– A group of Democratic Senators and Congressional membersproposed legislation meant to tackle the privacy and security issues tied to technologies used for the COVID-19 response, including contact tracing apps, digital monitoring tools, and vaccine appointment scheduling apps.
The Public Health Emergency Privacy Act was introduced late Thursday, January 28, by Sens. Mark Warner, D-Virginia and Richard Blumenthal, D-Connecticut, aside Reps. Anna Eshoo, D-California, Jan Schakowsky, D-Illinois, and Suzan DelBene, D-Washington.
The bill is designed to tackle a key issue posed by many of these third-party apps: the majority do not fall under HIPAA. The Office for Civil Rights also recently applied enforcement discretion for web scheduling apps not covered by HIPAA, to expedite adoption and support the vaccine rollout.
The concern is that the number of cyberattacks on healthcare web apps has increased by 51 percent since the start of vaccine distribution. And the majority of COVID-19 sites are plagued with third-party tracking, which poses massive privacy risks.
The proposed legislation aims to tackle these privacy and security concerns through strong and enforceable privacy and data security rights for health information. As previously reported, many consumers are reluctant to use the tech necessary to stymie the spread of the COVID-19—although its use is crucial to an effective response.
READ MORE: HHS Proposes HIPAA Privacy Rule Changes, Improving Right of Access
The bill would safeguard the civil liberties of individuals leveraging COVID-19-related tech, which Congressional members said will help strengthen public trust and thus expand use of the needed tech.
It would also help healthcare leadership in leveraging these technologies and relevant health data to support the national response.
To Blumenthal, the legislation’s commitment to safeguarding consumer privacy is an investment in the country’s public health.
“Legal safeguards protecting consumer privacy failed to keep pace with technology, and that lapse is costing us in the fight against COVID-19,” Blumenthal said in a statement. “This measure sets strict and straightforward privacy protections and promises: Your information will be used to stop the spread of this disease, and no more.”
“Technology has become one of our greatest tools in responding to the COVID-19 pandemic but we need to build trust with the broader public if we are going to reach its full potential,” DelBene said in a statement.Americans need to be certain their sensitive personal information will be protected when using tracing apps and other COVID-19 response technology and this pandemic-specific privacy legislation will help build that trust.”
READ MORE: CDT, eHI Unveil Draft Consumer Health Data Privacy Framework
If passed, the bill would ensure data collected for public health purposes is limited to that specific use case and explicitly prohibits the use of public health data for discriminatory, unrelated, or intrusive purposes, such as advertising, e-commerce, or efforts to bar access to educational or financial opportunities, among others.
The legislation also seeks to prevent the potential misuse of health data by government agencies with no role in public health, while requiring meaningful data security and integrity protections, like data minimization and accuracy.
Tech firms tasked with COVID-19 data purposes would also be mandated to delete all data at the conclusion of the public health emergency.
The bill also prevents conditioning the right to vote based on a medical condition or use of contact tracing apps. It also establishes a mandate requiring regular reports detailing the impact the digital collection tools have upon civil rights.
Under the legislation, the public would gain control over their participation in COVID-19-related efforts through “meaningful transparency” and with required opt-in consent from individuals.
READ MORE: Report: COVID-19 Telehealth Risks and Best Practice Privacy, Security
Lastly, the bill provides thorough public and private enforcement, including rulemaking from an “expert agency,” while maintaining state legislation and enforcement.
However, the Congressional members stressed that in no means would the bill tackle the need for privacy reform in the US to combat challenges posed by third-party health apps. Congress has spent several years attempting to create bipartisan legislation that would empower the FTC and protect health data that falls outside of HIPAA regulation.
The legislation has already received support from Access Now, Electronic Privacy and Information Center (EPIC), the Center of Digital Democracy, Color of Change, Common Sense Media, Public Knowledge, and New America’s Open Technology Institute.
“Strong privacy protections for COVID health data will only be more vital as we move forward with vaccination efforts and companies begin experimenting with things like ‘immunity passports’ to gate access to facilities and services,” Warner said in a statement.
“Absent a clear commitment from policymakers to improving our health privacy laws, as this important legislation seeks to accomplish, I fear that creeping privacy violations and discriminatory uses of health data could become the new status quo in health care and public health,” he added.
This is the third Congressional effort to tackle COVID-19 contract tracing apps since the start of the national crisis. A fourth effort was tied to two COVID-19 relief bills from July.
However, those efforts did not pass, at the time. Under the Biden administration and a Democratic majority, the bill faces better odds of heading to the Senate floor.