STATE OF NEW JERSEY
220th LEGISLATURE
PRE-FILED FOR INTRODUCTION IN THE 2022 SESSION
Sponsored by:
Assemblyman DANIEL R. BENSON
District 14 (Mercer and Middlesex)
Assemblywoman SHAVONDA E. SUMTER
District 35 (Bergen and Passaic)
Assemblyman CLINTON CALABRESE
District 36 (Bergen and Passaic)
Co-Sponsored by:
Assemblyman Scharfenberger, Assemblywomen Chaparro, Lopez, Assemblyman Danielsen, Assemblywoman Timberlake, Assemblymen Verrelli, Freiman and Assemblywoman Jimenez
SYNOPSIS
Restricts use of certain data collected for purposes of contact tracing related to COVID-19 pandemic.
CURRENT VERSION OF TEXT
Introduced Pending Technical Review by Legislative Counsel.
An Act concerning data privacy related to certain health information and supplementing Title 26 of the Revised Statutes.
Be It Enacted by the Senate and General Assembly of the State of New Jersey:
1. a. To the extent that any public health entity or a third party entity contracted by the public health entity to conduct contact tracing on the public health entity’s behalf collects data regarding an individual for the purposes of contact tracing related to the coronavirus disease 2019 (COVID-19) pandemic, including digital data from Bluetooth devices or global positioning systems, such health and location data shall only be used by the public health entity or third party entity for the purposes of completing contact tracing or for research or other purposes authorized under subsection d. of this section, and the public health entity or third party entity shall ensure that any individually identifiable or private health data is de-identified or deleted from the entity’s records no later than 90 days after the date the data is received by the entity.
b. If a public health entity enters into a contract with a third party entity to engage in contact tracing on the public health entity’s behalf and, pursuant to that contract, shares data collected for the purposes of contact tracing related to the COVID-19 pandemic with the third party entity or allows the third party entity to independently collect the data on behalf of the public health entity, the public health entity shall:
(1) publish the name of the third party entity on its Internet website or on the Internet website of the Department of Health;
(2) require that the third party entity only use the data for the purposes of completing contact tracing related to the COVID-19 pandemic or for research or other purposes authorized under subsection d. of this section; and
(3) require that the third party entity delete or de-identify any individually identifiable or private health data by the date on which the public health entity is required to delete or de-identify the data.
c. The Commissioner of Health shall require that systems using health and location data for contact tracing purposes automatically delete or de-identify any individually identifiable or private health data no later than 90 days after the data is entered into the system.
d. Nothing in this section shall be construed to prohibit public health entities or other appropriate entities from acquiring, retaining, or using de-identified contact tracing data collected in relation to the COVID-19 pandemic for research purposes or for other purposes related to the State’s response to the COVID-19 pandemic. The de-identified contact tracing data that may be acquired, retained, and used pursuant to this subsection shall include information and statistics concerning: age; gender; race and ethnicity; location; COVID-19 infection status; COVID-19 exposure information, including the type and nature of the exposure, the setting in which the exposure occurred, the relationship of the individual with the source of the exposure, the date of exposure, and the duration of the exposure; the date of onset of COVID-19; and any other statistical information authorized by the Commissioner of Health for acquisition, retention, or use under this subsection. Any entity in possession of de-identified contact tracing data as authorized under this subsection shall attest to the Commissioner of Health that the entity will not attempt to re-identify the data.
e. A third party entity that misuses or unlawfully discloses individually identifiable or private health data collected by or shared with the entity for the purposes of conducting COVID-19 contact tracing, or that retains the individually identifiable or private health data beyond the date on which the data is required to be deleted or de-identified, shall be liable to a civil penalty of up to $10,000, which shall be collected by and in the name of the Commissioner of Health in a summary proceeding before a court of competent jurisdiction pursuant to the “Penalty Enforcement Law of 1999,” P.L.1999, c.274 (C.2A:58-10 et seq.).
f. As used in this section:
“Contact tracing” means the process of identifying individuals who were in contact with a person who has tested positive for COVID-19 or who was likely exposed to COVID-19, as well as providing support services to the individual. Contact tracing may include: verbal interviews with individuals and those they may have had contact with, as well as any other individual who may have knowledge of potential exposure situations; to the extent authorized by applicable State and federal laws, accessing an individual’s digital data from a Bluetooth or global positioning system to identify potential exposures; and any other means utilized by a public health entity to track potential exposures to, and the potential spread of, COVID-19 among individuals and population groups within the State.
“De-identified data” means information that cannot be linked to an individual without additional information that is kept separately, or information that has been modified to a degree that the risk of re-identification is small.
“Individually identifiable data” means information that can be linked to an individual without the need for additional information, or information that can be linked to an individual using other information that is readily available to or accessible by the public.
“Private health data” means health data that is subject to the federal "Health Insurance Portability and Accountability Act of 1996," Pub.L.104-191, and any regulations promulgated thereunder by the Secretary of the U.S. Department of Health and Human Services. “Public health entity” means the Department of Health and any county or local board of health.
2. The Commissioner of Health shall adopt rules and regulations, pursuant to the “Administrative Procedure Act,” P.L.1968, c.410 (C.52:14B-1 et seq.), establishing rules and restrictions concerning the ways in which public health entities and third party entities may use data collected for contact tracing related to the COVID-19 pandemic, and how those entities will be required to ensure the security and confidentiality of that data, including any specific internal audit requirements those entities will be required to implement to guard against misuse or unauthorized disclosure of the data. Nothing in this section shall be construed to prohibit or delay the implementation of section 1 of this act immediately upon the effective date of this act.
3. This act shall take effect immediately.
STATEMENT
This bill provides that a public health entity performing contact tracing related to the coronavirus disease 2019 (COVID-19), including the Department of Health and any county or local board of health, as well as any third party entity contracted by the public health entity to conduct contact tracing on behalf of the public health entity, may only use the data for the purposes of completing contact tracing and for certain authorized research purposes.
Contact tracing is the process of identifying, and providing support services to, individuals who may have been exposed to COVID-19 through contact with a person who has tested positive for COVID-19 or who has had a serious risk exposure. Contact tracing may include both verbal interviews with individuals and the use of digital data, such as Bluetooth data and data from global positioning systems, to conduct proximity investigations and identify when individuals may have been in close contact with others.
The bill requires public health entities and contracted third parties to ensure that health and location data collected for contact tracing is de-identified or deleted from the entity’s records no later than 90 days after the date the data is received by the entity. If the public health entity contracts with a third party entity to perform contact tracing on the entity’s behalf, the public health entity will be required to publish the name of third party entity on the public health entity’s Internet website or on the Internet website of the Department of Health and require that the third party only use contact tracing data for contact tracing or authorized research. The third party entity will be subject to the same restrictions on the use of the data as apply to public health entities, and will be required to de-identify or delete the data by the date on which the public health entity is required to de-identify or delete the data. To this end, the Commissioner of Health is to require that systems using health and location data for contact tracing automatically de-identify or delete any individually identifiable or private health data no later than 90 days after the data is entered into the system.
The bill defines de-identified health data to mean information that cannot be linked to an individual without additional information that is kept separately, or information that has been modified to a degree that the risk of re-identification is small. Individually identifiable data is defined as information that can be linked to an individual without the need for additional information, or information that can be linked to an individual using other information that is readily available to or accessible by the public.
The bill expressly authorizes de-identified contact tracing data to be used by public health entities and other appropriate entities for research purposes or for other purposes related to the State’s COVID-19 response. The specific data that may be acquired, retained, and used for the purposes of research and the State’s COVID-19 response will include information and statistics concerning: age; gender; race and ethnicity; location; COVID-19 infection status; COVID-19 exposure information, including the type and nature of the exposure, the setting in which the exposure occurred, the relationship of the individual with the source of the exposure, the date of exposure, and the duration of the exposure; the date of onset of COVID-19; and any other statistical information as is authorized by the Commissioner of Health.
Any entity in possession of de-identified contact tracing data will be required to attest to the Commissioner of Health that the entity will not attempt to re-identify the data.
A third party entity that misuses or unlawfully discloses individually identifiable or private health data collected for contact tracing, or that retains the data beyond the date on which the data is required to be de-identified or deleted, will be liable to a civil penalty of up to $10,000, which will be collected by and in the name of the Commissioner of Health in a summary proceeding before a court of competent jurisdiction.
The bill requires the Commissioner of Health adopt rules and regulations concerning how public health entities and third party entities may use data collected for contact tracing related to the COVID-19 pandemic, and how those entities will be required to ensure the security and confidentiality of that data, including any specific internal audit requirements those entities will be required to implement to guard against misuse or unauthorized disclosure of the data. The rulemaking process will not prohibit or delay the implementation of the remaining provisions of the bill restricting the use of COVID-19 contact tracing data, which requirements will take effect immediately upon enactment.