CERTIFICATION OF ENROLLMENT
SECOND SUBSTITUTE HOUSE BILL 1127
67th Legislature
2021 Regular Session
Passed by the House April 14, 2021
Yeas 83 Nays 13
Speaker of the House of Representatives

Passed by the Senate April 10, 2021
Yeas 28 Nays 20
President of the Senate

Approved
Governor of the State of Washington

CERTIFICATE
I, Bernard Dean, Chief Clerk of the House of Representatives of the
State of Washington, do hereby certify that the attached is SECOND
SUBSTITUTE HOUSE BILL 1127 as passed by the House of Representatives
and the Senate on the dates hereon set forth.
Chief Clerk

FILED
Secretary of State
State of Washington
SECOND SUBSTITUTE HOUSE BILL 1127
AS AMENDED BY THE SENATE
Passed Legislature - 2021 Regular Session
State of Washington 67th Legislature 2021 Regular Session
By House Appropriations (originally sponsored by Representatives
Slatter, Boehnke, Valdez, Kloba, Graham, Macri, and Pollet)
READ FIRST TIME 02/22/21.
1 AN ACT Relating to protecting the privacy and security of
2 COVID-19 health data collected by entities other than public health
3 agencies, health care providers, and health care facilities; amending
4 RCW 42.56.360; adding a new chapter to Title 70 RCW; providing an
5 expiration date; and declaring an emergency.
6 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:
7 NEW SECTION. Sec. 1. (1) The legislature finds that the public
8 health system must use all available and effective tools to prevent
9 the spread of the novel coronavirus COVID-19 and save lives in
10 Washington. Public health case investigation, testing, and contact
11 tracing are traditional, trusted public health tools used to control
12 the spread of communicable diseases and are subject to laws and
13 policies protecting health information privacy. As the economy
14 reopens, the staggering number of COVID-19 cases continue to test
15 capacity of the public health system's ability to control COVID-19.
16 In an effort to increase the system's capacity, academic institutions
17 and technology companies have recently developed digital tools,
18 including web and mobile applications, to assist local and state
19 public health agencies with contact tracing efforts.
20 (2) The legislature finds that it is imperative to strike a
21 balance between supporting innovative tools that increase the public
p. 1 2SHB 1127.PL
1 health system's capacity while also providing equitable protections
2 for the privacy and security of individual's COVID-19 health data and
3 assuring individuals that collected data will not be used for law
4 enforcement or immigration purposes. Achieving this balance is
5 critical to reassure every Washingtonian, that any data collected by
6 digital tools will be used in a private, secure, and legitimate
7 manner and to support the use of all available tools to reduce the
8 spread of COVID-19, particularly among vulnerable populations, and
9 save lives in Washington.
10 (3) Therefore, the legislature intends to establish privacy and
11 security standards for these digital tools to provide protections for
12 all Washingtonian's COVID-19 health data.
13 NEW SECTION. Sec. 2. The definitions in this section apply
14 throughout this chapter unless the context clearly requires
15 otherwise.
16 (1)(a) "Affirmative express consent" means an affirmative act by
17 an individual that clearly and conspicuously communicates the
18 individual's authorization of an act or practice and is:
19 (i) Made in the absence of any mechanism in the user interface
20 that has the purpose or substantial effect of obscuring, subverting,
21 or impairing decision making or choice to obtain consent; and
22 (ii) Taken after the individual has been presented with a clear
23 and conspicuous disclosure that is separate from other options or
24 acceptance of general terms and that includes a concise and easy-to-
25 understand description of each act or practice for which the
26 individual's consent is sought.
27 (b) For purposes of (a) of this subsection, affirmative express
28 consent may not be inferred from the inaction of an individual or the
29 individual's continued use of a service or product.
30 (c) Affirmative express consent must be freely given and
31 nonconditioned.
32 (2)(a) "Biometric data" means any information, regardless of how
33 it is captured, converted, or stored, that is:
34 (i) Based on an individual's unique biological characteristics,
35 such as a retina or iris scan, fingerprint, voiceprint, a scan of
36 hand or face geometry, or other unique biological patterns or
37 characteristics; and
38 (ii) Used to identify a specific individual.
39 (b) "Biometric data" does not include:
1 (i) Writing samples, written signatures, photographs, human
2 biological samples used for valid scientific testing or screening,
3 demographic data, tattoo descriptions, thermal images, or physical
4 descriptions such as height, weight, hair color, or eye color;
5 (ii) Donated organ tissues or parts, or blood or serum stored on
6 behalf of recipients or potential recipients of living or cadaveric
7 transplants and obtained or stored by a federally designated organ
8 procurement agency;
9 (iii) Information captured from a patient in a health care
10 setting or information collected, used, or stored for health care
11 treatment, payment, or operations under the federal health insurance
12 portability and accountability act of 1996; or
13 (iv) X-ray, roentgen process, computed tomography, magnetic
14 resonance imaging, positron emission tomography scan, mammography, or
15 other image or film of the human anatomy used to diagnose, develop a
16 prognosis for, or treat an illness or other medical condition or to
17 further validate scientific testing or screening.
18 (3) "Collect" means buying, renting, gathering, obtaining,
19 receiving, accessing, or otherwise acquiring COVID-19 health data in
20 any manner by a covered organization, including by passively or
21 actively observing the behavior of an individual.
22 (4)(a) "Covered organization" means any person, including a
23 government entity, that:
24 (i) Collects, uses, or discloses COVID-19 health data of
25 Washington residents electronically or through communication by wire
26 or radio for a COVID-19 public health purpose; or
27 (ii) Develops or operates a website, web application, mobile
28 application, mobile operating system feature, or smart device
29 application for the purpose of tracking, screening, monitoring,
30 contact tracing, mitigating, or otherwise responding to COVID-19 or
31 the related public health response.
32 (b) "Covered organization" does not include:
33 (i) A health care provider;
34 (ii) A health care facility;
35 (iii) A public health agency;
36 (iv) The department of labor and industries and an employer that
37 is self-insured under Title 51 RCW, if the department of labor and
38 industries or employer is collecting data protected by RCW 51.28.070;
39 (v) The department of labor and industries for purposes of
40 administering chapter 49.17 RCW;
1 (vi) The state long-term care ombuds program;
2 (vii) A person or entity acting as a "covered entity" or
3 "business associate," as those terms are defined in Title 45 C.F.R.,
4 established pursuant to the federal health insurance portability and
5 accountability act of 1996 or a person or entity acting in a similar
6 capacity under chapter 70.02 RCW;
7 (viii) A service provider;
8 (ix) A person acting in their individual or household capacity;
9 or
10 (x) A person or entity that provides to a public health agency a
11 mobile application or mobile operating system feature that transmits
12 deidentified proximity data solely for the purpose of digitally
13 notifying an individual who may have become exposed to COVID-19. A
14 person or entity that provides such mobile application or mobile
15 operating system feature to any person or entity other than a public
16 health agency is a covered organization. A person or entity that
17 transmits or uses deidentified proximity data for any purpose other
18 than COVID-19 exposure notification is a covered organization.
19 (5) "COVID-19" means a respiratory disease caused by the severe
20 acute respiratory syndrome coronavirus 2 (SARS-CoV-2).
21 (6)(a) "COVID-19 health data" means data that is collected, used,
22 or disclosed in connection with COVID-19 or the related public health
23 response and that is linked to an individual or device.
24 (b) "COVID-19 health data" includes, but is not limited to:
25 (i) Information that reveals the past, present, or future
26 physical or behavioral health or condition of, or provision of health
27 care to, an individual;
28 (ii) Data derived from the testing or examination of a body or
29 bodily substance, or a request for such testing;
30 (iii) Information as to whether or not an individual has
31 contracted or been tested for, or an estimate of the likelihood that
32 a particular individual may contract, a disease or disorder;
33 (iv) Genetic data and biological samples;
34 (v) Biometric data;
35 (vi) Geolocation data;
36 (vii) Proximity data;
37 (viii) Demographic data; and
38 (ix) Contact information for identifiable individuals or a
39 history of the individual's contacts over a period of time, such as
40 an address book or call log.
1 (c) "COVID-19 health data" does not include:
2 (i) Identifiable personal data collected and used for the
3 purposes of human subjects research conducted in accordance with: The
4 federal policy for the protection of human subjects, 45 C.F.R. Part
5 46; the good clinical practice guidelines issued by the international
6 council for harmonization; or the federal regulations on the
7 protection of human subjects under 21 C.F.R. Parts 50 and 56;
8 (ii) Data that is deidentified in accordance with the
9 deidentification requirements set forth in 45 C.F.R. Sec. 164.514 and
10 that is derived from protected health information data subject to one
11 of the standards set forth in (c)(i) of this subsection; or
12 (iii) Information used only for public health activities and
13 purposes as described in 45 C.F.R. Sec. 164.512.
14 (7) "COVID-19 public health purpose" means a purpose that seeks
15 to support or evaluate public health activities related to COVID-19
16 including, but not limited to, preventing, detecting, and responding
17 to COVID-19; creating emergency response plans; identifying
18 population health trends; health surveillance; health assessments;
19 implementing educational programs; program evaluation; developing and
20 implementing policies; and determining needs for access to services
21 and administering services.
22 (8) "Demographic data" means information relating to the actual
23 or perceived race, color, ethnicity, national origin, religion, sex,
24 gender, gender identity, sexual orientation, age, tribal affiliation,
25 disability, domicile, employment status, familial status, immigration
26 status, or veteran status of an individual or group of individuals.
27 (9) "Device" means any electronic equipment that is primarily
28 designed for or marketed to consumers.
29 (10) "Disclose" or "disclosure" means the releasing,
30 transferring, selling, providing access to, licensing, or divulging
31 in any manner of COVID-19 health data by a covered organization to a
32 third party.
33 (11) "Federal immigration authority" means any officer, employee,
34 or person otherwise paid by or acting as an agent of the United
35 States department of homeland security, including but not limited to
36 its subagencies, immigration and customs enforcement and customs and
37 border protection, and any present or future divisions thereof,
38 charged with immigration enforcement.
39 (12) "Geolocation data" means data capable of determining the
40 past or present precise physical location of an individual at a
1 specific point in time, taking account of population densities,
2 including cell site location information, triangulation data derived
3 from nearby wireless or radio frequency networks, and global
4 positioning system data.
5 (13) "Health care facility" means a hospital, clinic, nursing
6 home, psychiatric hospital, ambulatory surgical center, pharmacy,
7 laboratory, testing site including a temporary or community-based
8 site and locations where related samples are collected, office, or
9 similar place where a health care provider provides health care to
10 patients.
11 (14) "Health care provider" means a person who is licensed,
12 certified, registered, or otherwise authorized by state law to
13 provide health care in the ordinary course of business or practice of
14 a profession.
15 (15) "Individual" means a natural person who is a Washington
16 resident.
17 (16) "Law enforcement officer" means a law enforcement officer as
18 defined in RCW 9.41.010 or a federal peace officer as defined in RCW
19 10.93.020.
20 (17) "Person" means a natural or legal person, or any legal,
21 commercial, or governmental entity of any kind or nature.
22 (18) "Proximity data" means information that identifies or
23 estimates the past or present physical proximity of one individual or
24 device to another, including information derived from Bluetooth,
25 audio signatures, nearby wireless networks, and near-field
26 communications.
27 (19) "Public health agency" means an agency or authority of the
28 state, political subdivision of the state, or an Indian tribe that is
29 responsible for public health matters as part of its official
30 mandate, or a person or entity acting under a grant of authority from
31 or contract with such public agency. "Public health agency" includes
32 the department of health, the state board of health, local health
33 departments, local boards of health, health districts, and sovereign
34 tribal nations.
35 (20)(a) "Service provider" means a person that collects, uses, or
36 discloses COVID-19 health data for the purpose of performing a
37 service or function on behalf of, for the benefit of, under
38 instruction of, and under contractual agreement with a covered
39 organization, but only to the extent that the collection, use, or
40 disclosure relates to the performance of such service or function.
1 (b) "Service provider" excludes a person that develops or
2 operates a website, web application, mobile application, or smart
3 device application for the purpose of tracking, screening,
4 monitoring, contact tracing, mitigating, or otherwise responding to
5 COVID-19.
6 (21)(a) "Third party" means a person to whom a covered
7 organization discloses COVID-19 health data, or a corporate affiliate
8 or a related party of a covered organization that does not have a
9 direct relationship with an individual with whom the COVID-19 health
10 data is linked or is reasonably linkable.
11 (b) "Third party" excludes a public health agency, the state
12 long-term care ombuds program, or a service provider of a covered
13 organization.
14 (22) "Use" means the processing, employment, application,
15 utilization, examination, or analysis of COVID-19 health data by a
16 covered organization.
17 NEW SECTION. Sec. 3. (1)(a) A covered organization shall
18 provide to an individual a privacy policy that describes, at a
19 minimum:
20 (i) The covered organization's data retention and data security
21 policies and practices for COVID-19 health data;
22 (ii) How and for what purposes the covered organization collects,
23 uses, and discloses COVID-19 health data;
24 (iii) The recipients to whom the covered organization discloses
25 COVID-19 health data and the purpose of disclosure for each
26 recipient; and
27 (iv) How an individual may exercise their rights under this
28 chapter.
29 (b) A privacy policy required under (a) of this subsection must
30 be disclosed to an individual in a clear and conspicuous manner, in
31 the language in which the individual typically interacts with the
32 covered organization, and prior to or at the point of the collection
33 of COVID-19 health data.
34 (2)(a) A covered organization may not collect, use, or disclose
35 COVID-19 health data unless the individual to whom the data pertains
36 has given affirmative express consent to the coll