Consumer Health Information Privacy Protection Act Introduced in DC to Protect Non-HIPAA Health Data
District of Columbia Attorney General Brian L. Schwalb recently introduced the Consumer Health Information Privacy Protection Act of 2024 (CHIPPA) to better protect the personal health data of District residents.
CHIPPA was introduced to improve the protection of health data not covered by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA-regulated entities are already required to implement privacy and security measures to protect health data; however, health data is collected by many companies that are not required by law to implement safeguards, such as tech companies that have developed fitness, health, and wellness apps and patient support groups.
CHIPPA requires those entities to adhere to strengthened privacy provisions regarding the collection, sharing, use, or sale of consumer health data. They must establish a consumer health data privacy policy and make that policy available to the public on the home page of their website. The policy must contain information about the entity’s collection, use, and sharing of consumer health data.
Covered entities are prohibited from contracting with any third parties that process consumer health data in a manner inconsistent with that policy, and consent must be obtained from consumers before their health data is collected. Any health data collected must be limited to the data the consumer has consented to being collected and the data may only be used for purposes detailed in that consent.
Consumers have the right to obtain information about their health information that has been collected and shared, can withdraw their consent at any time, and can request that any collected health information be deleted. Additional consent is required before any consumer health data can be sold, and covered entities are prohibited from establishing geofences around places where healthcare services are delivered. Violations of CHIPPA will be considered deceptive trading practices under D.C. Official Code § 28-3904.
CHIPPA does not apply to health information that is protected under HIPAA, patient identifying information that is collected, used, or disclosed in accordance with 42 C.F.R. Part 2 and section 131 of the ADAMHA Reorganization Act, research-related information, information or documents created for purposes of the federal Health Care Quality Improvement Act, patient safety work product under 42 C.F.R. Part 3 and section 2 of the Patient Safety and Quality Improvement Act of 2005, or deidentified health data that has had identifying information removed in accordance with 45 C.F.R. Part 164. CHIPPA will take effect following approval from the Mayor, a 30-day period of congressional review, and publication in the District of Columbia Register.

