Oregon’s contact tracing bill: A conversation with HIPAA expert Christina Glabas about keeping Oregonians’ health info private and secure

Christina Glabas, Founder and Principal Consultant at Gazelle Consulting, was recently tapped by the Oregon Attorney General’s office to join a policy work group tasked with reviewing a proposed contact tracing privacy bill.

The Oregon Department of Justice (DOJ) Contact Tracing Privacy Workgroup is comprised of lobbyists from the healthcare and technology industries, consumer privacy advocates, and other members of the business community in Oregon. 

We asked Christina to discuss her role in the workgroup and why she thinks this legislation is needed.

Tell us about work you’re involved in with the DOJ. How did this come about?

I was invited to participate by the Legislative Director for the Oregon Department of Justice and the Office of the Attorney General, Kimberly McCullough. 

When the policy group needed some input from a HIPAA expert, Kimberly reached out to me to join. The policy work group meets to review proposed legislation aimed at keeping information related to COVID-19 private and secure.

I’ve assisted the policy director in reviewing proposed language for the bill, identifying possible conflicts with other laws like HIPAA and Oregon state law, suggesting legal language that would address concerns and protect consumers, and researching questions that came from the panel regarding HIPAA waivers of enforcement due to COVID-19.

Drafts of the bill were reviewed and commented on by the members of the workgroup.

As Kimberly puts it, you don’t need to be a lawyer to know what the law should be. 

What impact could this policy have for businesses and private citizens?

This is really good legislation that addresses some gaps in how we might conceive of “COVID data.” 

We typically think of organizations like hospitals, vaccination sites, and testing sites as organizations that deal with COVID-19 data. 

But, as our society starts to open up, we may see businesses tracking COVID-19 status of individuals with the intent of performing contact tracing. For example, a restaurant may decide to open for a special event with the agreement that all individuals provide their information for contract tracing if an outbreak does occur. 

This law would ensure that after that information is no longer needed it is disposed of securely, in order to prevent things like discrimination based on COVID-19 status, vaccination status, or an individual’s history of movement. 

In a recent example just north of the border, a Canadian couple’s phone number — collected by a restaurant for contact tracing purposes — was used for marketing purposes

The Office of the Information and Privacy Commissioner for British Columbia has indicated that they have received and are investigating numerous complaints of this nature. (It’s worth noting that the province has strict guidelines about collecting personal information from customers.) 

An Oregon law would offer similar protection and safeguards for Oregonians.


What’s next for this bill and how can Oregonians stay up-to-date on Oregon privacy law?

With the Oregon legislature in session, this bill, and many others, will be reviewed by lobbyists and lawmakers. If the bill passes in the House and the Senate it will go to Governor Kate Brown’s desk for approval. If the governor signs the bill it will become Oregon law.

You can stay up to date on Oregon privacy law by following Oregon’s Attorney General Ellen F. Rosenblum, who sponsored this bill.



To learn more about how Christina and the team at Gazelle Consulting can help you navigate HIPAA and privacy laws and keep your client’s data safe and secure, call or submit a request here for a consultation.
Nav close