GOVERNMENT OF THE DISTRICT OF COLUMBIA
OFFICE OF THE ATTORNEY GENERAL
ATTORNEY GENERAL
BRIAN L. SCHWALB
July 12, 2024
The Honorable Phil Mendelson
Chairman, Council of the District of Columbia
John A. Wilson Building
1350 Pennsylvania Avenue, N.W.
Washington, D.C. 20004
Dear Chairman Mendelson:
I write to transmit the “Consumer Health Information Privacy Protection (CHIPPA) Act of 2024,” for
consideration and enactment by the Council of the District of Columbia.
Personal health data that is uploaded to online platforms like company websites, search engines, apps, and
even social media is being collected, shared, and sold to third parties without the consumer’s consent or
knowledge. While most people believe that the federal Health Insurance Portability and Accountability
Act of 1996 (“HIPAA”) protects all personal health data from being shared without consent or knowledge,
it only applies to data collected by a “covered entity,” such as health insurers, hospitals, and healthcare
providers. It does not extend to personal health information shared by non-covered entities. For example,
health devices, apps, Apple Watch, and patient support groups fall outside of HIPAA regulation.
This legislation will ensure regulated entities that obtain, collect, share, and sell consumer personal health
data are responsible, transparent, and held accountable to the consumer. CHIPPA will do the following:
1. Require regulated entities to establish and make publicly available a consumer health data privacy
policy governing the collection, use, sharing, and sale of consumer health data.
2. Require that regulated entities obtain the consumer’s informed consent before collecting and
sharing their personal health data.
3. Establish a consumer’s right to access and choose whether and how their personal health data is
used by a regulated entity.
4. Establish additional protections and consumer authorizations for the sale of personal health data.
5. Require regulated entities to only collect health data that is necessary for the purposes disclosed to
the consumers and to only use, share, and retain the consumer health data for that purpose.
6. Prohibit the establishment of geofences around places where health services are delivered under
specified circumstances.
7. Make violations unfair and deceptive trade practices.
I ask that the Council enact this legislation to ensure that everyone, regardless of whether they are a patient
seeking health care services, a consumer signing-up for a fitness app, or purchasing an item online, knows
why, how, and to whom their personal health data is being used, shared, and sold. If you have any
400 Sixth Street, N.W., Washington, DC 20001, (202) 727-3400, Fax (202) 730-0484
questions, please contact me or Deputy Attorney General for Policy and Legislative Affairs Candyce
Phoenix at (202) 788-2066 or Candyce.Phoenix@dc.gov.
Sincerely,
Brian L. Schwalb
Attorney General for the District of Columbia
2
 2
3 ~
:Iiz ~//4----
n Phil Mendelson
4 at the request of the Attorney General
5
6
7
8 A BILL
9
IO
11
12 IN THE COUNCIL OF THE DISTRICT OF COLUMBIA
13
14
15
16
17 To require regulated entities that collect consumer health data to have a consumer health data
18 privacy policy containing specific information about its collection, use and sharing of
19 consumer health data and post it on the home page of their website, to prohibit regulated
20 entities from contracting with processors, affiliates, or third parties to process consumer
21 health data in a manner inconsistent with the policy, to require regulated entities to obtain
22 consumer consent before collecting consumer health data after providing the consumer
23 with requests for consent containing specified information, to limit a regulated entity's
24 collection and sharing of consumer health data to the purposes contained in the
25 consumer's consent, to establish a consumer's right to obtain information about consumer
26 health infonnation collected and shared, to withdraw consent for collection and sharing,
27 and to obtain deletion of info1mation collected and shared, to require a valid consumer
28 authorization before consumer health data may be sold, to prohibit the establishment of
29 geofences around places where health services are delivered under specified
30 circumstances, to make violations of this act unfair and deceptive trade practices, and to
3I exclude certain types of data collection and data sharing from the operation of the act.
32
33 BE IT ENACTED BY THE COUNCIL OF THE DISTRICT OF COLUMBIA, That this
34 act may be cited as the "Consumer Health Information Privacy Protection (CHIPP A) Act of
35 2024".
36 Sec. 2. Definitions
37
38 For the purposes of this act, the term:
39
40 ( 1) "Abortion" means the termination of a pregnancy for purposes other than producing a
41 live birth.
42 (2) “Affiliate” means a legal entity that shares common branding with another legal entity
43 and controls, is controlled by, or is under common control with another legal entity. For purposes
44 of this definition, “control” or “controlled” means:
45 (A) Ownership of, or the power to vote, more than 50 percent of the outstanding
46 shares of any class of voting security of a company;
47 (B) Control in any manner over the election of a majority of the directors or of
48 individuals exercising similar functions; or
49 (C) The power to exercise controlling influence over the management of a
50 company.
51 (3) “Authenticate” means to use reasonable means to determine that a request to exercise
52 any of the rights afforded in this act is being made by, or on behalf of, the consumer who is
53 entitled to exercise such consumer rights with respect to the consumer health data at issue.
54 (4) “Biometric data” means data that is generated from the measurement or technological
55 processing of an individual’s physiological, biological, or behavioral characteristics and that
56 identifies a consumer, whether individually or in combination with other data. Biometric data
57 includes:
58 (A) Imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and
59 voice recordings, from which an identifier template can be extracted; and
60 (B) Keystroke patterns or rhythms and gait patterns or rhythms that contain
61 identifying information.
62 (5) “Clear and conspicuous” means a disclosure that is easily noticeable and easily
63 understandable by the consumer and does not contain any statements that are inconsistent with,
64 or in mitigation of any other statements or disclosures provided by the regulated entity.
2
65 “Clear and conspicuous” requires the information to be reasonably accessible to
66 consumers with disabilities, taking into account industry standards for online disclosures.
67 (6) “Collect” means to buy, rent, access, retain, receive, acquire, infer, derive, or
68 otherwise process consumer health data in any manner.
69 (7) “Consent” means a clear affirmative act that signifies a consumer’s freely given,
70 specific, informed, opt-in, voluntary, and unambiguous agreement, following a clear and
71 conspicuous disclosure to the individual, which shall consist of written consent or consent
72 provided by electronic means. For the purposes of this act “consent” shall not include:
73 (A) A consumer’s acceptance of a general or broad terms-of-use agreement or a
74 similar document that contains descriptions of personal data processing along with other
75 unrelated information;
76 (B) A consumer’s hovering over, muting, pausing, or closing a given piece of
77 electronic content; or
78 (C) A consumer’s agreement obtained through the use of deceptive designs.
79 (8) “Consumer” means a natural person acting in an individual or household capacity,
80 however identified, including by any unique identifier, who is a District of Columbia (“District”)
81 resident or whose consumer health data is collected in the District. “Consumer” does not include
82 an individual acting in the course of their employment.
83 (9) “Consumer health data” means personal information that is linked or can reasonably
84 be linked to a consumer and that identifies the consumer’s past, present, or future physical or
85 mental health status. “Consumer health data” does not include personal information that is used
86 to engage in public or peer-reviewed scientific, historical, or statistical research in the public
87 interest that adheres to all other applicable ethics and privacy laws and is approved, monitored,
3
 88 and governed by an institutional review board, human subjects research ethics review board, or a
89 similar independent oversight entity that determines that the regulated entity or the small
90 business has implemented reasonable safeguards to mitigate privacy risks associated with
91 research, including any risks associated with reidentification.
92 (10) “Deceptive design” means a user interface designed or manipulated with the effect
93 of subverting or impairing user autonomy, decision making, or choice. “Any practice that the
94 Federal Trade Commission refers to as a “dark pattern” is presumed a deceptive design.
95 (11) “Deidentified data” means data that cannot reasonably be used to infer information
96 about, or otherwise be linked to, an identified or identifiable consumer, or a device linked to such
97 a consumer. “Deidentified data” includes consumer health data in the possession of a regulated
98 entity where the regulated entity:
99 (A) Takes reasonable measures to ensure that such data cannot be associated with
100 a consumer;
101 (B) Publicly commits to maintain and process the data in a deidentified fashion
102 and to not attempt to reidentify the data, except that the regulated entity may attempt to
103 reidentify the information solely for the purpose of determining whether its deidentification
104 processes satisfy the requirements of this paragraph; and
105 (C) Contractually obligates any recipients of such data to maintain the data in a
106 deidentified fashion.
107 (12) “Gender-affirming care information” means personal information relating to seeking
108 or obtaining past, present, or future gender-affirming care services. “Gender-affirming care
109 information” includes:
4
110 (A) Precise location information that could reasonably indicate a consumer’s
111 attempt to acquire or receive gender-affirming care services;
112 (B) Efforts to research or obtain gender-affirming care services; or
113 (C) Any information related to seeking or obtaining past, present, or future
114 gender-affirming care services that is derived, extrapolated, or inferred, including from non-
115 health information, such as proxy, derivative, inferred, emergent, or algorithmic data.
116 (13) “Gender-affirming care services” means health services or products that support and
117 affirm an individual’s gender identity, including social, psychological, behavioral, cosmetic,
118 medical, or surgical interventions. “Gender-affirming care services” includes treatments for
119 gender dysphoria, gender-affirming hormone therapy, and gender-affirming surgical procedures.
120 (14) “Genetic data” or “genetic information” means any data, regardless of its format,
121 that concerns a consumer’s genetic characteristics. “Genetic data” or “genetic information”
122 includes:
123 (A) Raw sequence data that result from the sequencing of a consumer's complete
124 extracted deoxyribonucleic acid (“DNA”) or a portion of the extracted DNA;
125 (B) Genotypic and phenotypic information that results from analyzing the raw
126 sequence data; and
127 (C) Self-reported health data that a consumer submits to a regulated entity and
128 that is analyzed in connection with consumer's raw sequence data.
129 (15) “Geofence” means technology that uses global positioning coordinates, cell tower
130 connectivity, cellular data, radio frequency identification, Wi-fi data, or any other form of spatial
131 or location detection to establish a virtual boundary around a specific physical location, or to
5
132 locate a consumer within a virtual boundary. For purposes of this definition, “geofence” means a
133 virtual boundary that is 2,000 feet or less from the perimeter of the physical location.
134 (16) “Health care services” means any service provided to a person to assess, measure,
135 improve, or learn about a person's mental or physical health, including:
136 (A) Individual health conditions, status, diseases, or diagnoses;
137 (B) Social, psychological, behavioral, and medical interventions;
138 (C) Health-related surgeries or procedures;
139 (D) Use or purchase of medication;
140 (E) Bodily functions, vital signs, symptoms, or measurements of the information
141 described in this paragraph;
142 (F) Diagnoses or diagnostic testing, treatment, or medication;
143 (G) Reproductive health care services; or
144 (H) Gender-affirming care services.
145 (17) “Homepage” means the introductory page of an internet website and any internet
146 webpage where personal information is collected. In the case of an online service, such as a
147 mobile application, homepage means the application's platform page or download page, and a
148 link within the application, such as from the application configuration, “about,” “information,” or
149 settings page.
150 (18) “Person” means an individual, firm, corporation, partnership, cooperative,
151 association, or any other organization, legal entity, or group of individuals however organized,
152 including agents thereof. The term “person” includes a regulated entity, third party, affiliate, or
153 processor. The term “person or entity” shall not include the government of the United States, the
6
154 District of Columbia government, or any of the agencies or instrumentalities of either
155 government.
156 (19) “Personal information” means information that identifies or is reasonably capable of
157 being associated or linked, directly or indirectly, to a particular consumer. “Personal
158 information” includes data associated with a persistent unique identifier, such as a cookie ID, an
159 IP address, a device identifier, an advertising ID, or any other form of persistent unique
160 identifier. “Personal information” does not include publicly available information or deidentified
161 data.
162 (20) “Physical or mental health status” includes:
163 (A) Individual health conditions, treatment, diseases, or diagnoses;
164 (B) Social, psychological, behavioral, and medical interventions;
165 (C) Health-related surgeries or procedures;
166 (D) Use or purchase of prescribed medications;
167 (E) Bodily functions, vital signs, symptoms, or measurements of the information
168 described in this paragraph;
169 (F) Diagnoses or diagnostic testing, treatment, or medication;
170 (G) Gender-affirming care information;
171 (H) Reproductive or sexual health information;
172 (I) Biometric data;
173 (J) Genetic data;
174 (K) Precise location information that could reasonably indicate a consumer's
175 attempt to acquire or receive health services or supplies;
176 (L) Data that identifies a consumer seeking health care services; or
7
177 (M) Any information that a regulated entity, or their processor, processes to
178 associate or identify a consumer with the data described in this paragraph that is derived or
179 extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data
180 by any means, including algorithms or machine learning).
181 (21) “Precise location information” means information derived from technology and that
182 is used or intended to be used to locate a consumer within a radius of 1,750 feet.
183 (22) “Process” or “processing” means any operation or set of operations performed on
184 consumer health data.
185 (23) “Processor” means a person that processes consumer health data on behalf of a
186 regulated entity.
187 (24) “Publicly available information” means information about a consumer that a
188 regulated entity has reasonable cause to believe the consumer has lawfully made available to the
189 general public through federal, state, or municipal government records or widely distributed
190 media. “Publicly available information” does not include any biometric data collected about a
191 consumer by a business without the consumer’s consent.
192 (25) “Regulated entity” means any legal entity, including its agents, that conducts
193 business in the District or produces or provides products or services that are targeted to
194 consumers in the District and that alone or jointly with others, determines the purpose and means
195 of collecting, processing, sharing, or selling consumer health data. “Regulated entity” does not
196 include government agencies, tribal nations, or contracted service providers when processing
197 consumer health data on behalf of a government agency.
8
198 (26) “Reproductive or sexual health information” means personal information relating to
199 seeking or obtaining past, present, or future reproductive or sexual health services.
200 “Reproductive or sexual health information” includes:
201 (A) Precise location information that could reasonably indicate a consumer's
202 attempt to acquire or receive reproductive or sexual health services;
203 (B) Efforts to research or obtain reproductive or sexual health services; or
204 (C) Any reproductive or sexual health information that is derived, extrapolated, or
205 inferred, including from non-health information (such as proxy, derivative, inferred, emergent, or
206 algorithmic data).
207 (27) “Reproductive or sexual health services” means health services or products that
208 support or relate to a consumer's reproductive system or sexual well-being including:
209 (A)