On July 12, 2024, District of Colimbia’s Attorney General Brian L. Schwalb introduced the Consumer Health Information Privacy Protection Act of 2024 (CHIPPA), a new law aimed at enhancing privacy protections for District residents' health data.
The new legislation covers entities that are not already covered by HIPAA, such as tech companies who develop fitness apps or patient and support groups, and imposes strict privacy measures for the collection, use, and sharing of consumer health information.
In the official press release, AG Schwalb made the following statement:
All Washingtonians should be able to make fully informed healthcare decisions, including regarding how, whether, and where their sensitive health information is shared. When health data is transferred without patients’ knowledge, it can reveal confidential information about their mental health or medication history, or worse, used to identify and prosecute people who are seeking reproductive or gender affirming care. By requiring companies to disclose exactly how and where the data they collect is shared and to obtain informed consent before such data is shared, this bill is a critical step towards protecting District residents’ privacy and safety.
Key points of the CHIPPA:
- Effective Date: The Act takes effect following approval by the Mayor, a 30-day congressional review period, and publication in the District of Columbia Register.
- Applicability: The Act applies to:
- Regulated entities that conduct business in the District or provide products or services targeted to consumers in the District.
- Excludes government agencies, tribal nations, or contracted service providers processing data on behalf of a government agency.
- Obligations of Regulated Entities: Regulated entities must:
- Maintain and publish a consumer health data privacy policy.
- Obtain consumer consent before collecting or sharing health data.
- Limit data collection and sharing to the purposes specified in the consumer's consent.
- Provide consumers with access to their data and the ability to withdraw consent and request deletion of their data.
- Ensure data collection, use, retention, disclosure, and sharing are necessary and proportionate.
- Enter into binding contracts with affiliates, processors, and third parties to ensure compliance with the Act.
- Establish and maintain administrative, technical, and physical data security practices.
- Consumer Rights: Consumers have the right to:
- Confirm whether their data is being collected, shared, or sold.
- Withdraw consent for data collection and sharing.
- Request deletion of their health data.
- Access a list of third parties and affiliates with whom their data has been shared.
- Appeal a regulated entity’s refusal to take action on their request.
- Enforcement Authority: Violations of the Act are considered unfair and deceptive trade practices under D.C. Official Code § 28-3904.
- Penalties: Violations are treated as unfair and deceptive trade practices, subject to penalties of $1,500 per violation.