113 million. That’s how many health records got spilled in breaches across the U.S. in 2023, according to HHS trackers — a number that keeps climbing as apps and trackers get greedier.
And here’s D.C. stepping up with the Personal Health Data Security Amendment Act of 2025, a bill that could actually crimp the data vampires circling abortion clinics, fertility centers, whatever. Introduced back in December, it’s got teeth: no more geofencing those spots for targeted ads or worse, mandatory privacy policies from anyone touching your health info, consent required before they snag or share it, even a right to delete your data on demand.
EPIC — you know, the Electronic Privacy Information Center, those watchdog types who’ve been yelling about surveillance since the dial-up days — sent senior counsel Sara Geoghegan to testify before the City Council’s Health Committee on March 23. She gave the sponsors a thumbs-up but — surprise — called out a glaring hole.
“Unfortunately, the notice-and-choice approach to privacy regulation simply does not work,” Geoghegan said. “The focus on notice has led to longer and more complicated privacy policies that users do not read and could not change even if they did.”
Spot on. We’ve seen this movie before: companies bury the lede in 10,000-word walls of legalese, users click ‘agree’ without a glance, and suddenly their period tracker data ends up in some broker’s ad machine. (Remember Flo? That app that swore up and down it wouldn’t share reproductive health data — until researchers proved otherwise.)
Why Ban Geofencing Around Health Clinics?
Geofencing. Sounds innocuous, right? Like drawing a virtual fence on a map. But in practice, it’s how apps pinpoint you’re at a Planned Parenthood and start serving up ‘alternatives’ ads — or, creepier, selling that location to insurers or worse.
This bill says nope. Entities handling personal health data can’t do it around ‘facilities that provide health services.’ Broad enough to cover clinics, hospitals, therapists — anyone spilling beans on your body. Good start. But who defines ‘health services’? Pharmacies? Gyms with wearables? We’ve got gray areas begging for loopholes.
Look, I’ve covered enough Valley privacy debacles to know: tech firms don’t volunteer restraint. They lobby, they litigate, they ‘innovate’ around rules. Remember location data brokers like PredPol feeding cops protest routes? Same playbook here — health edition.
Does Notice-and-Choice Actually Protect Health Data?
EPIC’s beef is with the bill’s reliance on those privacy policies for limits on collection and use. Tie rules to what companies say they’ll do? That’s like trusting a fox to guard the henhouse.
Instead, they want obligations locked to the data’s purpose. Collect it for appointments? Fine, use it for that. Anything else — sell it, profile you, feed it to AI trainers — off-limits. Data minimization, they call it. Collect less, protect more. Shifts the burden from us distracted users to the suits who profit.
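To make the two mechanisms above concrete, here is an added Python example (not code from the article, EPIC, the bill, or any vendor). It implements the geofencing rule from the previous section as a suppression check that refuses location-keyed targeting inside a health-facility fence, and the purpose-limitation rule EPIC asks for as a record that carries its declared purpose from collection through use. The facility coordinates, field names, purposes, and sample submission are constructed placeholders, and `haversine_m`, `facility_at`, `location_targeting_allowed`, `collect`, and `use` are names chosen for this illustration.

```python
"""Purpose-bound health data handling: a worked example added to this article.

Not code from the article, EPIC, or the D.C. Council. It models the two
mechanisms discussed: a ban on location targeting inside health-facility
geofences, and purpose limitation (data minimization) for health data.
Facility coordinates, field names, and purposes are constructed placeholders.
"""
from math import radians, sin, cos, asin, sqrt

# Constructed placeholder facilities: (name, latitude, longitude, fence radius in metres).
# A real deployment would load these from a maintained registry of health facilities.
HEALTH_FACILITIES = [
    ("example-clinic-A", 38.9000, -77.0300, 150.0),
    ("example-hospital-B", 38.9200, -77.0100, 400.0),
]

# Purpose limitation: each declared purpose is allowed a minimal field set (constructed).
ALLOWED_FIELDS = {
    "appointment_scheduling": {"patient_id", "appointment_time", "provider"},
    "billing": {"patient_id", "service_code", "amount"},
}


class PurposeViolation(Exception):
    """Raised when health data is collected or used outside its declared purpose."""


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6_371_000.0
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * r * asin(sqrt(a))


def facility_at(lat, lon):
    """Name of the first health facility whose fence contains the point, else None."""
    for name, flat, flon, radius in HEALTH_FACILITIES:
        if haversine_m(lat, lon, flat, flon) <= radius:
            return name
    return None


def location_targeting_allowed(lat, lon):
    """The geofencing rule: no location-keyed targeting inside a facility fence.

    Returns (allowed, reason). The reason is what you would log for an audit
    trail, since the bill makes suppression a compliance obligation.
    """
    hit = facility_at(lat, lon)
    if hit is not None:
        return False, f"suppressed: inside geofence of {hit}"
    return True, "no health facility fence"


def collect(raw_record, purpose):
    """Minimize at collection: keep only the fields the declared purpose needs.

    Returns a record tagged with its purpose so later use can be checked.
    """
    allowed = ALLOWED_FIELDS.get(purpose)
    if allowed is None:
        raise PurposeViolation(f"undeclared purpose: {purpose!r}")
    data = {k: v for k, v in raw_record.items() if k in allowed}
    return {"purpose": purpose, "data": data}


def use(record, purpose):
    """Purpose binding at use: data may serve only the purpose it was collected for.

    Selling, profiling, or model training on appointment data all fail here:
    the limit rides with the data, not with a privacy policy nobody reads.
    """
    if record["purpose"] != purpose:
        raise PurposeViolation(
            f"data collected for {record['purpose']!r} cannot be used for {purpose!r}"
        )
    return record["data"]


if __name__ == "__main__":
    # Constructed sample input: an over-broad form submission and two location pings.
    submitted = {
        "patient_id": "p-001", "appointment_time": "2025-04-02T09:30", "provider": "dr-x",
        "diagnosis_notes": "should never be collected for scheduling",
        "device_ad_id": "should never be collected for scheduling",
    }
    rec = collect(submitted, "appointment_scheduling")
    print(sorted(rec["data"]))  # minimized to the three scheduling fields
    try:
        use(rec, "ad_profiling")
    except PurposeViolation as e:
        print("blocked:", e)
    print(location_targeting_allowed(38.9005, -77.0300))  # ~56 m from clinic A: suppressed
    print(location_targeting_allowed(38.9500, -77.1000))  # several km away: allowed
```

The design point is that both checks are enforced by the data path itself: a record that arrives without a recognised purpose is never stored, a stored record refuses any purpose other than its own, and a targeting decision inside a fence returns a logged refusal rather than depending on what a privacy policy promises.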
Here’s my unique take, one you won’t find in EPIC’s testimony: this echoes the HIPAA wars of the early 2000s. Back then, ‘notice-and-choice’ was sold as patient empowerment. Result? A patchwork of breaches and black markets for medical records. D.C. could pioneer a real fix — or repeat history if they don’t gut that clause.
But cynicism check: who’s really making money here? Not patients. Data brokers like LiveRamp or Acxiom, quietly geofencing clinics to build ‘sensitive’ profiles worth dollars per head. Period-tracking apps? They’ve got investors salivating over ‘wellness’ upsells. This bill threatens that gravy train — expect pushback.
The hearing’s online if you want the full drama. Geoghegan’s calm takedown of notice-and-choice? Gold. Council members nodding along, but will they rewrite?
Could This Spread Beyond D.C.?
D.C. laws punch above their weight — think net neutrality or right-to-repair. If this passes, expect copycats in blue states, maybe even a federal nudge amid the post-Roe chaos.
Prediction: by 2027, we’ll see national geofencing bans for reproductive health spots. But data minimization? Tougher sell. Tech PACs will flood Capitol Hill with ‘innovation killer’ spin.
EPIC’s written testimony doubles down: strong minimization or bust. Smart. Without it, you’re left with consents nobody reads and deletions data hoarders ignore.
Short version? Bill’s promising. EPIC’s tweaks make it potent. But in a world where Meta tracks your doctor’s visits for ‘personalized’ health ads — yeah, they do — half-measures won’t cut it.
And the real winners? Us, if it sticks. Or the lawyers cleaning up the inevitable lawsuits.
Frequently Asked Questions
What does the Personal Health Data Security Amendment Act do?
It bans geofencing around health facilities, requires clear privacy policies and consent for health data handling, and adds a deletion right for D.C. residents.
Will D.C.’s health data privacy bill affect national companies?
Potentially yes — firms operating in D.C. must comply, and it could inspire similar laws elsewhere, pressuring data brokers nationwide.
What is data minimization in privacy laws?
It’s a rule forcing companies to collect only data needed for a specific purpose, ditching the ‘ask permission in fine print’ scam.