Code · BILL · 116th Congress · S. 3749 (Introduced in Senate) — To protect the privacy of health information during a national health emergency. · Sec. 3

Sec. 3. Protecting the privacy and security of emergency health data

A covered organization that collects emergency health data shall—
  • only collect, use, or disclose such data that is necessary, proportionate, and limited for a good faith public health purpose, including a service or feature to support such a purpose;
  • take reasonable measures, where possible, to ensure the accuracy of emergency health data and provide an effective mechanism for an individual to correct inaccurate information;
  • adopt reasonable safeguards to prevent unlawful discrimination on the basis of emergency health data; and
  • only disclose such data to a government entity when the disclosure—
      • is to a public health authority; and
      • is made solely for good faith public health purposes and in direct response to exigent circumstances.
A covered organization or service provider that collects, uses, or discloses emergency health data shall establish and implement reasonable data security policies, practices, and procedures to protect the security and confidentiality of emergency health data.

A covered organization shall not collect, use, or disclose emergency health data for any purpose not authorized under this section, including—
  • commercial advertising, recommendation for e-commerce, or the training of machine-learning algorithms related to, or subsequently for use in, commercial advertising and e-commerce;
  • soliciting, offering, selling, leasing, licensing, renting, advertising, marketing, or otherwise commercially contracting for employment, finance, credit, insurance, housing, or education opportunities in a manner that discriminates or otherwise makes opportunities unavailable on the basis of emergency health data; and
  • segregating, discriminating in, or otherwise making unavailable the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation (as such term is defined in section 301 of the Americans With Disabilities Act of 1990 (42 U.S.C. 12181)), except as authorized by a State or Federal Government entity for a public health purpose notwithstanding subsection (g).
It shall be unlawful for a covered organization to collect, use, or disclose emergency health data, unless—
  • the individual to whom the data pertains has given affirmative express consent to such collection, use, or disclosure;
  • such collection, use, or disclosure is necessary and for the sole purpose of—
      • protecting against malicious, deceptive, fraudulent, or illegal activity; or
      • detecting, responding to, or preventing information security incidents or threats; or
  • the covered organization is compelled to do so by a legal obligation.
A covered organization shall provide an effective mechanism for an individual to revoke consent after it is given. After an individual revokes consent, the covered organization shall cease collecting, using, or disclosing the individual’s emergency health data as soon as practicable, but in no case later than 15 days after the receipt of the individual’s revocation of consent. Not later than 30 days after the receipt of an individual’s revocation of consent, a covered organization shall destroy or render not linkable that individual’s emergency health data under the same procedures in subsection (f).
A covered organization that collects, uses, or discloses emergency health data shall provide to an individual a privacy policy that—
  • is disclosed in a clear and conspicuous manner, in the language in which the individual typically interacts with the covered organization, prior to or at the point of the collection of emergency health data;
  • describes how and for what purposes the covered organization collects, uses, and discloses emergency health data, including the categories of recipients to whom it discloses data and the purpose of disclosure for each category;
  • describes the covered organization’s data retention and data security policies and practices for emergency health data; and
  • describes how an individual may exercise the rights under this Act and how to contact the Commission to file a complaint.
A covered organization that collects, uses, or discloses emergency health data of at least 100,000 individuals shall, at least once every 90 days, issue a public report—
  • stating in aggregate terms the number of individuals whose emergency health data the covered organization collected, used, or disclosed, to the extent practicable; and
  • describing the categories of emergency health data collected, used, or disclosed, the purposes for which each such category of emergency health data was collected, used, or disclosed, and the categories of third parties to whom it was disclosed.
Nothing in this subsection shall be construed to require a covered organization to—
  • take an action that would convert data that is not emergency health data into emergency health data;
  • collect or maintain emergency health data that the covered organization would otherwise not maintain; or
  • maintain emergency health data longer than the covered organization would otherwise maintain such data.

A covered organization may not use or maintain emergency health data of an individual after the later of—
  • the date that is 60 days after the termination of the public health emergency declared by the Secretary on January 31, 2020, pertaining to Coronavirus Disease 2019 (COVID–19) under section 319 of the Public Health Service Act (42 U.S.C. 247d) and any renewals thereof;
  • the date that is 60 days after the termination of a public health emergency declared by a governor or chief executive of a State pertaining to Coronavirus Disease 2019 (COVID–19) in which the individual resides; or
  • 60 days after collection.
For the requirements under paragraph (1), data shall be destroyed or rendered not linkable in such a manner that it is impossible or demonstrably impracticable to identify any individual from the data.

The provisions of this subsection shall not supersede any requirements or authorizations under—
  • the Privacy Act of 1974 (Public Law 93–79);
  • the HIPAA regulations; or
  • Federal or State medical records retention and health privacy laws or regulations, or other applicable Federal or State laws.
Not later than 7 days after the date of enactment of this Act, the Commission shall initiate a public rulemaking to promulgate regulations to ensure a covered organization that has collected, used, or disclosed emergency health data before the date of enactment of this Act is in compliance with this Act, to the degree practicable. The Commission shall complete the rulemaking within 45 days after the date of enactment of this Act.

Nothing in this Act shall be construed to limit or prohibit a public health authority from administering programs or activities to identify individuals who have contracted, or may have been exposed to, COVID–19 through interviews, outreach, case investigation, and other recognized investigatory measures by a public health authority or their designated agent intended to monitor and mitigate the transmission of a disease or disorder.
This section shall not be construed to prohibit—
  • public health or scientific research associated with the COVID–19 public health emergency by—
      • a public health authority;
      • a nonprofit organization, as described in section 501(c)(3) of the Internal Revenue Code of 1986; or
      • an institution of higher education, as such term is defined in section 101 of the Higher Education Act of 1965 (20 U.S.C. 1001); or
  • research, development, manufacture, or distribution of a drug, biological product, or vaccine that relates to a disease or disorder that is associated or potentially associated with a public health emergency.
Notwithstanding subsection (a)(5), nothing in this Act shall be construed to prohibit a good faith response to, or compliance with, otherwise valid subpoenas, court orders, or other legal processes, or to prohibit storage or providing information as otherwise required by law.

This Act does not apply to a covered entity or a person acting as a business associate under the HIPAA regulations (to the extent that such entities or associates are acting in such capacity) or any health care provider.
Not later than 30 days after the date of enactment of this Act, the Secretary shall promulgate guidance on the applicability of requirements similar to those in this section to covered entities and persons acting as business associates under the HIPAA regulations. In promulgating such guidance, the Secretary shall reduce duplication of requirements and may exclude a requirement of this section if such requirement is already a requirement of the HIPAA regulations.