
H.R. 778: Secure Data and Privacy for Contact Tracing Act of 2021


The text of the bill below is as of Feb 3, 2021 (Introduced).


I

117th CONGRESS

1st Session

H. R. 778

IN THE HOUSE OF REPRESENTATIVES

February 3, 2021

(for herself, Ms. DeGette, Mrs. Dingell, Mr. Carson, Mr. Jones, Mr. Lynch, Mr. Raskin, and Mr. Takano) introduced the following bill; which was referred to the Committee on Energy and Commerce

A BILL

To authorize the Director of the Centers for Disease Control and Prevention to award grants to eligible State, Tribal, and territorial public health agencies to develop and administer a program for digital contact tracing for COVID–19, and for other purposes.

1.

Short title

This Act may be cited as the Secure Data and Privacy for Contact Tracing Act of 2021.

2.

Grant program for digital contact tracing for COVID–19

(a)

In general

The Director of the Centers for Disease Control and Prevention shall award grants to eligible State, Tribal, and territorial public health agencies to—

(1)

establish a contact tracing program that implements traditional contact tracing protocols with the assistance of digital contact-tracing technology to track and prevent the spread of COVID–19;

(2)

incorporate digital contact-tracing technology into a contact tracing program that implements traditional contact tracing protocols to track and prevent the spread of COVID–19; and

(3)

expand or maintain an existing program as described in paragraph (1).

(b)

Use of funds

(1)

In general

Funds received through a grant under this section may be used for—

(A)

the development, maintenance, or staffing of digital contact tracing programs;

(B)

associated outreach and marketing; or

(C)

other activities identified by the State, Tribal, or territorial public health agency receiving the grant as advancing the effectiveness and reach of digital contact-tracing technologies.

(2)

Education and outreach

Of the funds received by a State, Tribal, or territorial public health agency through a grant under this section, the agency may use not more than 10 percent of such funds to integrate education and outreach related to vaccines for COVID–19 into digital contact-tracing programs.

(c)

Funding disqualification

If a State, Tribal, or territorial public health agency develops or procures any digital contact-tracing technology with respect to COVID–19 that does not meet each of the requirements listed in subsection (d), such State, Tribal, or territorial public health agency shall be ineligible to receive or continue to receive—

(1)

any funds through a grant under this section; and

(2)

any other Federal funds, including under the CARES Act (Public Law 116–136), for any digital contact-tracing technology with respect to COVID–19.

(d)

Digital contact-tracing requirements

A State, Tribal, or territorial public health agency may use a grant under this section for digital contact-tracing technology, as described in subsections (a) and (b), only if the technology meets each of the following requirements:

(1)

The technology shall be voluntary for the user and provide to the user complete and clear information on the intended use and processing of data collected by the technology. To be voluntary for the user, the technology shall meet requirements including each of the following:

(A)

Use of the technology and of contact-tracing data collected using the technology shall be predicated on the user’s affirmative express consent.

(B)

Use of the technology shall not be a condition for the reception of government benefits.

(C)

Use of the technology shall not be made a condition of employment or employment status.

(2)

The technology shall limit the collection of data by the technology to only the data that is necessary to meet contact tracing objectives, including—

(A)

the status of any person as an infected or potentially infected person; and

(B)

the proximity of a person to someone who is symptomatic or has tested positive.

(3)

The technology—

(A)

shall delete or de-identify any contact-tracing data that is individually identifiable information not later than the date that is 30 days after the end of the COVID–19 emergency declaration; and

(B)

shall include notifications to prompt users to disable or completely remove any digital contact-tracing technology where practical.

(4)

The technology shall have robust contact detection specifications, including for distance and time, that allow for detection consistent with guidance of the Centers for Disease Control and Prevention on COVID–19.

(5)

The technology shall ensure that the storing of proximity and any contact-tracing data is encrypted to the maximum extent possible.

(e)

Plan for interoperability

As a condition on receipt of a grant under this section, a State, Tribal, or territorial public health agency shall—

(1)

develop and make publicly available a plan for how the digital contact-tracing technology of the agency with respect to COVID–19 augments—

(A)

traditional contact tracing efforts, if applicable; and

(B)

statewide efforts to prevent, prepare for, and respond to COVID–19; and

(2)

include in such plan a description of the agency’s efforts to ensure that the digital contact-tracing technologies of the agency with respect to COVID–19 are interoperable with the digital contact-tracing technology and public health agency databases of other jurisdictions with respect to COVID–19; and

(3)

ensure that data collected by the digital contact-tracing technology of the agency—

(A)

is accessed and processed only by public health authorities (or their designees); and

(B)

is not shared with any person, or accessed or used by any person, for any purpose other than diagnosis, containment, treatment, or reduction of, or research into, COVID–19.

(f)

Independent security assessments

(1)

In general

As a condition on receipt of a grant under this section, a State, Tribal, or territorial public health agency shall—

(A)

establish procedures for completing or obtaining independent security assessments of digital contact tracing infrastructure to ensure that physical and network security is resilient and secure; and

(B)

develop a process to address the mitigation or remediation of the security vulnerabilities discovered during such independent security assessments.

(2)

Source code

A State, Tribal, or territorial public health agency should consider making public the source code of the digital contact-tracing technology used by the agency.

(g)

Application

To seek a grant under this section, an eligible State, Tribal, or territorial public health agency shall submit an application in such form, in such manner, and containing such information and assurances as the Director may require.

(h)

Securing digital contact-tracing data

(1)

In general

The provisions of the HIPAA privacy and security law (as defined in section 3009(a)(2) of the Public Health Service Act (42 U.S.C. 300jj–19(a)(2))) shall apply to a State, Tribal, or territorial public health agency receiving a grant under subsection (a) with respect to individually identifiable health information (as defined in section 1171(a)(6) of the Social Security Act (42 U.S.C. 1320d(a)(6))) received by, maintained on, or transmitted through a contact tracing program described in such subsection (a) in the same manner as such provisions apply with respect to such information and a covered entity (as defined in section 13400(3) of the HITECH Act (42 U.S.C. 17921(3))).

(2)

Business associates

(A)

In general

Any entity with a contract in effect with an agency described in paragraph (1) for the development, maintenance, or operation of a program described in such paragraph shall be deemed to be a business associate of such agency for purposes of subtitle D of the HITECH Act (42 U.S.C. 17921 et seq.).

(B)

Revision of sample agreement

Not later than 180 days after the date of the enactment of this Act, the Secretary of Health and Human Services shall revise the sample business associate agreement provisions published on January 25, 2013, to take account of the provisions of this subsection.

(C)

Effective date

The provisions of subparagraph (A) shall apply beginning on the day after the Secretary of Health and Human Services revises the provisions described in subparagraph (B).

(i)

Limitation on use of data

Data generated in connection with the operation of digital contact-tracing technology funded pursuant to this section may not be used for any punitive purpose, including law enforcement, immigration enforcement, or criminal prosecution. Such data and any information derived from it, whether in whole or in part, may not be received as evidence in any trial, hearing, or other proceeding in or before any court, grand jury, department, officer, agency, regulatory body, legislative committee, or other authority of the United States, a State, or a political subdivision thereof.

(j)

Report to Congress

Not later than 24 months after the date of enactment of this Act, the Comptroller General of the United States shall—

(1)

evaluate the outcome of the grants awarded under this section, including an assessment of the impact of the implementation of digital contact tracing programs funded through such grants on the spread of COVID–19; and

(2)

submit to the Congress a report on the results of such evaluation.

(k)

Definitions

In this section:

(1)

Affirmative express consent

The term affirmative express consent means an affirmative act by an individual that clearly and conspicuously communicates the individual’s authorization for an act or practice, in response to a specific request that—

(A)

is provided to the individual in a clear and conspicuous disclosure that is separate from other options or acceptance of general terms;

(B)

includes a description of each act or practice for which the individual’s consent is sought and—

(i)

is written clearly and unmistakably stated; and

(ii)

includes a prominent heading that would enable a reasonable individual to identify and understand the act or practice; and

(C)

cannot be inferred from inaction.

(2)

Contact-tracing data

The term contact-tracing data means information linked or reasonably linkable to a user or device, that—

(A)

concerns the COVID–19 pandemic; and

(B)

is gathered, processed, or transferred by digital contact-tracing technology.

(3)

COVID–19 emergency declaration

The term COVID–19 emergency declaration has the meaning given to such term in section 1135(g)(1)(B) of the Social Security Act (42 U.S.C. 1320b–5).

(4)

De-identify

The term de-identify means to ensure that information cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular individual.

(5)

Designee

The term designee

(A)

subject to subparagraph (B), means any person or entity, other than a public health agency, that collects, processes, or transfers contact-tracing data in the course of performing a service or function on behalf of, for the benefit of, under instruction of, and under contractual agreement with a public health authority; and

(B)

excludes any Federal, State, Tribal, territorial, or local law (including immigration law) enforcement personnel or entity.

(6)

Digital contact-tracing technology

(A)

In general

The term digital contact-tracing technology means a website, online application, mobile application, mobile operating system feature, or smart device application that is designed, in part or in full, for the purpose of—

(i)

determining that a contact incident has occurred relating to the COVID–19 pandemic; and

(ii)

taking consequent steps such as reporting the incident to a public health authority or user, or providing guidance or instructions to the user of the mobile device or the user’s household.

(B)

Limitations

Such term does not include any technology to assist individuals to evaluate whether they are experiencing COVID–19 symptoms to the extent the technology is not used as described in subparagraph (A).

(7)

Director

The term Director means the Director of the Centers for Disease Control and Prevention.

(8)

Mobile Application

The term mobile application means a software program that runs on the operating system of a mobile device.

(9)

Mobile device

The term mobile device means a smartphone, tablet computer, or similar portable computing device that transmits data over a wireless connection.

(10)

Source code

The term source code is the programming instruction for a computer program in its original form and saved in a file.

(11)

Traditional contact tracing

The term traditional contact tracing means contact tracing by traditional means prior to contemporary digital contact tracing.

(12)

User

The term user means a member of the public who utilizes the software or hardware product.

(l)

Authorization of appropriations

To carry out this section, there are authorized to be appropriated $75,000,000, to remain available until expended.