October 11, 2020

Digital Contact Tracing in the European Union - Best Practices for United States Legislators and Regulators?

By Ashley Thomas, Esq., CIPP/US, CIPP/E, Morris, Manning & Martin LLP, Washington, D.C. and Matthew Buchbinder, Esq., CIPP/US, North, Pursell & Ramos, PLC, Nashville, TN

Countries across the globe have been grappling with the COVID-19 pandemic and how to mitigate its spread. Digital contact tracing has emerged as one solution for managing the pandemic. With digital contact tracing, however, come significant privacy challenges, in large part because of the sheer scope of sensitive data that is collected through digital contact tracing. The lack of a comprehensive federal privacy law in the United States and its sectorial approach to privacy would leave potential digital contact tracing solutions largely unregulated. The European Union (E.U.), however, has been very active in issuing guidance related to digital contact tracing solutions, and how to achieve compliance with the E.U.’s comprehensive privacy regulation, the General Data Protection Regulation (GDPR). E.U. guidance could be instructive for U.S. legislators and regulators working on the privacy implications of digital contact tracing.

This article will describe the privacy challenges associated with digital contact tracing, examine existing and proposed legislation and regulations in the United States that apply to digital contact tracing, investigate the E.U.’s approach to digital contact tracing, and extract some best practices from the European approach that should be considered by businesses and employers as the United States works on addressing these issues.

Privacy Challenges Associated with Digital Contact Tracing

The coronavirus disease 2019 (COVID-19) is “a rapidly spreading infectious disease caused by severe acute respiratory syndrome–coronavirus 2 (SARS-CoV-2), betacoronavirus” first identified in Wuhan, China.1 On February 11, 2020, the World Health Organization (WHO) announced that the official name for the disease would be “coronavirus disease 2019” and, on March 11, 2020, the WHO declared COVID-19 a global pandemic.2 During the press conference, the WHO Director-General noted that the WHO is “deeply concerned both by the alarming levels of spread and severity and by the alarming levels of inaction” and called on countries to take immediate action to contain the virus: “[w]e should double down . . . .We should be more aggressive.”3 It has been reported that, with access to intensive care, the case fatality rate is approximately two percent, and the proportion of cases requiring intensive care is five percent.4 “No treatment is currently available, and vaccines are not expected to be sufficiently widely available to control the epidemic within the coming year.”5

Accordingly, public health organizations have had to rely on traditional epidemic control measures, like contact tracing, to slow the epidemic. Contact tracing is a core disease control measure that has been employed by public health agency personnel for decades.6  The Centers for Disease Control and Prevention (CDC) has described case investigation and contact tracing as “fundamental activities that involve working with a patient (symptomatic and asymptomatic) who has been diagnosed with an infectious disease to identify and provide support to people (contacts) who may have been infected through exposure to the patient.”7 The contact tracing process prevents the further transmission of an infectious disease by facilitating the separation of infected individuals from individuals who have not been infected.8

Generally speaking, challenges associated with contact tracing include “incomplete identification of contacts, inefficiencies in paper-based reporting systems, complex data management requirements, and delays in steps from identification of contacts to isolation of suspected cases among contacts.”9 Contact tracing for COVID-19 presents unique challenges in its implementation because COVID-19 spreads very easily and by people who are asymptomatic.10

Many countries have implemented digital contact tracing solutions to address challenges associated with implementing contact tracing for COVID-19. In South Korea, a smartphone application (app) known as the “Self-Quarantine Safety Protection” was released, which allowed for quarantined individuals to communicate with and report symptoms to public health officials and utilized GPS to keep track of quarantined patients’ locations to make sure they are not breaking their quarantine.11 In Israel, a voluntary smartphone app (“The Shield”) was released that can tell users immediately if they have crossed paths with another person known to have been infected with COVID-19 by taking the user’s location data history and comparing it with the location data history of infected individuals.12 In the United States, Apple and Google have partnered to develop application programming interfaces (APIs) and operating system-level technology to facilitate smartphone contact tracing applications that would keep users’ location data private.13 Instead of storing and analyzing users’ location data, the Apple/Google API is designed to utilize phones’ Bluetooth radios, which have a range of 30 feet, to keep track of whether a user’s phone has come within 30 feet of someone who later turns out to have been infected with COVID-19.14

Although digital contact tracing solutions address many of the challenges associated with contact tracing for COVID-19, they also present new privacy challenges.15 Perhaps the most obvious privacy challenge is the vast amount of location data collected. For apps that rely on users’ location data, especially for users who live in sparsely populated areas, it may be difficult to anonymize this location data. Further, the location data gathered provides extensive information about users’ daily activities and habits, which is especially problematic if it ended up in the possession of governmental agencies, hackers, or other unintended parties through a cyberattack or legal proceeding.

While Bluetooth solutions limit or eliminate the location data that is shared with contact tracing applications, the proximity-based approach presents different challenges.16 Proximity tracing could more easily lead to the discovery of a person’s infection status. A user with a limited number of physical contacts who receives a notification of contact with someone infected with COVID-19 could use their own device contact log to identify the personal contacts who have self-reported positive infection statuses through contact-tracing apps. Further, because proximity is but one factor in virus exposure and may be less significant than some other factors, such as whether individuals are wearing masks, proximity-based tracing can be over-inclusive in identifying potential COVID-19 exposure. This can both undermine the efficiencies gained through digital contact tracing and result in real-world negative consequences for users who may need to rely on a clean bill of proximity exposure to secure life insurance or receive clearance to return to work.

Lastly, there have been concerns that because all digital contact tracing solutions require a large amount of data to be collected from a large portion of a particular population to be effective, digital contact tracing efforts may create the infrastructure to pave the way for digital surveillance in the future.17

Existing and Proposed U.S. Legislation and Regulations Applicable to Digital Contact Tracing

The United States’ sectorial, rather than comprehensive, approach to data privacy law has potentially left digital contact tracing solutions unregulated. There is current U.S. law, however, that does apply to digital contact tracing, and it is important for businesses and healthcare entities to keep in mind that federal and state laws still apply during the pandemic. Specifically, the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), state biometric privacy laws in Illinois, Texas, and Washington, and state data breach notification laws currently apply to digital contact tracing solutions utilized in the United States. Further, there have been three prominent pieces of proposed legislation that would regulate digital contact tracing solutions directly.

Health Insurance Portability and Accountability Act

HIPAA is often misdescribed as applying to all health data in the United States. Instead, HIPAA regulates the use and disclosure of protected health information (PHI) by “covered entities” and their “business associates.”18 Covered entities include health plans,19 healthcare clearinghouses,20 and “health care providers”21 that transmit electronic health information in connection with a HIPAA-covered transaction.22 A business associate is one who, among other actions, “creates, receives, maintains, or transmits protected health information” on behalf of a covered entity for an activity regulated under HIPAA generally, such as claims processing, data analysis, administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing.23 The HIPAA Privacy Rule recognizes that entities may engage in conduct that makes them covered entities (“covered functions”) while performing some functions and not a covered entity while performing other functions.24 In such situations, only the designated healthcare component of a hybrid entity is required to comply with the HIPAA Privacy Rule.25

The obligations of covered entities and business associates under HIPAA relate to their use and disclosure of PHI. PHI includes information that (1) “identifies,” or can reasonably “be used to identify,” an individual; (2) is “created or received by a health care provider, health plan, employer, or health care clearinghouse”; (3) relates to an individual’s past, present, or future physical or mental health, healthcare provision, or payment for the provision of healthcare; and (4) is transmitted by or maintained in electronic or any other form or medium.26

Under the Privacy Rule, HIPAA imposes robust restrictions on how PHI can be used and disclosed. At the heart of the Privacy Rule is the general rule that, absent an exception, covered entities (and business associates) may not use or disclose PHI to a third party without a valid authorization from a patient.27 One exception to this general rule relevant to contact tracing is the public health activities exception.28 This exception allows covered entities to use or disclose PHI without individual patient authorization or the opportunity for the patient to agree or object to “a public health authority” that is legally authorized to collect the information “for the purpose of preventing or controlling disease, injury, or disability,” including “the conduct of public health surveillance.”29 A “public health authority” includes any agency or authority of the “United States, a State, a territory, a political subdivision of a State or territory, or Indian tribe,” that is “responsible for public health matters as part of its official mandate,” as well as “a person or entity acting under a grant of authority from or contract with” such an agency.30 “Public health authority” encompasses a wide range of governmental agencies, including the CDC and state and local public health departments.

Under HIPAA’s Security Rule, HIPAA also requires covered entities and business associates to implement and maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting PHI.31

While HIPAA includes robust privacy and security requirements, its primary limitation in effectively regulating digital contact tracing solutions is its limited scope. If a digital contact tracing app does not constitute a covered entity or business associate of a covered entity, HIPAA’s requirements would not apply. Similarly, if PHI is disclosed pursuant to the public health activities exception to an entity that does not constitute a covered entity or business associate of a covered entity, that PHI would no longer be protected by HIPAA.

California Consumer Privacy Act

The CCPA went into effect on January 1, 2020, and is a sweeping new law that introduces a host of privacy rights for California residents. The California Attorney General started enforcing the CCPA on July 1, 2020. Under the CCPA, businesses that develop or deploy mobile apps are required to provide a notice to California consumers at or before the point of data collection. The notice should detail how the app collects and uses the personal information as well as whether the app will share personal information with third parties. The CCPA broadly defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”32 Under the CCPA, companies that engage in contact tracing will need to provide notice of the specific types and categories of personal information collected, the sources of that information, and the third parties to which it discloses the personal information. For employers, there is currently an exemption from disclosing or deleting employee information upon request; however, that exemption is set to expire on January 1, 2021. Currently, employers must provide an employee notice which identifies only the categories of personal information and describes the business purposes for which each category of personal information will be used. Once the exemption expires, however, employers will be obligated to share or delete personal information if an employee makes such a request. It’s important for employers to remember there is a 12-month lookback period for employees who will be able to request access or the right to delete their information, and employers will be required to comply with those requests.

State Biometric Privacy Laws 

Contact tracing and temperature screening can implicate state biometric privacy laws in effect in Illinois, Texas, and Washington.33 Biometric data generally encompasses unique, recognizable and verifiable human biological or behavioral characteristics that range from fingerprints and voiceprints to facial scans. The most stringent state biometric privacy law is the Illinois Biometric Privacy Act (BIPA) which restricts the collection and use of biometric information unless certain requirements are met. BIPA requires informing individuals that biometric information is being collected or stored; informing them regarding the purpose and retention period of biometric data collection; obtaining a consent by a written release; and establishing and posting a policy on these issues. BIPA is implicated if contact tracing utilizes facial scans or facial recognition thermal scanning.

State Data Breach Notification Laws

In addition, businesses need to be aware of state data breach notification laws in the event there is a data breach or security incident with the information collected through contact tracing and temperature screening. All 50 states have some form of a data breach notification law with certain requirements. Typically, states require notice to individuals and potentially state authorities if there is an unauthorized acquisition of personal information, which is generally defined as an individual’s first name or first initial and last name combined with certain data elements such as social security numbers or financial information. Some state laws do include medical and biometric information34 and businesses should be aware of those notification requirements.

Proposed Federal Legislation

Several pieces of federal legislation have been introduced to regulate digital contact tracing solutions directly – the COVID-19 Consumer Data Protection Act of 2020, the Public Health Emergency Privacy Act, and the Exposure Notification Privacy Act.

On May 7, 2020, Republican Senators35 introduced the COVID-19 Consumer Data Protection Act of 2020.36 The bill would apply the following requirements to entities subject to the jurisdiction of the Federal Trade Commission (FTC):37

  • Require entities to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, device, geolocation, or proximity information for the purposes of tracking the spread of COVID-19, including employee screening data.
  • Direct entities to disclose at the point of collection:
    • how data will be handled,
    • to whom data will be transferred, and
    • how long data will be retained.
  • Establish clear definitions about what constitutes aggregate and de-identified data to ensure entities adopt technical and legal safeguards to protect data from being re-identified.
  • Require entities to allow individuals to opt out of the collection, processing, or transfer of their personal health, geolocation, or proximity information.
  • Direct entities to provide transparency reports to the public describing their data collection activities related to COVID-19.
  • Establish data minimization and data security requirements for any personally identifiable information collected by a covered entity.
  • Require entities to publish a privacy policy with a general description of the data retention practices for covered data and their data security practices.
  • Require entities to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency.
  • Authorize state attorneys general to enforce the Act.38

On May 14, 2020, House and Senate Democrats39 introduced the Public Health Emergency Privacy Act.40 Similar to the COVID-19 Consumer Data Protection Act of 2020, the Public Health Emergency Privacy Act would put temporary rules in place related to the collection, use, and disclosure of health data used to combat the spread of the coronavirus. The requirements imposed by the Public Health Emergency Privacy Act would only apply (1) during the course of the Public Health Emergency as declared by the Secretary of Health and Human Services (HHS); (2) to specific uses of certain personal data; and (3) to personal data related to the COVID-19 health emergency, including physical or behavioral health information and data such as geolocation data, proximity data and demographic data, collected for the purpose of tracking, screening, monitoring, contact tracing, or otherwise responding to COVID-19. It would require covered organizations to secure such data by:

  • Only collecting, using, or disclosing data that is necessary, proportionate, and limited for a good-faith health purpose;
  • Taking measures to ensure the accuracy of data and providing a mechanism for individuals to correct inaccuracies;
  • Adopting reasonable safeguards to prevent unlawful discrimination on the basis of emergency health data;
  • Only disclosing data to a government entity if it is to a public health authority and is solely for public health purposes;
  • Establishing and implementing reasonable data security policies, practices, and procedures;
  • Obtaining affirmative express consent before collecting, using or disclosing emergency health data unless one of several narrow exceptions are met, and providing individuals with the ability to revoke that consent;
  • Providing notice in a privacy policy prior to collection describing the purposes for which the data will be used, the categories of recipients to whom the data will be disclosed, the purpose of that disclosure, and the rights individuals may exercise;
  • Issuing a public report every 90 days stating the number of individuals whose data has been collected, used or disclosed, the categories of data collected, and the purpose for which it was used and disclosed if the covered organization has collected, used, or disclosed data of over at least 100,000 individuals; and
  • Not using or maintaining emergency health data 60 days after the public health emergency has been terminated, and destroying or rendering not linkable such data.

The FTC would be given authority to promulgate regulations regarding data that was collected, used, or disclosed prior to its enactment and would have enforcement power along with state attorneys general and individuals (through a private right of action). The Public Health Emergency Privacy Act also prevents governmental entities from using data to deny, restrict, or interfere with an individual’s right to vote and requires the Secretary of HHS to submit reports examining the civil rights impact of the collection, use and disclosure of data covered by this Act.

On June 1, 2020, a bipartisan bill to regulate digital contact tracing solutions titled the Exposure Notification Privacy Act (ENPA) was introduced by Senators Maria Cantwell (D-WA) and Bill Cassidy (R-LA).41 The ENPA applies to entities operating “automated exposure notification services,” which is defined as a website, online service, online application, mobile application, or mobile operating system that is offered in commerce in the United States and that is designed, in part or in full, specifically to be used for, or marketed for, the purpose of digitally notifying, in an automated manner, an individual who may have become exposed to an infectious disease (or the device of such individual, or a person or entity that reviews such disclosures). Entities that constitute “automated exposure notification services” must:

  • “Collaborate” with public health officials to operate the service.
  • Confirm diagnoses processed by an automated exposure notification with a public health official or a healthcare provider.
  • Obtain “affirmative express consent” from the user.
  • Provide users with a “clear and conspicuous” means to withdraw that consent.
  • Provide a privacy policy in a “conspicuous and readily accessible manner,” detailing how it collects, processes, and transfers data.
  • Not collect or process data: (1) beyond the minimum amount necessary to implement an automated exposure notification service for public health purposes; or (2) for any commercial purpose.
  • Establish, implement and maintain data security practices to protect the data collected including, at a minimum, a risk and vulnerability assessment, corrective action to mitigate risks and vulnerabilities, and data breach notification.
  • Regularly delete the data every 30 days or at such time consistent with a standard published by a public health authority within an applicable jurisdiction.
  • Provide a method to allow users to request that their data be deleted.

The FTC and state attorneys general would have enforcement authority under the ENPA.

Each of these bills42 would achieve significant strides in the regulation of digital contact tracing solutions. However, the E.U. regulators have already gone to great lengths to provide guidance on addressing privacy concerns related to digital contact tracing. This guidance could provide U.S. legislators and regulators with valuable insight as they finalize an approach to the same issues in the United States.

General Data Protection Regulation and European Guidance

While the United States does not have a comprehensive privacy law, other countries do have comprehensive privacy laws that govern the use of contact tracing, such as in the European Economic Area.43 The GDPR was designed to unify data protection laws across the European Economic Area, giving European residents more rights and control over how their personal information is collected and processed by companies. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and delete personal information. While data collection with contact tracing has obvious implications under the GDPR, European data protection authorities have recognized the need for the development and deployment of contact-tracing mobile apps to mitigate the spread and contain COVID-19.

There has been a flurry of activity and guidance issued from European data protection authorities concerning GDPR compliance with the deployment of contact tracing. On April 8, 2020, the European Commission44 issued a Recommendation on a technology and mobile app toolbox designed to coordinate the approach and use of certain measures to combat COVID-19 (Toolbox Guidance). The Commission recognized that if contact tracing is deployed without appropriate safeguards, it could also negatively impact privacy and individuals’ rights and freedoms. The Toolbox Guidance emphasizes that measures should be taken to ensure:

  • Individuals remain in control of their personal information;
  • Users provide consent to the installation of the mobile app and the storage of their personal information;
  • A legal basis for processing of the data is defined;
  • Data minimization is prioritized;
  • There are technical requirements concerning appropriate technologies (e.g., Bluetooth Low Energy) to establish device proximity, encryption, data security, data storage on the mobile device and potential access by health authorities; and
  • Deletion of personal data obtained through these measures when the pandemic is declared to be under control.

On April 14, 2020, the European Data Protection Board (EDPB)45 issued a Letter in response to the European Commission’s Recommendation, citing that GDPR principles should not be disregarded during the pandemic. The EDPB emphasized that some limitations should be placed on the mobile apps and that location tracking of individual users is not mandatory as it would likely violate the GDPR’s principle of data minimization. The EDPB also cautioned against the use of algorithms in contact tracing apps and that processing should be overseen by qualified personnel. On April 16, 2020, the European eHealth Network46 published its own toolbox for the use of contact tracing and warning apps in response to the coronavirus pandemic.47

On April 21, 2020, the EDPB adopted guidelines on using location and contact tracing tools, noting that GDPR principles must guide any measure adopted by Member States or E.U. institutions that involve processing of personal data to fight COVID-19.48 The EDPB guidance focuses on two main areas: use of location data and deployment of contact tracing apps.

  • Location Data. Data should only be transmitted to authorities or other third parties where the data has been anonymized by the provider or, for data indicating the geographic position of a user, where it does not also constitute traffic data, with the prior consent of the user. The EDPB stresses that whenever possible, the processing of anonymized location data should be preferred over the processing of identifiable data. Anonymizing data under the GDPR is a high bar to clear and can be a complex endeavor but is possible to achieve.
  • Contact Tracing. Individual use of contact tracing apps should be on a voluntary basis and data processed through such apps should be reduced to the minimum necessary to process the information. The EDPB emphasizes using Bluetooth technology over GPS as apps should not monitor individual movements but rather rely on location proximity information instead. Data that is collected and shared should be pseudonymized.49 The EDPB emphasizes once again that effective implementation of contact tracing can exist without directly identifying the individuals and measures should be put in place to avoid identifying the individuals. Under the GDPR, pseudonymization can reduce the risks associated with data processing, while also maintaining the data’s utility and function.

European Union member state data protection authorities have also issued guidance and support on how businesses should manage contact tracing under the GDPR and E.U. member state law. The United Kingdom’s Information Commissioner (ICO), Elizabeth Denham, released an opinion on the partnership between Apple and Google to utilize Bluetooth technology in developing contact tracing tools. According to the ICO, the Apple-Google partnership appears aligned with the principles of data protection by design and by default. The ICO supports the development of apps that protect their users’ identities, both before any risk of infection has been identified and when a COVID-19 infection notification is made via the app.50

As contact tracing continues to evolve, it’s important for businesses to continue to monitor developments and any additional guidance from European data protection authorities to ensure compliance with the GDPR.

Best Practices

It’s clear that contact tracing will be deployed in some capacity to mitigate the spread of COVID-19. Before deploying contact tracing, businesses and employers need to be aware of the myriad privacy and security requirements they will need to follow. For those operating in the E.U. or collecting E.U. resident information through contact tracing, businesses will need to consult European Commission and EDPB guidance in addition to specific European member state guidance as applicable. Businesses operating in the United States will need to review the various sectoral laws to ensure compliance. Businesses will need to cautiously vet the technology they adopt. Contact tracing should utilize Bluetooth technology over GPS, as recommended by European government authorities, in order to avoid monitoring individual movements, which could be viewed as overly intrusive. Based on guidance from the United States and E.U., businesses should consider and adopt the following best practices:

  • Update privacy policies to match current data collection practices during COVID-19.
  • Obtain consent as necessary to comply with certain privacy laws.
  • Retain information for a limited time and only so long to achieve the purpose of data collection.
  • Obtain written certification from service providers that shared data will not be used for advertising or other purposes unrelated to contact tracing.
  • Only share information with governmental authorities as permitted under applicable laws.
  • Implement reasonable security measures, both physical and electronic, to protect against the disclosure or misuse of personal information.
  • Limit access to the employee’s health information to only those individuals who need to access it.

When it comes to implementing contact tracing, many employers and businesses may be subject to a number of laws in the E.U. as well as U.S. federal and state laws. Employers and businesses will need to consider a range of issues: how consent will be obtained, purpose limitations and data deletion requirements, data minimization, and deletion of data when it’s no longer needed. Individual and end user privacy should be of paramount concern, and companies should prioritize transparency with the use of contact tracing. As companies deploy and utilize contact tracing, they should continue to actively review and monitor guidance emerging in the United States and E.U.

  1. Ferretti, L., et al, Quantifying SARS-CoV-2 Transmission Suggests Epidemic Control with Digital Contact Tracing, 368 Science 619 (2020); Cucinotta, D. & Vanelli, M., “WHO Declares COVID-19 a Pandemic,” 91:1 Acta Biomed 157, 157-60 (2020).
  2. Id.
  3. Id.
  4. Ferretti, supra n. 1, at 619 (citing World Health Organization, Coronavirus Disease 2019 (COVID-19): Situation Report–36 (Feb. 25, 2020); Guan, W-j et al., Clinical Characteristics of Coronavirus Disease 2019 in China, 382 N. Engl. J. Med. 1708-20 (2020)).
  5. Ferretti, supra n. 1, at 619.
  6. Id.
  7. Centers for Disease Control and Prevention, Interim Guidance on Developing a COVID-19 Case Investigation & Contact Tracing Plan: Overview,
  8. Id.
  9. World Health Organization, Digital Tools for COVID-19 Contact Tracing, Annex: Contact tracing in the context of COVID-19 (June 2, 2020),
  10. Id.
  11. Kim, M., South Korea Is Watching Quarantined Citizens With a Smartphone App, MIT Tech. Rev. (Mar. 6, 2020),
  12. Sommer, A.K., Israel Unveils Open Source App to Warn Users of Coronavirus Cases, Haaretz (Mar. 23, 2020),
  13. Greenberg, A., How Apple and Google Are Enabling COVID-19 Contact-Tracing, Wired (Apr. 18, 2020),
  14. Id.
  15. Davis, J., COVID-19 Contact Tracing Apps Spotlight Privacy, Security Rights, Health IT Security (May 20, 2020),
  16. Id.
  17. Id.
  18. 45 C.F.R. §§ 160.102 and 160.103.
  19. A health plan is an “individual or group plan that provides, or pays the cost of, medical care,” which includes health insurance companies, health maintenance organizations (HMOs), and government programs, such as Medicaid and Medicare, that pay for healthcare.
  20. Healthcare clearinghouses are defined as entities that process health information in a nonstandard format into a standard format, or vice versa.
  21. Healthcare providers include providers of services covered by Sections 1861(u) or 1861(s) of the Social Security Act (which includes, among other things, physicians’ services, hospital services, physical therapy services, and skilled nursing facility services) or any person who otherwise “furnishes, bills, or is paid for health care in the normal course of business.” 45 C.F.R. § 160.103. Healthcare is defined as “care, services, or supplies related to the health of an individual.” Id.
  22. Id.
  23. Id.
  24. See 45 C.F.R. § 164.105(a). Universities are a classic example of a hybrid entity. A university that provides treatment to non-students would likely be considered a covered entity. Accordingly, by default, HIPAA’s protections would cover health information maintained by components of the institution other than the health clinic, such as the law enforcement unit or research department. However, the university can become a hybrid entity by designating the health clinic as its “health care component” and, thus, largely limit its obligations under HIPAA to the health clinic component. See HHS Office for Civil Rights, Can a postsecondary institution be a “hybrid entity” under the HIPAA Privacy Rule? (Nov. 25, 2008),
  25. See id.
  26. 45 C.F.R. § 160.103.
  27. 45 C.F.R. § 164.502(a).
  28. 45 C.F.R. § 164.512(b).
  29. Id.
  30. 45 C.F.R. § 164.501.
  31. See generally 45 C.F.R. §164.302, et seq.
  32. Cal. Civ. Code §1798.140(o).
  33. 740 ILCS 14 (2008), et seq.; Tex. Bus. & Com. Code Ann. § 503.001; Wash. Rev. Code Ann. § 19.375, et seq.
  34. One state to recently modify its breach notice statute is Vermont, which through an amendment expanded its definition of personal information to include biometric information, genetic information, and health or wellness program records. Biometric information is characterized as data generated from measurements or technical analysis of human body characteristics used by the owner or data licensee to identify or authenticate the consumer. 9 V.S.A. §§ 2430-2435.
  35. U.S. Sens. Roger Wicker (MS), John Thune (SD), Deb Fischer (NE), Jerry Moran (KS), and Marsha Blackburn (TN).
  36. U.S. Sen. Comm. on Commerce, Sci., & Transp., Committee Leaders Introduce Data Privacy Bill (May 7, 2020),
  37. The FTC is authorized “to gather and compile information concerning, and to investigate from time to time the organization, business, conduct, practices, and management of any person, partnership, or corporation engaged in or whose business affects commerce, excepting banks, savings and loan institutions . . . Federal credit unions . . . and common carriers . . .” 15 U.S.C. § 46(a). “Commerce” is defined as “commerce among the several States or with foreign nations.” Id. at § 44.
  38. U.S. Sen., supra n. 36.
  39. Sponsored by Representatives Jan Schakowsky (IL), Anna Eshoo (CA), and Suzan DelBene (WA), and Senators Richard Blumenthal (CT) and Mark Warner (VA).
  40. Jerich, K., Congressional Democrats Introduce Bill to Safeguard Health Data, Health IT News (May 15, 2020),
  41. Su, N., Exposure Notification Privacy Act: Bipartisan Bill Introduced to Regulate COVID-19 Contact Tracing Apps, JD Supra (June 19, 2020),
  42. As of the publication of this article, the COVID-19 Consumer Data Protection Act of 2020, the Public Health Emergency Privacy Act, and the Exposure Notification Privacy Act are still in committee.
  43. The European Economic Area consists of the Member States of the European Union (E.U.) and three countries of the European Free Trade Association (EFTA) (Iceland, Liechtenstein and Norway; excluding Switzerland).
  44. The European Commission is the executive branch of the E.U., responsible for proposing legislation, implementing decisions, upholding the E.U. treaties and managing the day-to-day business of the E.U.
  45. The EDPB is an independent European body whose purpose is to ensure consistent application of the GDPR and to promote cooperation among the E.U.’s data protection authorities.
  46. A voluntary network connecting national authorities responsible for eHealth designated by EU Member States.
  47. Eur. eHealth Network, Mobile applications to support contact tracing in the EU’s fight against COVID-19 (Apr. 15, 2020),
  48. Eur. Data Prot. Bd., Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (Apr. 21, 2020),
  49. Pseudonymization is the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that the additional information (for example, a lookup table or cryptographic key) is kept separately and protected by technical and organizational measures. Pseudonymized data remains personal data under the GDPR; it is not anonymized.
  50. U.K. Info. Comm’r Off., Opinion: Apple and Google joint initiative on COVID-19 contact tracing technology, (Apr. 17, 2020),
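The following is an added illustration of the pseudonymization concept defined in footnote 49, applied to the kind of employee contact-tracing records discussed above; it is not code from the article or from any of the apps or guidance it cites. It assumes a hypothetical employee-ID scheme and constructed sample records, and it shows two points a practitioner would want to check: a keyed pseudonym (HMAC with a secret key held separately) preserves the linkage needed for tracing while only the key holder can re-identify, whereas an unkeyed hash of a small identifier space is trivially reversible and therefore does not meet the "additional information" requirement.

```python
import hashlib
import hmac
import secrets

# Constructed sample records about hypothetical employees (assumed ID format "E" + 4 digits).
SAMPLE_RECORDS = [
    {"employee_id": "E1042", "event": "close_contact", "with": "E2077", "date": "2020-09-14"},
    {"employee_id": "E2077", "event": "positive_test", "with": None, "date": "2020-09-16"},
]


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the identifier, hex-encoded.

    The key is the 'additional information' of footnote 49. It must be stored
    separately from the pseudonymized records and restricted to the few
    people who legitimately need to re-identify (see the access-limitation bullet above).
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_records(records, key: bytes):
    """Replace every employee identifier in the records with its keyed pseudonym.

    Because the same key is used throughout, the 'with' field of one record still
    matches the 'employee_id' of another, so exposure chains remain linkable.
    """
    out = []
    for r in records:
        out.append({
            "employee_id": pseudonymize(r["employee_id"], key),
            "event": r["event"],
            "with": pseudonymize(r["with"], key) if r["with"] else None,
            "date": r["date"],
        })
    return out


def reidentify(pseudonym: str, candidate_ids, key: bytes):
    """Map a pseudonym back to an identifier.

    Only someone holding the key can do this, by recomputing the HMAC over the
    list of known identifiers; without the key the search yields nothing.
    """
    for cid in candidate_ids:
        if hmac.compare_digest(pseudonymize(cid, key), pseudonym):
            return cid
    return None


def brute_force_unkeyed_hash(digest_hex: str, id_space):
    """Show why a plain SHA-256 of a small identifier space is NOT pseudonymization.

    Anyone can enumerate the identifier space and invert the hash, so no
    'additional information' is needed to re-attribute the data.
    """
    for cid in id_space:
        if hashlib.sha256(cid.encode("utf-8")).hexdigest() == digest_hex:
            return cid
    return None


def demo():
    """Run the two checks end to end and return the results for inspection."""
    key = secrets.token_bytes(32)          # generated and held by the key custodian only
    pseudo = pseudonymize_records(SAMPLE_RECORDS, key)
    linked = pseudo[0]["with"] == pseudo[1]["employee_id"]   # chain still linkable
    known_ids = [r["employee_id"] for r in SAMPLE_RECORDS]
    with_key = reidentify(pseudo[0]["employee_id"], known_ids, key)
    without_key = reidentify(pseudo[0]["employee_id"], known_ids, secrets.token_bytes(32))
    # Unkeyed hash over the same ID scheme: inverted by brute force over E0000..E9999.
    unkeyed = hashlib.sha256(b"E1042").hexdigest()
    recovered = brute_force_unkeyed_hash(unkeyed, (f"E{i:04d}" for i in range(10000)))
    return {"linked": linked, "with_key": with_key, "without_key": without_key, "recovered": recovered}


if __name__ == "__main__":
    print(demo())
```

The keyed variant is the one that satisfies the definition: the records can be shared with, say, an outsourced tracing service (subject to the contractual limits in the bullets above) while the key stays with the employer. The unkeyed variant would, in practice, leave the records identifiable to anyone who knows the ID format.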
The material in all ABA publications is copyrighted and may be reprinted by permission only.

Ashley Thomas


Ashley Thomas, CIPP/US, CIPP/E, is an associate attorney in the Washington, DC office of Morris Manning & Martin LLP. Her practice focuses on the development and implementation of privacy compliance programs and data breach response. She regularly advises healthcare entities on regulatory compliance matters related to healthcare privacy and security, including online privacy policies and terms of service, and counsels on such issues in healthcare transactions. In 2019 and 2020, Ms. Thomas received the American Bar Association’s Emerging Young Lawyer in Healthcare Award. Ashley currently serves as the Chair of the ABA Health Law Section’s Web & Technology Committee and as the Vice Chair of Publications and Periodicals for the eHealth, Privacy and Security Interest Group. She graduated from Vanderbilt Law School in 2014 and received a Bachelor of Arts degree in Political Science from Northwestern University in 2009. She can be reached at [email protected].

Matthew Buchbinder


Matthew Buchbinder, CIPP/US, is an associate attorney at North, Pursell & Ramos in Nashville, Tennessee. His primary areas of concentration include data privacy, including incident investigation and breach response management, regulatory compliance, privacy and security policy review and drafting, risk management, and operational matters. He also represents healthcare providers in transactional and corporate matters and in litigation. Mr. Buchbinder graduated from Vanderbilt Law School in 2014. He previously earned an M.A. in ethnomusicology from Indiana University - Bloomington and a B.Mus. from Belmont University. He currently serves as the Web/Social Media Representative for the ABA's Health Law Section's eHealth, Privacy & Security Interest Group. He may be reached at [email protected].