Oregon Attorney General Ellen Rosenblum today praised the Oregon House of Representatives for unanimously passing HB 3284, a bill proposed by the Attorney General to protect personal health data related to COVID-19. This bill applies to any commercial website, private entity, or mobile “contact tracing” or exposure notification app that collects, uses or discloses information about a person’s exposure to or infection by COVID-19. The bill does not apply to healthcare providers, the Oregon Health Authority, or public health agencies, which are already covered by separate health information privacy laws.
“Even with the urgency of COVID-19, and our need for successfully locating possible sources of infection, we must make sure we protect our health data,” said Attorney General Rosenblum. “This bill ensures that if you sign up for a contact tracing app, you must explicitly provide consent for your health information to be collected. And, your health data can only be used to provide you with contact tracing services.”
In 2019, Attorney General Rosenblum created the Consumer Privacy Task Force, which was formed to answer the growing call for comprehensive state consumer privacy legislation. HB 3284 is the result of a Task Force subcommittee that convened to address privacy issues related to the pandemic and included privacy and public health experts from Oregon and beyond. The bill is expected to serve as model legislation for the rest of the country. The work of the larger Task Force is still ongoing.
“I want to thank Representative Paul Holvey for sponsoring this bill, and the Oregon House of Representatives for passing this critical privacy bill that protects our sensitive health information from private companies that may have wanted to use our information for other purposes,” continued Attorney General Rosenblum.
About HB 3284
HB 3284 prohibits an organization from collecting, using or disclosing personal health data without affirmative express consent. Specifically, the consent must be clear, and not just acceptance of a broad terms of use document. Consent may not be obtained through “dark patterns”, or a user interface that has been designed to trick users into doing things, like buying or signing up for something they didn’t mean to. A covered entity must provide a way to revoke consent once it has been given, after which personal health data may no longer be collected. Additionally, this information cannot be used for commercial advertising or used for marketing algorithms.
Protecting/Deleting Data
HB 3284 requires personal health data to be deleted 65 days after it has been collected, on a rolling basis. However, data can be retained if it has been deidentified and converted into statistical analyses, compilations, or interpretations (so the data cannot be traced back to an individual).
Additional provisions require covered organizations to:
- Take reasonable measures to ensure the accuracy of the data;
- Provide a method for correcting inaccuracies;
- Establish safeguards to protect the data from a data breach;
- Establish and implement policies that prevent the data from being used for a discriminatory purpose;
- Provide information to the consumer, including information about how to revoke consent, in transparent policies; and
- Maintain recordkeeping about how they have complied with the requirements of this law.
The bill will now advance to the Oregon Senate.