Attorney General Schwalb Introduces Legislation to Protect Personal Health Data of District Consumers and Strengthen Privacy Laws

Bill Requires Entities Not Covered by HIPAA to Implement Privacy Protections for Consumer Health Information

Attorney General Brian L. Schwalb today introduced the Consumer Health Information Privacy Protection Act of 2024 (“CHIPPA”), legislation to protect District consumers’ personal health data by requiring certain entities that fall outside of the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)—such as tech companies that have developed fitness apps or patient support groups—to adhere to strengthened privacy provisions regarding the collection, sharing, use, or sale of consumer health data.

“All Washingtonians should be able to make fully informed healthcare decisions, including regarding how, whether, and where their sensitive health information is shared,” said Attorney General Schwalb. “When health data is transferred without patients’ knowledge, it can reveal confidential information about their mental health or medication history, or worse, be used to identify and prosecute people who are seeking reproductive or gender affirming care. By requiring companies to disclose exactly how and where the data they collect is shared and to obtain informed consent before such data is shared, this bill is a critical step towards protecting District residents’ privacy and safety.”

The Consumer Health Information Privacy Protection Act:

  • Requires regulated entities to establish and make publicly available a consumer health data privacy policy governing the collection, use, sharing, and sale of consumer health data.

  • Requires regulated entities to obtain consumers’ informed consent before collecting and sharing their personal health data.

  • Establishes consumers’ right to access and choose whether and how personal health data is used by a regulated entity.

  • Establishes additional protections and consumer authorizations for the sale of personal health data.

  • Requires regulated entities to collect only the health data that is necessary for the purposes disclosed to consumers, and to use, share, and retain that consumer health data only for those purposes.

The full text of the legislation is available here.


How to Report Unfair Business Practices

OAG protects DC residents from fraud, exploitation, and deceptive business practices by investigating and mediating consumer complaints, educating residents about their rights, and taking legal action against businesses and individuals that harm residents and break the law. Since January 2023, OAG has obtained nearly $50 million through enforcement actions and settlements on behalf of DC consumers.

To report scams, fraud, or unfair business practices, contact OAG’s Office of Consumer Protection: