ASSEMBLY APPROPRIATIONS COMMITTEE

 

STATEMENT TO

 

[First Reprint]

ASSEMBLY, No. 4170

 

with committee amendments

 

STATE OF NEW JERSEY

 

DATED:  JULY 27, 2020

 

      The Assembly Appropriations Committee reports favorably Assembly Bill No. 4170 (1R), with committee amendments.

      As amended by the committee, this bill provides that a public health entity performing contact tracing related to the coronavirus disease 2019 (COVID-19), including the Department of Health and any county or local board of health, as well as any third party entity contracted by the public health entity to conduct contact tracing on behalf of the public health entity, may only use the data for the purposes of completing contact tracing and for certain authorized research purposes.

      Contact tracing is the process of identifying, and providing support services to, individuals who may have been exposed to COVID-19 through contact with a person who has tested positive for COVID-19 or who has had a serious risk exposure.  Contact tracing may include both verbal interviews with individuals and the use of digital data, such as Bluetooth data and data from global positioning systems, to conduct proximity investigations and identify when individuals may have been in close contact with others.

      As amended, the bill requires public health entities and contracted third parties to ensure that health and location data collected for contact tracing is de-identified or deleted from the entity’s records no later than 90 days after the date the data is received by the entity.  If the public health entity contracts with a third party entity to perform contact tracing on the entity’s behalf, the public health entity will be required to publish the name of third party entity on the public health entity’s Internet website or on the Internet website of the Department of Health and require that the third party only use contact tracing data for contact tracing or authorized research.  The third party entity will be subject to the same restrictions on the use of the data as apply to public health entities, and will be required to de-identify or delete the data by the date on which the public health entity is required to de-identify or delete the data.  To this end, the Commissioner of Health is to require that systems using health and location data for contact tracing automatically de-identify or delete any individually identifiable or private health data no later than 90 days after the data is entered into the system.

      As amended, the bill defines de-identified health data to mean information that cannot be linked to an individual without additional information that is kept separately, or information that has been modified to a degree that the risk of re-identification is small.  Individually identifiable data is defined as information that can be linked to an individual without the need for additional information, or information that can be linked to an individual using other information that is readily available to or accessible by the public.

      As amended, the bill expressly authorizes de-identified contact tracing data to be used by public health entities and other appropriate entities for research purposes or for other purposes related to the State’s COVID-19 response.  The specific data that may be acquired, retained, and used for the purposes of research and the State’s COVID-19 response will include information and statistics concerning:  age; gender; race and ethnicity; location; COVID-19 infection status; COVID-19 exposure information, including the type and nature of the exposure, the setting in which the exposure occurred, the relationship of the individual with the source of the exposure, the date of exposure, and the duration of the exposure; the date of onset of COVID-19; and any other statistical information as is authorized by the Commissioner of Health. 

      Any entity in possession of de-identified contact tracing data will be required to attest to the Commissioner of Health that the entity will not attempt to re-identify the data.

      A third party entity that misuses or unlawfully discloses individually identifiable or private health data collected for contact tracing, or that retains the data beyond the date on which the data is required to be de-identified or deleted, will be liable to a civil penalty of up to $10,000, which will be collected by and in the name of the Commissioner of Health in a summary proceeding before a court of competent jurisdiction.

      As amended, the bill requires the Commissioner of Health adopt rules and regulations concerning how public health entities and third party entities may use data collected for contact tracing related to the COVID-19 pandemic, and how those entities will be required to ensure the security and confidentiality of that data, including any specific internal audit requirements those entities will be required to implement to guard against misuse or unauthorized disclosure of the data.  The rulemaking process will not prohibit or delay the implementation of the remaining provisions of the bill restricting the use of COVID-19 contact tracing data, which requirements will take effect immediately upon enactment.

COMMITTEE AMENDMENTS:

      The committee amendments revise the bill to clarify that it applies to public health entities and to third party entities with which a public health entity contracts to conduct contact tracing on the public entity’s behalf, and to clarify that those third party entities may be authorized to directly engage in contact tracing and collect contact tracing data.

      The committee amendments clarify that contact tracing data may be retained for 90 days, rather than 30 days, and allow for de-identification of contact tracing data as an alternative to deleting the data.  

      The committee amendments provide that certain de-identified contact tracing data may be acquired, retained, and used by public health and other entities for research purposes and for other purposes related to the State’s coronavirus disease 2019 (COVID-19) response.  Entities in possession of de-identified contact tracing data will be required to attest to the Commissioner of Health that the entity will not attempt to re-identify the data.

      The amendments replace a requirement for the Department of Health to establish guidance, with public input, concerning restrictions on the use of COVID-19 contact tracing data, security and confidentiality requirements for contact tracing data, and internal auditing requirements for entities in possession of contact tracing data, to instead require the department to establish these requirements and restrictions using the formal rulemaking process set forth in the “Administrative Procedure Act.”

 

FISCAL IMPACT:

      The Office of Legislative Services finds that the provisions of this bill, as amended, would increase costs for the Department of Health (DOH) to adopt regulations concerning the use of, and privacy protections for, individually identifiable and private health data collected pursuant to public health contact tracing for the novel coronavirus 2019 (COVID-19).  However, State costs should be minimized to the extent that the DOH can modify existing State regulations concerning contact tracing for individuals diagnosed with other communicable diseases, such as tuberculosis and the human immunodeficiency virus (HIV).

      The DOH, as well as county and local public health departments, may also realize minimal increased costs associated with publicly publishing on its website the name of any third-party entities with which the DOH, or any county or local board of health, shared individually identifiable or private health data as part of a contract for COVID-19 contact tracing services.  Additional, albeit marginal, costs would result from the bill’s requirement that the DOH and other public health departments either de-identify or delete, within 90 days of acquisition, any individually identifiable or private health data collected as part of the department’s own COVID-19 contact tracing activities.  The bill also directs the DOH and any county or local board of health to ensure that third-party entities contracted to conduct COVID-19 contact tracing also delete or de-identify, within 90 days of acquisition, all individually identifiable or private health data gathered as part of these contracted activities. 

      State revenues could potentially increase as a result of a provision in the bill that imposes a $10,000 penalty on any third-party entity that misuses or unlawfully discloses individually identifiable or private health data collected or shared as part of the entity’s contact tracing contract.  This penalty would also be levied if the third-party entity does not delete or de-identify individually identifiable or private health data within 90 days of acquisition.  Any penalties collected pursuant to the bill would be collected in the name of the Commissioner of Health.  However, absent information on the number of monetary penalties that the DOH might impose, the OLS cannot estimate the amount of revenue that might be collected pursuant to this provision.