[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 199 Introduced in Senate (IS)]

117th CONGRESS
  1st Session
                                 S. 199

   To authorize the Director of the Centers for Disease Control and 
 Prevention to award grants to eligible State, Tribal, and territorial 
public health agencies to develop and administer a program for digital 
         contact tracing for COVID-19, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            February 3, 2021

Mr. Schatz (for himself and Ms. Baldwin) introduced the following bill; 
     which was read twice and referred to the Committee on Health, 
                     Education, Labor, and Pensions

_______________________________________________________________________

                                 A BILL


 
   To authorize the Director of the Centers for Disease Control and 
 Prevention to award grants to eligible State, Tribal, and territorial 
public health agencies to develop and administer a program for digital 
         contact tracing for COVID-19, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Secure Data and Privacy for Contact 
Tracing Act of 2021''.

SEC. 2. GRANT PROGRAM FOR DIGITAL CONTACT TRACING FOR COVID-19.

    (a) In General.--The Director of the Centers for Disease Control 
and Prevention shall award grants to eligible State, Tribal, and 
territorial public health agencies to--
            (1) establish a contact-tracing program that implements 
        traditional contact-tracing protocols with the assistance of 
        digital contact-tracing technology to track and prevent the 
        spread of COVID-19;
            (2) incorporate digital contact-tracing technology into a 
        contact-tracing program that implements traditional contact-
        tracing protocols to track and prevent the spread of COVID-19; 
        and
            (3) expand or maintain an existing program as described in 
        subparagraph (1).
    (b) Use of Funds.--
            (1) In general.--Funds received through a grant under this 
        section, may be used for--
                    (A) the development, maintenance, or staffing of 
                digital contact-tracing programs;
                    (B) associated outreach and marketing; or
                    (C) other activities identified by a State, Tribal, 
                or territorial public health agency as advancing the 
                effectiveness and reach of digital contact-tracing 
                technologies.
            (2) Education and outreach.--Of the funds received by a 
        State, Tribal, or territorial public health agency through a 
        grant under this section, the agency may use not more than 10 
        percent of such funds to integrate education and outreach 
        related to vaccines for COVID-19 into digital contact-tracing 
        programs.
    (c) Funding Disqualification.--If a State, Tribal, or territorial 
public health agency develops or procures any digital contact-tracing 
technology with respect to COVID-19 that does not meet each of the 
requirements listed in subsection (d), such State, Tribal, or 
territorial public health agency shall be ineligible to receive or 
continue to receive--
            (1) any funds through a grant under this section; and
            (2) any other Federal funds, including under the CARES Act 
        (Public Law 116-136), for any digital contact-tracing 
        technology with respect to COVID-19.
    (d) Digital Contact-Tracing Requirements.--A State, Tribal, or 
territorial public health agency may use a grant under this section for 
digital contact-tracing technology, as described in subsections (a) and 
(b), only if the technology meets each of the following requirements:
            (1) The technology shall be voluntary for the user and 
        provide to the user complete and clear information on the 
        intended use and processing of data collected by the 
        technology. To be voluntary for the user, the technology shall 
        meet requirements including each of the following:
                    (A) Use of the technology and of contact-tracing 
                data collected using the technology shall be predicated 
                on the user's affirmative consent.
                    (B) Use of the technology shall not be a condition 
                for the reception of government benefits.
                    (C) Use of the technology shall not be made a 
                condition of employment or employment status.
            (2) The technology shall limit the collection of data by 
        the technology to only the data that is necessary to meet 
        contact-tracing objectives, including--
                    (A) the status of any person as an infected or 
                potentially infected person; and
                    (B) the proximity of a person to someone who is 
                symptomatic or has tested positive.
            (3) The technology--
                    (A) shall delete or de-identify any contact-tracing 
                data that is individually identifiable information not 
                later than the date that is 30 days after the end of 
                the COVID-19 emergency declaration; and
                    (B) shall include notifications to prompt users to 
                disable or completely remove any digital contact-
                tracing technology where practical.
            (4) The technology shall have robust contact detection 
        specifications, including for distance and time, that allow for 
        detection consistent with guidance of the Centers for Disease 
        Control and Prevention on COVID-19.
            (5) The technology shall ensure that the storing of 
        proximity and any contact-tracing data is encrypted to the 
        maximum extent possible.
    (e) Plan for Interoperability.--As a condition on receipt of a 
grant under this section, a State, Tribal, or territorial public health 
agency shall--
            (1) develop and make publicly available a plan for how the 
        digital contact-tracing technology of the agency with respect 
        to COVID-19 augments--
                    (A) traditional contact-tracing efforts, if 
                applicable; and
                    (B) statewide efforts to prevent, prepare for, and 
                respond to COVID-19; and
            (2) include in such plan a description of the agency's 
        efforts to ensure that the digital contact-tracing technologies 
        of the agency with respect to COVID-19 are interoperable with 
        the digital contact-tracing technology and public health agency 
        databases of other jurisdictions with respect to COVID-19; and
            (3) ensure that data collected by the digital contact-
        tracing technology of the agency--
                    (A) is accessed and processed only by public health 
                authorities (or their designees); and
                    (B) is not shared with any person, or accessed or 
                used by any person, for any purpose other than 
                diagnosis, containment, treatment, or reduction of, or 
                research into, COVID-19.
    (f) Independent Security Assessments.--
            (1) In general.--As a condition on receipt of a grant under 
        this section, a State, Tribal, or territorial public health 
        agency shall--
                    (A) establish procedures for completing or 
                obtaining independent security assessments of digital 
                contact-tracing infrastructure to ensure that physical 
                and network security is resilient and secure; and
                    (B) develop a process to address the mitigation or 
                remediation of the security vulnerabilities discovered 
                during such independent security assessments.
            (2) Source code.--A State, Tribal, or territorial public 
        health agency should consider making public the source code of 
        the digital contact-tracing technology used by the agency.
    (g) Application.--To seek a grant under this section, an eligible 
State, Tribal, or territorial public health agency shall submit an 
application in such form, in such manner, and containing such 
information and assurances as the Director may require.
    (h) Securing Digital Contact-Tracing Data.--
            (1) In general.--The provisions of the HIPAA privacy and 
        security law (as defined in section 3009(a)(2) of the Public 
        Health Service Act (42 U.S.C. 300jj-19(a)(2))) shall apply to a 
        State, Tribal, or territorial public health agency receiving a 
        grant under subsection (a) with respect to individually 
        identifiable health information (as defined in section 
        1171(a)(6) of the Social Security Act (42 U.S.C. 1320d(a)(6))) 
        received by, maintained on, or transmitted through a contact-
        tracing program described in such subsection (a) in the same 
        manner as such provisions apply with respect to such 
        information and a covered entity (as defined in section 
        13400(3) of the HITECH Act (42 U.S.C. 17921(3))).
            (2) Business associates.--
                    (A) In general.--Any entity with a contract in 
                effect with an agency described in paragraph (1) for 
                the development, maintenance, or operation of a program 
                described in such paragraph shall be deemed to be a 
                business associate of such agency for purposes of 
                subtitle D of the HITECH Act (42 U.S.C. 17921 et seq.).
                    (B) Revision of sample agreement.--Not later than 
                180 days after the date of the enactment of this Act, 
                the Secretary shall revise the sample business 
                associate agreement provisions published on January 25, 
                2013, to take account of the provisions of this 
                subsection.
                    (C) Effective date.--The provisions of subparagraph 
                (A) shall apply beginning on the day after the 
                Secretary revises the provisions described in 
                subparagraph (B).
    (i) Limitation on Use of Data.--Data generated in connection with 
the operation of digital contact-tracing technology funded pursuant to 
this section may not be used for any punitive purpose, including law 
enforcement, immigration enforcement, or criminal prosecution. Such 
data and any information derived from it, whether in whole or in part, 
may not be received as evidence in any trial, hearing, or other 
proceeding in or before any court, grand jury, department, officer, 
agency, regulatory body, legislative committee, or other authority of 
the United States, a State, or a political subdivision thereof.
    (j) Report to Congress.--Not later than 24 months after the date of 
enactment of this Act, the Comptroller General of the United States 
shall--
            (1) evaluate the outcome of the grants awarded under this 
        section, including an assessment of the impact of the 
        implementation of digital contact-tracing programs funded 
        through such grants on the spread of COVID-19; and
            (2) submit to the Congress a report on the results of such 
        evaluation.
    (k) Definitions.--In this section:
            (1) Affirmative express consent.--The term ``affirmative 
        express consent'' means an affirmative act by an individual 
        that clearly and conspicuously communicates the individual's 
        authorization for an act or practice, in response to a specific 
        request that--
                    (A) is provided to the individual in a clear and 
                conspicuous disclosure that is separate from other 
                options or acceptance of general terms;
                    (B) includes a description of each act or practice 
                for which the individual's consent is sought and--
                            (i) is written clearly and unmistakably 
                        stated; and
                            (ii) includes a prominent heading that 
                        would enable a reasonable individual to 
                        identify and understand the act or practice; 
                        and
                    (C) cannot be inferred from inaction.
            (2) Contact-tracing data.--The term ``contact-tracing 
        data'' means information linked or reasonably linkable to a 
        user or device, that--
                    (A) concerns the COVID-19 pandemic; and
                    (B) is gathered, processed, or transferred by 
                digital contact-tracing technology.
            (3) COVID-19 emergency declaration.--The term ``COVID-19 
        emergency declaration'' has the meaning given to such term in 
        section 1135(g)(1)(B) of the Social Security Act (42 U.S.C. 
        1320b-5).
            (4) De-identify.--The term ``de-identify'' means to ensure 
        that information cannot reasonably identify, relate to, 
        describe, be capable of being associated with, or be linked, 
        directly or indirectly, to a particular individual.
            (5) Designee.--The term ``designee''--
                    (A) subject to subparagraph (B), means any person 
                or entity, other than a public health agency, that 
                collects, processes, or transfers contact-tracing data 
                in the course of performing a service or function on 
                behalf of, for the benefit of, under instruction of, 
                and under contractual agreement with a public health 
                authority; and
                    (B) excludes any Federal, State, Tribal, 
                territorial, or local law (including immigration law) 
                enforcement personnel or entity.
            (6) Digital contact-tracing technology.--
                    (A) In general.--The term ``digital contact-tracing 
                technology'' means a website, online application, 
                mobile application, mobile operating system feature, or 
                smart device application that is designed, in part or 
                in full, for the purpose of--
                            (i) determining that a contact incident has 
                        occurred relating to the COVID-19 pandemic; and
                            (ii) taking consequent steps such as 
                        reporting the incident to a public health 
                        authority or user, or providing guidance or 
                        instructions to the user of the mobile device 
                        or the user's household.
                    (B) Limitations.--Such term does not include any 
                technology to assist individuals to evaluate whether 
                they are experiencing COVID-19 symptoms to the extent 
                the technology is not used as described in subparagraph 
                (A).
            (7) Director.--The term ``Director'' means the Director of 
        the Centers for Disease Control and Prevention.
            (8) Mobile application.--The term ``mobile application'' 
        means a software program that runs on the operating system of a 
        mobile device.
            (9) Mobile device.--The term ``mobile device'' means a 
        smartphone, tablet computer, or similar portable computing 
        device that transmits data over a wireless connection.
            (10) Source code.--The term ``source code'' is the 
        programming instruction for a computer program in its original 
        form and saved in a file.
            (11) Traditional contact tracing.--The term ``traditional 
        contact tracing'' means contact tracing by traditional means 
        prior to contemporary digital contact tracing.
            (12) User.--The term ``user'' means a member of the public 
        who utilizes the software or hardware product.
    (l) Authorization of Appropriations.--To carry out this section, 
there are authorized to be appropriated $75,000,000, to remain 
available until expended.