Support Public Service Journalism

Governor Inslee vetoes bipartisan COVID-19 health data privacy bill

On Tuesday, Governor Jay Inslee vetoed a “first of it’s kind” bill that would have protected COVID-19 health data. This bill would have increased protections and privacy for COVID-19 health data collected by third parties that are not health care facilities, agencies or providers. 

A person familiar with the governor’s thinking said the reason for the veto is because the Governor’s Office has perceived an issue around whether the language of the bill could prevent them from certain promotions to encourage vaccinations. 

In the veto message, Inslee said while he supports the goals of the bill, the language in the bill is too broad.

The intent of the proposal was to address data collected during contact tracing work, however the plain language of the bill is very broad and covers other COVID-related information that was not contemplated at the time of drafting. For example, this bill appears to prohibit efforts by public and private entities to offer incentives to become vaccinated or to make certain opportunities available to those persons who are vaccinated. The current critical need to incentivize every eligible person to become vaccinated is an issue that did not exist, and was not contemplated, at the time this bill was drafted or made its way through the legislative process.”

House Bill 1127 is, according to experts, the first major data privacy bill to pass the Legislature, and has bipartisan support and sponsorship. The bill is sponsored by Representatives Vandana Slatter, Matt Boehnke, Javier Valdez, Shelly Kloba, Jenny Graham, Nicole Macri and Gerry Pollet. 

Slatter, who is the prime sponsor of the bill, said she is disappointed by the Governor’s decision to veto the bill, and called the bill a “tremendous accomplishment.”

At the beginning of the pandemic, HB 1127 set up a framework to reassure Washingtonians that use of contact tracing and exposure notification technologies was voluntary, that COVID-19 health data would be used only for a public health purpose and would be deleted after that use. This bill was a tremendous accomplishment: in the middle of a pandemic and public health crisis, we passed a first-of-its-kind, precedent-setting bill to help secure Washingtonians’ privacy and their health.”

Slatter, who holds a Doctor of Pharmacy and Master of Public of Public Administration from the University of Washington, said the language in the bill was constructed early in the pandemic, and pledged that the work around this issue will continue.

Cyberattacks on health care systems and infrastructure, the widespread sale of data for profit, and historic and ongoing racism in our health care systems have left many Washingtonians distrustful of government and technology companies. Absent laws and regulations that build consumer confidence in the protection, security, and use of personal health data, we lose an important tool to combat current and future public health threats. The COVID-19 virus has weaponized our very social connections and laid bare long-standing inequities in our society. We need to use every single tool available to defeat it. Every Washingtonian should feel confident that their COVID-19 health data will only be used for this purpose.”

Advocates for the bill said the bill “set a precedent for future data privacy efforts.” Slatter said she looks forward to making progress on privacy protections.

I am more committed than ever to making real progress on modern privacy protections next session to deliver innovative solutions to protect Washingtonians’ privacy. I look forward to partnering with the Office of the Governor, state agencies, the private sector, other elected leaders and community advocates to drive these efforts forward.”

Public health case investigation, testing and contact tracing tools to control the spread of communicable diseases are routinely used and are subject to laws and policies protecting health information privacy. WA Notify, for example, has privacy-preserving features built in. This bill would have ensured that any new digital tools to increase the public health system’s capacity to deal with the pandemic will also have protections in place to safeguard privacy.

The bill specifically would have restricted a covered organization to only collecting, using or disclosing COVID-19 health data that is necessary, proportionate and limited for a good-faith COVID-19 public health purpose. The organization would have been required to limit the collection, use or disclosure of COVID-19 health data to the minimum level of identifiability. This health data would have only been disclosable to public health agencies or for a good-faith COVID-19 public health purpose, unless the information disclosed is protected under a state or federal privacy laws.

The data collected by these organizations was required to be destroyed within 30 days. The data could not have been used for any unauthorized purpose. 

The provisions in the bill would have expired on Dec 31, 2022.

This story was cross-posted on our sister site State of Reform.


Your support matters.

Public service journalism is important today as ever. If you get something from our coverage, please consider making a donation to support our work. Thanks for reading our stuff.