HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Bipartisan Bill Introduced to Protect Privacy of COVID-19 Contact Tracing and Exposure Notification Apps

A bipartisan group of Senators has introduced a bill that aims to regulate contact tracing and exposure notification apps that will be used to control the spread of COVID-19.

The Exposure Notification Privacy Act is one of three bills that aim to regulate contact tracing apps to protect the privacy of Americans. The other two bills failed to gather enough support. It is hoped a bipartisan bill will have a greater chance of being passed.

Contact tracing and exposure notification technologies are currently being explored as a way of controlling the spread of COVID-19. Google and Apple have both developed the technology to support contact tracing via mobile phones using Bluetooth Low Energy. When a user downloads a contact tracing app, it will log encounters with other individuals who have also downloaded the app. When someone is diagnosed with COVID-19, the encounter data in the app is used to notify all individuals who may have been infected by that person.

Contact tracing and exposure notification apps have been used in other countries and have helped reduce the spread of COVID-19, but there are privacy risks associated with the apps that the new bill aims to address.


The Exposure Notification Privacy Act was introduced by Sens. Maria Cantwell (D-Washington) and Bill Cassidy (R-Louisiana) and has been co-sponsored by Amy Klobuchar (D-Minnesota). The bill aims to give Americans control over their personal data and “will place public health officials in the driving seat of exposure notification development.”

The bill requires the use of contact tracing and exposure notification apps to be voluntary and requires developers of the apps to implement measures that give consumers strong controls over their personal data. The bill limits the types of data that the apps can collect and places a time limit on how long personal data can be used.

In order for the apps to achieve their purpose, they will need to be downloaded by large numbers of people. For that to happen, Americans will need to be confident that their privacy is protected and their personal data will not be misused.

“Public health needs to be in charge of any notification system so we protect people’s privacy and help them know when there is a warning that they might have been exposed to COVID-19,” said Senator Cantwell. “This bill defends privacy when someone voluntarily joins with others to stop the spread of Covid-19.”

The bill requires exposure notification systems to accept only medically authorized diagnoses so that false reports are avoided. It requires personal data collected through the apps to be used only for the purpose of controlling the spread of COVID-19 and prohibits the use of personal data for commercial purposes. In addition to participation being voluntary, the bill will give Americans the right to opt out and have their personal data deleted at any time.

Strong security controls must be put in place to protect personal data collected through the apps, and in the event of a data breach, the bill calls for all affected individuals to be notified. There will also be strict enforcement measures to ensure consumer rights are protected. Federal and state authorities will be given the right to impose financial penalties in cases of noncompliance.

“As we continue to confront the coronavirus pandemic, Americans should not have to worry about the privacy and security of their personal health data,” said Senator Klobuchar. “While contact tracing can play a critical role in helping prevent the spread of the coronavirus, this crucial innovation cannot come at the expense of consumers’ privacy.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.