Testimony
EPIC Testimony to the DC Council Health Committee in support of the Consumer Health Information Privacy Protection Act (CHIPPA)
Chair Christina Henderson
D.C. Council Committee on Health
1350 Pennsylvania Avenue NW
Washington, D.C. 20004
Dear Chair Henderson and Members of the Committee:
Good morning Chair Henderson and members of the Committee. Thank you for the opportunity to testify in support of Bill 25-0930, the Consumer Health Information Privacy Protection Act. My name is Suzanne Bernstein and I am Counsel at the Electronic Privacy Information Center, also known as EPIC. EPIC is an independent nonprofit research organization here in Washington, DC, established in 1994 to protect privacy, freedom of expression, and democratic values in the information age.[1] EPIC has long advocated for comprehensive privacy laws at both the state and federal level.[2] As we continue advocating for comprehensive privacy protections for all, EPIC strongly supports the DC Council’s critical effort to protect some of the most sensitive consumer data, which is health data.
We commend the sponsors for crafting a bill that provides meaningful privacy protections for Washington residents’ sensitive health data. For more than two decades, powerful tech companies have been allowed to set the terms of our online interactions. Without any meaningful restrictions on their business practices, they have built systems that invade our private lives, surveil our families, and gather the most intimate details about us for profit. But it does not have to be this way, and enacting CHIPPA would be a significant step toward securing privacy for health data.
In my testimony I will discuss why this legislation is so important to pass now, provide an overview of the health data privacy risks that this bill will mitigate, and highlight a few central aspects of CHIPPA like the enforcement, definition and geofencing provisions.
CHIPPA could not have been introduced sooner. To set the stage: Congress has failed to pass comprehensive privacy laws, or a law specifically protecting consumer health data. States are stepping in and passing their own privacy laws, including laws like Washington State’s My Health My Data Act, which provides similar safeguards for consumer health data. By passing CHIPPA, DC has the opportunity to remain a leader in consumer protection and set the bar high for Congress down the street.
Consumer health data collection has skyrocketed in recent years. The broad availability and convenience of smartphones and internet access has enabled “Americans to turn to apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet and other vital areas[.]”[3] Our understanding of what constitutes health data has grown as data analysts and data brokers have demonstrated their ability to infer health-related insights from a widening range of data sources. For example, location data can become sensitive health data, like GPS data indicating that someone has visited a methadone or abortion clinic.[4] Location data can also reveal healthcare activity and related behavior.[5]
Unbeknownst to many consumers, most of this health data collection is not regulated by HIPAA. Most of the apps, platforms and companies that collect our most sensitive data, like direct-to-consumer genetic testing companies, fall outside of HIPAA’s narrow scope.[6] As a result, there is a tremendous amount of health data in the hands of commercial entities that HIPAA does not regulate.
The current gap in the regulation of commercial health data practices poses significant risks to consumers. The mismanagement or breach of sensitive health data can result in a range of privacy injuries, from stigma and humiliation to financial and reputational injuries. What’s more, the largely unregulated data brokerage ecosystem that constantly collects, analyzes and sells health data without consumer knowledge or consent poses stark privacy and security risks to consumers. Data brokers sell health data, including mental health information,[7] to willing buyers including commercial entities, health insurance companies, law enforcement, and nearly any interested individual. While health data collection and sale are one piece of the enormous commercial surveillance ecosystem,[8] they pose unique risks to consumers. For example, health insurance companies can purchase and use information collected by data brokers to determine aspects of healthcare rates.[9] Health, demographic, and “lifestyle” information collected from any online activity—like purchasing plus-sized clothing or posting about feeling anxious or depressed from a recent divorce—can yield inferences for predicting health costs. All of this, from the surveillance and data collection to the sale and use of health data, is largely beyond the control of consumers.
In recent years, the Federal Trade Commission has ramped up its health data privacy enforcement actions,[10] but these apply after a privacy or data security violation. DC has the opportunity to provide our consumers with prophylactic safeguards for their consumer health data, preventing harms and mitigating potential risks before they materialize.
Turning to CHIPPA, I want to highlight three important provisions, among many other aspects of the law that will protect consumers. The inclusion of a private right of action in CHIPPA represents the most important tool the Legislature can give to its constituents to protect their privacy. CHIPPA’s private right of action rightly ties into a violation of DC consumer protection law. As CHIPPA makes clear, a privacy violation should not be treated differently than any other unfair and deceptive trade practice.
Individuals and groups of individuals who use these online services are in the best position to identify privacy issues and bring actions to vindicate their interests. These cases preserve DC’s resources, and statutory damages ensure that companies will face real consequences if they violate the law. Using the private right of action in Illinois’ Biometric Information Privacy Act, or BIPA, as an example, the ACLU’s suit under BIPA against facial recognition company Clearview AI settled, with Clearview agreeing not to sell its face surveillance system to any private company in the United States.[11] Private rights of action are extremely effective in ensuring that the rights in privacy laws are meaningful.
In the absence of a private right of action, there is a very real risk that companies will not comply with the law because they think it is unlikely that they would get caught or fined. Private enforcement ensures that data collectors have strong financial incentives to meet their data protection obligations.
Another important aspect of CHIPPA is the definition of consumer health data. The bill defines consumer health data as “personal information that is linked or can reasonably be linked to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” As I referenced earlier, the expansive scope of health data and health-related inferences that can be drawn from data collection require an appropriately broad definition for CHIPPA’s protections to be effective. This definition is nearly identical to how consumer health data is defined in Washington State’s My Health My Data Act, which went into effect in April. DC has the opportunity to create consistency on the state level for a definition that accurately captures health data across the online ecosystem.
Finally, it is important that CHIPPA includes a geofencing provision. Under CHIPPA’s geofence provision, it is unlawful to establish geofences to collect consumer health data around places where healthcare services are delivered. This is an important provision because location histories – collected by many apps or websites on our phones or other devices – capture and retain location information without consumer knowledge. If a person is at a hospital, or a health clinic specializing in certain types of treatment like dialysis, methadone or reproductive care, that location information can immediately become health information. DC consumers should feel safe to seek healthcare without commercial surveillance tracking their every move to and from a health clinic.
Privacy is a fundamental right, and it is time for business practices to reflect that reality. Self-regulation is clearly not working, and since Congress has still been unable to enact comprehensive privacy protections despite years of discussion on the topic, state legislatures must act. DC has an opportunity this session to provide real privacy protections with CHIPPA.
Thank you for the opportunity to speak today. EPIC is happy to be a resource to the Committee on these issues.
[1] EPIC, About EPIC, https://epic.org/about/.
[2] See e.g. Protecting America’s Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security: Hearing before the Subcomm. on Consumer Protection & Comm. of the H. Comm. on Energy & Comm., 117th Cong. (2022) (testimony of Caitriona Fitzgerald, Deputy Director, EPIC), https://epic.org/wp-content/uploads/2022/06/Testimony_Fitzgerald_CPC_2022.06.14.pdf.
[3] FTC, Statement of the Commission on Breaches by Health Apps and Other Connected Devices, https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf.
[4] https://houstonhealthlaw.scholasticahq.com/article/31471-8th-annual-symposium-redefining-regulating-health-data.
[5] https://www.ftc.gov/business-guidance/blog/2022/07/location-health-and-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal.
[6] https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html.
[7] https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2023/02/Kim-2023-Data-Brokers-and-the-Sale-of-Americans-Mental-Health-Data.pdf.
[8] https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2023/02/Kim-2023-Data-Brokers-and-the-Sale-of-Americans-Mental-Health-Data.pdf.
[9] https://www.propublica.org/article/health-insurers-are-vacuuming-up-details-about-you-and-it-could-raise-your-rates.
[10] https://epic.org/data-minimization-bolstering-the-ftcs-health-data-privacy-authority/.
[11] Ryan Mac & Kashmir Hill, Clearview AI Settles Suit and Agrees to Limit Sales of Facial Recognition database, N.Y. Times (May 9, 2022), https://www.nytimes.com/2022/05/09/technology/clearview-ai-suit.html.