info@ehidc.org

 202-624-3270

Pondering Privacy - A Blog by Alice Leiter

COVID-19

Pondering Privacy - A Blog by Alice Leiter

April 24, 2020

Privacy in the Time of Coronavirus

 

In the presence of COVID-19, the balance inherent in health information access has taken on an additional dimension: individual privacy v. public health needs. This ultimately begs the question: does patient privacy retain its importance in the time of a national health emergency?

Many in the general public are unaware that HIPAA already allows for certain disclosures of protected health information for public health purposes, even when the circumstances don’t constitute a pandemic or crisis. But in the wake of COVID-19, a number of additional adjustments to HIPAA and its enforcement have been enacted by the Office for Civil Rights (OCR) over the last couple of months, including:

  • Waiving a number of sanctions and penalties applicable to hospitals, including requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
  • A suspension in the imposition of penalties against covered health care providers for non-compliance with the HIPAA Rules in connection with the good faith provision of telehealth services, including telehealth services unrelated to COVID-19.
  • Allowances for new types of testing sites that ordinarily would violate HIPAA. OCR has issued a notice of enforcement discretion for covered entities and their business associates who participate in community-based testing sites, which include mobile, drive-through, or walk-up sites that provide only COVID-19 specimen collection or testing services to the public.

 

Should We Worry About Relaxation of Rules?

These measures have generally been well-received, but the urgency to collect and analyze data generated by patients outside of a hospital or physician’s office (such as cell phone location data) on a massive scale to track the spread of the virus – known as “contact tracing” – has increased the amount of individual and health data being held by entities not covered by HIPAA.

This vast trove of individual data, combined with reduced legal protections, has also led to worry about how that data may be used, and by whom – both now, during the immediate crisis, and down the line, once the crisis has passed. Given the lack of federal and state legal protections for some of the COVID-19-related surveillance information being collected by, for example, Facebook, Apple and Google (not to mention a host of other apps), privacy practices and data use policies are mostly left up to corporate and institutional best practices and terms of use.

Even before COVID-19 effectively shut down the U.S. economy and became the focus of the majority of legislative efforts on Capitol Hill, momentum had been building for a new comprehensive federal privacy law governing personal data, including health data. As the aforementioned tech giants have announced their COVID-19-tracking efforts to great fanfare, privacy advocates have reignited their calls for such efforts to exist within clear and perhaps increased protections.

Many have been vocal that privacy protections and worries should take a back seat in times of national crises – that the suspension of some civil liberties is justified by the need to respond to a crisis in which scores are dying, and millions have lost their jobs. Supporters of this perspective believe that whatever policy adjustments are necessary to stem the spread of the virus, get people back to work, children back to school, and the economy reopened are worth it.  On the other side of the debate are those who make the analogy to the time after 9/11, when increased domestic surveillance efforts proved to be both widely unpopular and hard to roll back once the immediate aftermath had passed. Reducing civil liberties may be a short-term fix, but it can prove to be a dangerously slippery slope.

Given the severity and urgency of this particular public health emergency, it does seem prudent that the always-dynamic privacy balance should shift toward the “whatever it takes to address the crisis” end of the spectrum. But how aggressively should we tilt, under what conditions, and for how long?  

Some basic considerations have been put forward by a number of experts and scholars, including by a couple of members of the Privacy and Civil Liberties Oversight Board, established by the 9/11 Commission, the body that conducted the definitive investigation of the 9/11 terrorist attacks. In an op-ed in Politico, the authors considered how we can “defeat the epidemic while preserving our privacy, liberty, and way of life.” Their recommendations include balancing risk vs. benefits; establishing clear rules for how data can be collected and used, retained and shared; establishing how long any measures enacted in this time of crisis should remain in place; and prioritizing transparency in all efforts. 

We agree with these guidelines and principles, but we also realize that our national response to this debate will be, as with so many others, some mix of reactionary and proactive. The fact remains that there are no national privacy laws preventing technology-enabled contact tracing, and with state and federal governments desperately looking for quick solutions to reopen their economies, it is an unlikely environment for federal consensus privacy legislation. Even the European Union, which has stringent and far-reaching data protections, is seeing its laws tested by coronavirus response efforts.

However, the more that privacy is publicly discussed, the more accountable the government and commercial companies with which it is collaborating will be. Continued evaluation, both of the virus-response measures and their evolving value, is crucial, and eHI looks forward to engaging its members in these efforts.

  

Alice Leiter​​
Vice President and Senior Counsel, eHI

 

 

 

 

Share