EPIC Testifies in Support of D.C.’s Proposed Personal Health Data Security Amendment Act

EPIC Senior Counsel Sara Geoghegan testified on March 23 before the D.C. City Council’s Committee on Health in support of the Personal Health Data Security Amendment Act of 2025. 

The bill, which was introduced in December, is designed to provide privacy protections for District residents’ sensitive health data. It would prohibit geofencing around facilities that provide health services, require the entities that handle personal health data to publish clear privacy policies, mandate consent before the collection or disclosure of any personal health data, and create a right to deletion.   

EPIC commended the bill’s sponsors while also urging the Council to remove the notice-and-choice provisions in the bill that tie limitations on data collection and use to language contained in privacy policies.  

“Unfortunately, the notice-and-choice approach to privacy regulation simply does not work,” Geoghegan said. “The focus on notice has led to longer and more complicated privacy policies that users do not read and could not change even if they did.” 

Instead, EPIC recommends that businesses’ obligations should be tied to the purpose for which data is collected—not what companies allow in their own privacy policies.  

Transitioning away from the failed notice-and-choice framework and toward data minimization also takes the burden off individual people to protect their personal data, instead requiring companies to be responsible stewards of the data they collect.   

EPIC submitted written testimony in support of the bill and again encouraged the Council to include robust data minimization requirements to best protect consumers’ health data. The full hearing is available to watch here.