
Protecting Privacy In Digital Contact Tracing For COVID-19: Avoiding A Regulatory Patchwork

Contact tracing for COVID-19 is a necessary tool to allow communities to reopen. Unfortunately, because of the speed and numbers of COVID-19 cases, manual contact tracing is unlikely to be sufficient. Digital contact tracing can provide enough capacity but comes with serious privacy concerns.

Digital contact tracing substitutes mobile apps for individuals who track down instances of COVID-19 exposure through interviews with coronavirus carriers. Individuals install these applications on their phones. The app uses either GPS or Bluetooth data to record when two users have been in close proximity to each other for a sufficiently long period of time for the virus to be transmitted. When a user reports that he or she is COVID-19 positive, the application can immediately alert other users who were near the infected user, encouraging them to get tested.

In the United States, digital contact tracing falls into a strange category in which at times it is governed by the Health Insurance Portability and Accountability Act (HIPAA), but at times not. There are efforts, led by the Senate, to implement data privacy regulations to more broadly cover digital contact tracing. Unfortunately, these efforts would create an unworkable regulatory patchwork in conjunction with HIPAA. We should rethink our approach to the governance of digital contact tracing data to create one regulatory regimen to oversee these programs and maximize consumer protections, regardless of who is implementing the apps.

The Need For Contact Tracing And Contact Tracing Privacy Regulations

Contact tracing apps are an increasingly popular tool to combat COVID-19. Most are structured similarly. For example, Jane Smith downloads an app that records when she is in proximity to any other phone with the tracing app. If she tests positive for COVID-19, Jane uploads this information to the contact tracing app, which in turn sends that information to all the other phones that were close enough during the key incubation period. The users of these phones receive a notification that they were exposed to COVID-19 and are urged to get tested. However, they are not told that Jane tested positive or even when they were exposed. Public health departments may be notified by the app, but not always. The app could be structured to require a health care worker to upload testing outcomes, but that is not a necessary feature.

In this sense, digital contact tracing differs from manual contact tracing. Manual contact tracing takes advantage of the “human touch” because professional contact tracers can connect sick individuals to social and medical supports. The human element is also a drawback of manual contact tracing because it relies on an infected individual to remember who they were near and provide contact information for them. Digital contact tracing does not suffer from this memory problem. It is also extremely scalable and fast to implement because local authorities do not have to spend time and resources training people as contact tracers.

Singapore, with its TraceTogether app, was an early pioneer of digital contact tracing. Many other countries including Australia, Germany, and the United Kingdom are working to rapidly implement these apps. In virtually all countries, including the United States, the use of these apps is voluntary. For contact tracing apps to be effective, however, approximately half of the country’s total population must become users. We are talking about a treasure trove of data, including personal health information and location.

In the United States, Google and Apple recently announced the details of a contact tracing app they are jointly developing. To minimize privacy concerns, the two technology companies have focused on Bluetooth-based proximity detection and designed the app to hold most information on users’ phones rather than servers. Because neither Google nor Apple meets the definition of a covered entity under HIPAA, the law’s privacy-enforcing requirements do not apply to the companies’ contact tracing efforts. In some states, such as California, state laws may provide some protections, but not every state has applicable laws or regulations. The lack of privacy regulations means that users will have to depend on the good will of technology companies to avoid misusing data or violating their privacy. On April 10, 2020, in a letter to Jared Kushner, Senators Mark Warner (D-VA) and Richard Blumenthal (D-CT), along with Representative Anna Eshoo (D-CA), recognized this problem, asking “[w]hat measures will the Administration put into place to ensure that the public health surveillance initiative protects against misuse of sensitive information?”

New Proposal To Cover Some Contact Tracing Efforts

The answer seemed to appear on April 30, 2020. Several Republican Senators, including Senate Commerce Committee Chairman Roger Wicker (R-MS), Majority Whip John Thune (R-SD), and Senators Jerry Moran (R-KS) and Marsha Blackburn (R-TN), announced plans to introduce the COVID-19 Consumer Data Protection Act. This act would govern contact-tracing apps operated by organizations not subject to HIPAA. Companies would have to be transparent about their data collection and usage and obtain individuals’ express consent before collecting, processing, or transferring data collected by these apps. Individuals would also have the right to opt out of data collection. Additionally, companies would need to de-identify all personally identifiable information when it is no longer being used for the health emergency. Enforcement of this act would rest with the Federal Trade Commission (FTC) and state attorneys general.

The proposed bill addresses a clear need for the regulation of contact-tracing apps. Unfortunately, it does not harmonize well with our existing data governance and privacy regimens. In many ways the act is similar to newer generation privacy regimens such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) when it comes to consent, transparency, data deletion, data minimization, and security. For example, the act, GDPR, and CCPA all allow individuals to compel their data to be deleted upon an opt-out request. 

The act’s approach to data privacy and governance puts it at odds with HIPAA, in that the act provides more protections for users in some respects and fewer protections in other key regards. For example, unlike the act, HIPAA does not provide individuals a “right to be forgotten,” that is, to be deleted upon request from a data set, nor does it require affirmative consent before the medical provider can enter an individual’s data into a database. On the other hand, the act would allow covered entities to use consumer geolocation or personal health information for purposes beyond COVID-19 contact tracing, including selling data or using it for marketing purposes. This is in stark contrast to HIPAA, which allows covered entities to sell protected health information only if they have obtained authorization from all individuals whose identifiable health information is included in a patient data set compiled by the covered entity. This is especially worrisome because users may assume that HIPAA protections apply to contact tracing apps and provide information they would not want sold or used for marketing.

The Need For An Overarching Regulatory Regimen For Contact Tracing

While HIPAA was written before the mobile app and smartphone revolution, it is important to consider how any legislation governing the use of information to combat COVID-19 would interact with it. It seems strange that Google or Apple would have different data requirements than a hospital operating a contact-tracing app, when the privacy impact on users would be the same no matter the creator. This also raises questions of which privacy regimen to follow in the case of a collaboration between a HIPAA covered entity and an entity that would be covered under this act. If a hospital contributed COVID-19 diagnoses or test results to a contact-tracing app that also used geolocation data and was operated by a non-HIPAA covered entity, we may see a database that has a patchwork of requirements relating to consent, right to be forgotten, and allowable uses. Furthermore, giving enforcement power to the FTC rather than to the Department of Health and Human Services (which customarily pursues HIPAA violations) may make it more difficult to address health data privacy violations.

The act is a good acknowledgment that we need governance of contact-tracing apps, both because they are likely to be widely used until there is a vaccine and because they pose serious privacy concerns. But it does not correctly harmonize with existing privacy regulations. Contact-tracing apps are public health and quasi-medical by nature. A successful regulatory regimen would not merely try to address what is not currently protected by HIPAA. A more regulatorily consistent approach would be to extend at least the most relevant HIPAA obligations to these apps, which would prevent companies from selling or using data for marketing purposes. An even better approach might be to impose the same regulatory regimen on all digital surveillance and contact-tracing efforts, including those operated by HIPAA covered entities. In that way, we can think of HIPAA as the “floor” and the newer regulations as privacy maximizing requirements. Either way, we would avoid creating silos of data based on the creator and implementor of the contact tracing app.

 
