Bill > B26-0525

This bill amends the District of Columbia's personal health data protection laws to establish comprehensive safeguards for individuals' health information. The legislation prohibits the use of geofencing technology within 2,000 feet of health care facilities to prevent tracking, data collection, or targeted advertising related to health services. Controllers (organizations determining how personal health data is processed) must maintain a publicly available privacy policy that clearly explains data collection practices, obtain explicit consent before processing personal health data, and establish a secure process for data subjects to request deletion of their information. The bill grants individuals the right to confirm what personal health data is being processed, withdraw consent at any time, and request complete deletion of their data from a controller's systems and any third parties with whom the data has been shared. Controllers are forbidden from selling personal health data without affirmative consent, retaliating against individuals who exercise their data rights, or processing data inconsistently with their published privacy policy. Processors must promptly notify sub-processors of deletion requests and confirm deletion in writing. The Office of the Attorney General is granted exclusive enforcement authority, with the ability to investigate violations, issue subpoenas, and impose civil penalties of up to $10,000 per violation. The act aims to provide District of Columbia residents with greater control and transparency regarding the use of their personal health information.

Health and Social Services

https://lims.dccouncil.gov/Legislation/B26-0525