The D.C. Council Committee on Health on March 23 heard competing views about B26‑0525, the Personal Health Data Security Amendment Act of 2025, a bill that would regulate collection, sale and use of personal health data in the District.
Chair Christina Henderson outlined the bill as granting residents the right to confirm whether personal health data is collected and to request deletion, banning geofencing around health‑care locations and requiring controllers to publish clear privacy policies and obtain consent before collecting or sharing data.
Privacy and civil‑liberties groups told the committee the bill is a necessary step. "Prohibiting geofencing will prevent further tracking and targeting of individuals based on their location alone," Melissa Wasser, senior policy counsel at ACLU‑DC, said, urging the committee to shorten the bill's deletion timeline from 183 days to 45 days to match other states. Sarah Gagan of the Electronic Privacy Information Center argued the bill should keep a broad definition of personal health data and move away from a notice‑and‑choice framework toward data‑minimization and purpose limits.
The Office of the Attorney General, represented by Assistant Attorney General Lindsay Marks, supported the bill's goals but urged several technical changes to improve enforceability and clarity. OAG recommended replacing some notice‑and‑consent provisions with explicit permissible‑processing rules, defining terms such as "consent" and "clear and conspicuous," requiring controllers to report summaries of deletion requests to OAG on a regular basis, and making violations per se violations of the District's Consumer Protection Procedures Act so that private suits and public enforcement could proceed. "We stand ready to work with the Committee to further enhance the bill," Marks told members.
Industry witnesses said the bill's goals are sound but warned of operational problems if definitions and exemptions are not tightened. "We support the intent but request language clarifying that HIPAA covered entities and their business associates are exempt," Justin Palmer of the District of Columbia Hospital Association said, stressing that hospitals and business associates currently operate under HIPAA and related federal frameworks. Trade associations, including TechNet and the Consumer Data Industry Association, asked the committee to align definitions and exemptions with other states and federal laws (including FCRA and GLBA) to avoid compliance conflicts and unintended consequences for credit reporting and financial data flows.
Committee members repeatedly asked about consent fatigue and cross‑jurisdictional application in the D.C. region, where many daily commuters live in Maryland or Virginia. Witnesses acknowledged the regional complexity and advised the committee to consider residency‑based rules or shield‑law approaches for out‑of‑state enforcement requests.
On the deletion timeline, OAG and several witnesses recommended shortening the period for honoring verified deletion requests to 45 days, aligning D.C. with neighboring states. The committee heard technical concerns about geofencing enforcement and asked OAG about investigatory capacity; OAG said it can enforce but may need technical experts for complex investigations.
The hearing produced several specific requests for amendments: clear HIPAA‑tailored exemptions that apply to protected health information rather than entire entities, a defined deletion timeline consistent with peer states, restrictions on using privacy policies as the sole basis for compliance, and enhanced reporting to OAG for oversight. The record on all three bills remains open until 5 p.m. on April 6.
Next steps: the committee will review submitted written testimony and consider technical changes during markup before any vote.