Privacy and Security

Privacy in a Pandemic

One of the most effective public health tools officials use to combat COVID-19 has been hampered in recent weeks by an explosive growth of cases in re-opened states and cities, antiquated technology, and a skeptical public.

Contact tracing—the time-tested practice of reaching out to individuals who test positive for reportable diseases and identifying people they’ve been in contact with (called “index cases”) while infectious—is most effective in localities where the healthcare systems have not yet become overwhelmed.

At this point in the pandemic—when some states have reversed re-openings due to a resurgence in cases and others are in the perilous ascent to their peaks—it’s reasonable to question the efficacy of the “trace” portion of the “test-trace-isolate” strategy.

Best Laid Plans

In the spring, Congress allocated $10 billion for states to use for test-trace-isolate measures. However, as of late June, Anthony Fauci, MD, director of the National Institute of Allergy and Infectious Diseases, told Congress and members of the press that contact tracing was “not going well.” Health departments across the country, in places like New York City, Oregon, and Illinois, have struggled to hire enough contact tracers to keep up with caseloads.

In addition to the logistical barriers to building the contact tracing army, local public health officials are encountering ideological barriers as well, due to fears about privacy and government overreach.

According to NPR, a contact tracer named Lauri Jones, who works for a rural county health department in eastern Washington, was the subject of threatening chatter on social media, which prompted action from law enforcement and led her to file a police report. Public health officials in Georgia and California have been forced to hire extra security, while others have opted to resign.

Aniruddha Hazra, MD, a medical director at Howard Brown Health, a Chicago-based federally qualified health center specializing in LGBTQ health, has encountered resistance to contact tracing for COVID-19. His clinic has been doing contact tracing on sexually transmitted infections such as syphilis and HIV for years, so taking on tracing for COVID-19 was a natural step as the health center was already conducting screenings.

In Hazra’s experience, it’s understandable for someone to be concerned when someone calls to ask them questions about their health—especially if it’s someone who’s not their doctor.

“There is a level of mistrust when reaching out to some folks about, you know, ‘Where's this information going?’ ‘What are you using this information for?’ ‘Will this information be traced back to me through the federal government or whatnot?’ Our contact tracers are able to make these patients feel more comfortable and understand that their information is secure,” Hazra says. “For a lot of our patients on the west side [of Chicago], they are more concerned about whether this will impact their immigration status or potential implication for deportation. These are all very real concerns with today's administration.”

The Truth About Contact Tracing

Like so much during this pandemic, the truth about contact tracing—how it works, who does it, how the data is used—has been politicized. Adding to the confusion is the decision by some states to adopt mobile apps to help automate their contact tracing efforts. States interested in automated exposure notification systems need to use an application programming interface (API) developed by Apple or Google.

To be successful, these technology-assisted contact tracing (TACT) apps require widespread consumer adoption and a high degree of trust in the technology and in the governmental entities deploying them.

That kind of trust may prove difficult to achieve, however, in an era where large-scale protests have been subject to allegations of surveillance by the authorities.

Indeed, some states have had to backtrack on their proposed contact tracing methods. For example, when Washington Gov. Jay Inslee announced his state’s contact tracing initiative, it originally required local businesses and restaurants to capture contact information for every customer to aid in tracing activities. After public outcry, Inslee shifted course and made those business requirements voluntary.

The Privacy Conundrum

There is also a fair amount of confusion around which privacy laws do and don’t apply to contact tracing. While HIPAA is perceived as the “gold standard” of health privacy laws, activities like contact tracing expose gaps in its reach.

Not every entity that does contact tracing is covered by HIPAA, including public health departments, according to Iliana Peters, JD, LLM, CISSP, a shareholder at the law firm Polsinelli LLP, and former deputy director of health information privacy at the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

“HIPAA will cover public health departments if they are a covered entity under HIPAA. Many of them are, but some of them are not, and some of them are what we call ‘hybrid entities,’” Peters says, noting that state and county health departments can be considered hybrid entities. “It depends on where the contact tracing piece of the public health department fits in the state department, whether it's in the HIPAA-covered healthcare component or outside the HIPAA-covered component. It would vary state to state.”

But the fact that contact tracing may or may not be covered by HIPAA doesn’t mean patient privacy rights are ignored, and it certainly doesn’t mean that HIM professionals don’t have a role to play in advising tracers on privacy best practices.

To tackle the role of privacy and contact tracing, the Journal reached out to contact tracers, privacy attorneys, and public health experts to get a better sense of the privacy issues at stake during the pandemic and discuss strategies for better protecting data collected through this work.

Mitigating Risk with Manual Contact Tracing

In late June, Centers for Disease Control and Prevention Director Robert Redfield, MD, testified to Congress that the US had roughly 27,000 or 28,000 people working in traditional contact tracing roles even though his agency estimates 100,000 tracers are needed. Other health experts, such as Redfield’s predecessor, Thomas Frieden, MD, say 300,000 tracers are needed nationally to track the virus, according to CNBC.

To hire the volume of contact tracers experts believe is needed, health departments and clinics that already conduct tracing on communicable diseases such as tuberculosis, salmonella, HIV, measles, and many others have been training existing staff on COVID-19 transmission and have been working with contractors to staff up. In many cases where the need is great, contact tracers without a healthcare background are being hired.

Howard Brown Health’s Hazra does not see lack of previous healthcare training as a dealbreaker for tracers working with his clinic in Chicago.

“They do all need to complete certain types of training online, particularly involving HIPAA information. And once they complete that training, then there's additional training about contact tracing as well. That's done through the Hopkins site,” Hazra says, referring to the popular Johns Hopkins Bloomberg School of Public Health online contact tracing course, which is widely used to train tracers.

When states started hiring contact tracers on a broad scale, HIM professionals immediately recognized that this is a task they are suited for, given their understanding of disease processes, data collection, and their extensive background in HIPAA and other privacy and security practices.

Aurae Beidler, MHA, RHIA, CHC, CHPS, compliance and privacy officer at the Linn County Department of Health Services in Albany, OR, provides annual HIPAA and privacy training to health department employees as part of her normal duties. When her county started seeing COVID-19 infections, it wasn’t difficult for her organization to begin tracing activities since they were already accustomed to doing it for local norovirus outbreaks. To prepare, everyone took the Johns Hopkins course—which does not cover HIPAA, but does cover confidentiality and ethics—and Beidler was asked to provide additional education about minimum necessary requirements, clean-desk policies, and breach notification policies.

When she was asked to provide additional training, Beidler says she thought, “What am I going to say, because this isn’t quite [protected health information] PHI we’re handling, but we’re [as a health department] a component of a HIPAA-covered entity so the staff treat all that information as if it falls under HIPAA. I think the main thing, with contact tracing, is the importance of confidentiality—that we’re not telling the people we’re contacting who the positive patient was,” Beidler says.

The concept of minimum necessary is still critical even when, strictly speaking, contact tracers handle health information that isn’t necessarily covered by HIPAA. Often, when contact tracers speak to possibly exposed people, an individual will share information about their comorbid conditions or other sensitive information about housing stability or immigration status that isn’t directly related to their COVID-19 exposure.

“That can get tricky though because we also provide resources, such as food or shelter if someone isn’t able to quarantine,” Beidler says.

To help improve public compliance with contact tracing efforts and reduce consumer concerns about their privacy, some municipalities proactively launched public information campaigns to create awareness.

For example, in Evanston, IL, a northern suburb of Chicago, the city created YouTube videos about contact tracing, created FAQ pages on the city’s website, issued warnings about contact tracing scams, and created social media posts and announcements in April.

Ike Ogbo, MPH, Evanston’s director of health and human services, says this campaign was a vital part of managing the pandemic.

“We felt that that was needed so that the community can have this information available so that they know essentially what contact tracing means, because I understand that people not truly understand what it means, and we try everything we can to relay that information to the public when we were making these calls,” Ogbo says. “Education is good and how it's delivered matters, and that's what we do in our contact tracing, just providing the facts, providing the education, letting them know why this business is done. So that's how we've been able to navigate and it's how we've been able to be as successful as we've been for our contact tracing.”

To ensure patient privacy, the contact tracers working for Ogbo have prior healthcare experience that includes training on privacy and confidentiality. They also undergo background checks and are asked to sign confidentiality agreements. The contact tracers also use a high-security database to store the information they’ve gathered from patients to keep the data protected.

“Not everyone has access to that database. It is highly protected. And this is a database that we not only use for COVID, but we've used for other communicable diseases where if there's a cure, that's where our data is stored,” Ogbo adds.

Digital Contact Tracing Risks and Benefits

There are many reasons that members of the nervous public might feel more comfortable with digital contact tracing than manual methods. For one, many people are accessing telehealth and secure portal messaging with their doctors via their mobile phones already, and they trust the security features that allow them to make payments and do banking through mobile apps.

Sharing the results of a COVID-19 screening on an app created by Google and Apple might feel more private than discussing potential contacts with a person calling from the local health department.

In Europe, where many countries have sophisticated contact tracing infrastructures already in place, mobile apps have been a powerful and effective tool in curbing their COVID-19 cases. These apps have been successful in Germany—a country that has strict privacy laws and is very wary of any sort of state surveillance—where over 15 million people downloaded the country’s contact tracing app within the first three weeks that it was available. The German app uses the Google/Apple API.

As Health Affairs notes, “Digital contact tracing substitutes mobile apps for individuals who track down instances of COVID-19 exposure through interviews with coronavirus carriers. Individuals install these applications on their phones. The app uses either GPS or Bluetooth data to record when two users have been in close proximity of each other for a sufficiently long period of time for the virus to be transmitted. When a user reports that he or she is COVID-19 positive, the application can immediately alert other users who were near the infected user, encouraging them to get tested.”

Apple and Google’s app uses Bluetooth data only and utilizes a safer decentralized approach to data storage, which pleases data privacy advocates. Decentralized means that the data that’s collected is stored on users’ phones rather than on a server or database that’s harder to protect.
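A simplified model of the decentralized design described above, added here as an illustration and not code from Apple, Google, or any deployed app. The HMAC-based ID derivation, the 10-minute interval, and the `Phone` class are assumptions chosen for clarity and do not reproduce the actual API; the scenario data is constructed.

```python
import hashlib
import hmac
import os

INTERVALS_PER_DAY = 144  # assumption: a new broadcast ID every 10 minutes

def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Short-lived ID a phone broadcasts over Bluetooth (simplified derivation)."""
    msg = b"rolling-id" + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]

class Phone:
    def __init__(self):
        self.daily_keys = {}  # day -> random secret; uploaded only on a positive report
        self.heard = set()    # (day, ID) pairs observed nearby; never leaves the device

    def broadcast(self, day: int, interval: int) -> bytes:
        key = self.daily_keys.setdefault(day, os.urandom(16))
        return rolling_id(key, interval)

    def observe(self, day: int, rid: bytes) -> None:
        self.heard.add((day, rid))

    def report_positive(self, days):
        """Upload only this user's own daily keys: no contact list, no location."""
        return [(d, self.daily_keys[d]) for d in days if d in self.daily_keys]

    def check_exposure(self, published):
        """Re-derive IDs from published keys and match against local observations."""
        return sorted({day for day, key in published
                       for i in range(INTERVALS_PER_DAY)
                       if (day, rolling_id(key, i)) in self.heard})

def simulate():
    """Constructed scenario: alice and bob meet on day 1; carol is elsewhere."""
    alice, bob, carol = Phone(), Phone(), Phone()
    for interval in (50, 51, 52):
        bob.observe(1, alice.broadcast(1, interval))
        alice.observe(1, bob.broadcast(1, interval))
    carol.broadcast(1, 50)
    server_store = alice.report_positive([1])  # all the server ever holds
    return {"bob": bob.check_exposure(server_store),
            "carol": carol.check_exposure(server_store),
            "server_store": server_store}

if __name__ == "__main__":
    r = simulate()
    print(r["bob"], r["carol"], len(r["server_store"]))
```

In this model the server stores one random key for the user who reported positive, and the matching that reveals who was nearby happens only on each phone.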

Hale Melnick, JD, who specializes in health privacy at Polsinelli, says apps that use a centralized server pose more risk.

“In a centralized approach, for example, if you're calling people and logging that information into a central server or the data that's being collected from the contact tracing app is being uploaded into a central server, then you'd have a higher risk of that information being breached or there being an unauthorized use. However, albeit that risk, you have public health departments that are able to do more with it that way, and do more outreach,” Melnick notes.

Peters sees a lot to like about this approach.

“If we have good data security built in, whether or not it's a mobile device application or an internet-based application, or an application that's proprietary and used by a public health department, if there's good data security, arguably there can be fairly few risks to an individual from a privacy perspective. Particularly if we have good guidance on who gets to access that data once it's in electronic form, good access controls, only the people that should get access from a privacy and security standpoint get access,” Peters says.

She also notes that there are cases where HIPAA applies to these apps if their use is governed by a business associate agreement with a public health entity.

A Health Affairs op-ed points out that there’s still a “need for an overarching regulatory regimen for contact tracing” to help account for the gaps left by HIPAA. And to Peters’ point, it notes, “If a hospital contributed COVID-19 diagnoses or test results to a contact-tracing app that also used geolocation data and was operated by a non-HIPAA covered entity, we may see a database that had a patchwork of requirements relating to consent, right to be forgotten, and allowable uses. Furthermore, giving enforcement power to the FTC rather than to the Department of Health and Human Services (which customarily pursues HIPAA violations) may make it more difficult to address health data privacy violations.”

Attorney Kirk Nahra, JD, co-chair of cybersecurity and privacy practice for the law firm WilmerHale, says that since HIPAA so frequently does not apply when it comes to mobile health collection, he often finds himself giving clients advice on how to deal with gaps in the law.

“The data that matters about you is your connections to all the other people in the world, and that's the hard part. And so I think a lot of the contact tracing challenge is that you're collecting a lot of data, and it's not really clear how much it's going to work. And so, you know, that's very much part of a privacy debate is sort of balance and proportion,” Nahra says.

 

Mary Butler (mary.butler@ahima.org) is senior editor at the Journal of AHIMA.