OLYMPIA – Yesterday, the Washington House of Representatives passed HB 1127 addressing health data privacy on a 76-21 vote. The measure, now in the Senate for further consideration, increases protections and privacy for COVID-19 health data collected by third parties that are not health care facilities, agencies, or providers.
“This bill lives at the complex intersection of privacy and public health. On a policy level it seeks to strike a balance between the use of technology to combat a deadly virus, while still protecting our civil liberties,” said prime sponsor, Rep. Vandana Slatter, D-Bellevue. “On a more basic level, I believe it can save lives as we look, hopefully, to a resolution of this crisis.”
Public health case investigation, testing, and contact tracing tools to control the spread of communicable diseases are routinely used and are subject to laws and policies protecting health information privacy. WA Notify, for example, has privacy-preserving features built in. Slatter’s legislation ensures that any new digital tools to increase the public health system’s capacity to deal with the pandemic will also have protections in place to safeguard privacy.
This legislation exempts health care providers and public health care agencies, but it requires other government agencies, businesses and organizations that collect COVID-19 health data digitally, electronically or through an application to use it solely for a public health purpose.
“This virus has weaponized our very social connections and it has laid bare the inequities in our society. We need to use every single tool available to defeat it,” said Slatter, who holds a PharmD and M.P.A. from the University of Washington. “But our COVID-19 health data should only be used for that purpose and nothing more, which is what this bill requires.”
Under House Bill 1127, individuals must give express consent for usage of their data and they have the ability to withdraw consent at any time. There are also transparency requirements as to who has access to the data and, furthermore, it cannot be disclosed or used for advertising, e-commerce or as a barrier to employment, insurance, housing, finance, educational opportunities, immigration or law enforcement purposes.
Lastly, the bill also requires that all COVID-19 health information be destroyed after 30 days, unless retention of the data is protected or required by state or federal law.
“Every Washingtonian should feel confident that health information collected by digital tools will be used in a private, secure, and legitimate manner and solely to help reduce the spread of COVID-19—and provide the best chance to save lives,” Slatter added.
The provisions in the bill expire in December 2022, which is why Slatter said, in her Floor speech, that more work will need to be done in the future but that, for today, her legislation can protect and help Washington communities and families survive through this crisis.
Watch Rep. Vandana Slatter’s full Floor remarks: