resilient and secure; and
develop a process to address the mitigation or remediation of the security vulnerabilities discovered during such independent security assessments.
A State, Tribal, or territorial public health agency should consider making public the source code of the digital contact-tracing technology used by the agency.
To seek a grant under this section, an eligible State, Tribal, or territorial public health agency shall submit an application in such form, in such manner, and containing such information and assurances as the Director may require.
Securing digital contact-tracing data
The provisions of the HIPAA privacy and security law (as defined in section 3009(a)(2) of the Public Health Service Act (42 U.S.C. 300jj–19(a)(2))) shall apply to a State, Tribal, or territorial public health agency receiving a grant under subsection (a) with respect to individually identifiable health information (as defined in section 1171(a)(6) of the Social Security Act (42 U.S.C. 1320d(a)(6))) received by, maintained on, or transmitted through a contact tracing program described in such subsection (a) in the same manner as such provisions apply with respect to such information and a covered entity (as defined in section 13400(3) of the HITECH Act (42 U.S.C. 17921(3))).
Any entity with a contract in effect with an agency described in paragraph (1) for the development, maintenance, or operation of a program described in such paragraph shall be deemed to be a business associate of such agency for purposes of subtitle D of the HITECH Act (42 U.S.C. 17921 et seq.).
Revision of sample agreement
Not later than 180 days after the date of the enactment of this Act, the Secretary of Health and Human Services shall revise the sample business associate agreement provisions published on January 25, 2013, to take account of the provisions of this subsection.
The provisions of subparagraph (A) shall apply beginning on the day after the Secretary of Health and Human Services revises the provisions described in subparagraph (B).
Limitation on use of data
Data generated in connection with the operation of digital contact-tracing technology funded pursuant to this section may not be used for any punitive purpose, including law enforcement, immigration enforcement, or criminal prosecution. Such data and any information derived from it, whether in whole or in part, may not be received as evidence in any trial, hearing, or other proceeding in or before any court, grand jury, department, officer, agency, regulatory body, legislative committee, or other authority of the United States, a State, or a political subdivision thereof.
Report to Congress
Not later than 24 months after the date of enactment of this Act, the Comptroller General of the United States shall—
evaluate the outcome of the grants awarded under this section, including an assessment of the impact of the implementation of digital contact tracing programs funded through such grants on the spread of COVID–19; and
submit to the Congress a report on the results of such evaluation.
In this section:
Affirmative express consent
The term affirmative express consent means an affirmative act by an individual that clearly and conspicuously communicates the individual’s authorization for an act or practice, in response to a specific request that—
is provided to the individual in a clear and conspicuous disclosure that is separate from other options or acceptance of general terms;
includes a description of each act or practice for which the individual’s consent is sought and—
is written clearly and unmistakably stated; and
includes a prominent heading that would enable a reasonable individual to identify and understand the act or practice; and
cannot be inferred from inaction.
The term contact-tracing data means information linked or reasonably linkable to a user or device, that—
concerns the COVID–19 pandemic; and
is gathered, processed, or transferred by digital contact-tracing technology.
COVID–19 emergency declaration
The term COVID–19 emergency declaration has the meaning given to such term in section 1135(g)(1)(B) of the Social Security Act (42 U.S.C. 1320b–5).
The term de-identify means to ensure that information cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular individual.
The term designee—
subject to subparagraph (B), means any person or entity, other than a public health agency, that collects, processes, or transfers contact-tracing data in the course of performing a service or function on behalf of, for the benefit of, under instruction of, and under contractual agreement with a public health authority; and
excludes any Federal, State, Tribal, territorial, or local law (including immigration law) enforcement personnel or entity.
Digital contact-tracing technology
The term digital contact-tracing technology means a website, online application, mobile application, mobile operating system feature, or smart device application that is designed, in part or in full, for the purpose of—
determining that a contact incident has occurred relating to the COVID–19 pandemic; and
taking consequent steps such as reporting the incident to a public health authority or user, or providing guidance or instructions to the user of the mobile device or the user’s household.
Such term does not include any technology to assist individuals to evaluate whether they are experiencing COVID–19 symptoms to the extent the technology is not used as described in subparagraph (A).
The term Director means the Director of the Centers for Disease Control and Prevention.
The term mobile application means a software program that runs on the operating system of a mobile device.
The term mobile device means a smartphone, tablet computer, or similar portable computing device that transmits data over a wireless connection.
The term source code is the programming instruction for a computer program in its original form and saved in a file.
Traditional contact tracing
The term traditional contact tracing means contact tracing by traditional means prior to contemporary digital contact tracing.
The term user means a member of the public who utilizes the software or hardware product.
Authorization of appropriations
To carry out this section, there are authorized to be appropriated $75,000,000, to remain available until expended.