
EPIC Testifies in Support of DC Consumer Health Information Privacy Protection Act

October 31, 2024

EPIC Counsel Suzanne Bernstein testified before the DC Council Committee on Health on Oct. 17 in support of Bill 25-0930, the Consumer Health Information Privacy Protection Act (CHIPPA). CHIPPA would provide privacy protections for consumer health data and is modeled closely on Washington State’s My Health My Data Act, which went into effect earlier this year. Suzanne’s testimony provided an overview of health data privacy risks that CHIPPA would mitigate and highlighted central provisions of the bill.

CHIPPA would provide much-needed safeguards to protect consumers’ health data in the District. The bill requires regulated entities to disclose categories and purposes for which consumer health data was collected and obtain additional consent prior to collecting or later sharing data with a third party. CHIPPA also establishes a consumer right to access and request to delete data, prohibits geofencing around health provider locations, and contains robust enforcement provisions, including a private right of action.

EPIC also submitted extensive written testimony on October 31 highlighting why this is such a critical moment to protect consumer health data and how CHIPPA can be improved to provide these protections. Consumer health data collection is rampant and broadly unregulated, posing heightened privacy risks for consumers. While the Federal Trade Commission has taken meaningful action against privacy and data security abuses involving health data, its enforcement authority kicks in only after a violation has occurred. With CHIPPA, DC Council can join Washington State, Connecticut, and Nevada in regulating consumer health data privacy to prevent and mitigate consumer harms before they materialize.

EPIC encouraged the Committee to maintain CHIPPA’s strong private right of action and geofencing prohibition. EPIC also recommended that the Committee improve certain definitions like “consumer health data” and “collect,” ground the bill in a data minimization framework to ensure efficacy and minimize consent fatigue, and consider banning the sale of health data. Earlier this year, EPIC commended Maryland for similarly banning the sale of sensitive data, which includes health data, in its newly enacted comprehensive privacy law.

EPIC has long advocated for health privacy safeguards. Recently, EPIC encouraged the FTC to expand the Health Breach Notification Rule and applauded the Department of Health and Human Services for its efforts to modify the HIPAA Privacy Rule to strengthen reproductive health privacy.
