Healthcare data is some of the most sensitive information belonging to an individual. As a result, it falls into a uniquely protected class in the U.S. The new coronavirus pandemic has put health data front and center—timely, accurate reporting of new cases is critical in our fight against COVID-19, and we know it. While only 29% of surveyed Americans would be comfortable sharing their location data to help fight the new coronavirus, 55% are willing to share health information for that same purpose.
In an attempt to mitigate the spread of the virus, the government and private sector are taking actions to make the sharing of health information easier. Apple and Google jointly announced a contact tracing or “exposure notification” framework to alert Americans who were potentially exposed to COVID-19, while the Trump administration relaxed HIPAA oversight to streamline the use of telehealth services.
However, it is also important we examine these efforts with a critical lens, particularly in light of recent moves in China to make the use of COVID-19 monitoring apps permanent and to expand the data collected. As our digital footprint grows and our federal government moves toward creating a national “surveillance and data collection system,” in partnership with the private sector, the government should enact strong safeguards to fortify the privacy and security of our medical data. Otherwise, we run the risk of these well-intentioned efforts creating harm in the long run.
Improving healthcare access
On March 16, the Department of Health and Human Services modified HIPAA guidelines to allow the use of videoconferencing platforms for doctor’s appointments to improve the accessibility of healthcare during quarantine. Yet, if history has taught us anything, the emergency provisions adopted during emergency circumstances often linger long after. The Patriot Act, a temporary measure introduced following the 9/11 attacks, established a new standard when it came to surveillance. That regime remains in use nearly 20 years later.
Telehealth’s newfound popularity raises the question of whether the personal privacy protections HIPAA affords will face a similar fate. Platforms such as Zoom have seen extraordinary growth but were also woefully unprepared to host confidential conversations. Convenience is appealing but also dangerous. If we fail to limit the scope of these emergency measures, our medical information would forever be at the mercy of companies such as Zoom, which is already under active investigation for its glaring privacy and security flaws.
Data doesn’t just disappear
The proliferation of pandemic-fighting consumer apps presents similar concerns for health data. While built with a public service in mind, the private entities underwriting these initiatives warrant a closer look.
Take Google, cocreator of the upcoming contact tracing initiative. Users would be asked to volunteer their infection status so the apps running on their platform can alert people if they’ve been near an infected individual. Though small, that one piece of sensitive medical information could conceivably support Alphabet’s corporate interests in healthcare or enable authoritarian-style surveillance. And if this data is made public or shared for a purpose beyond contact tracing, it could be used to deny health benefits, facilitate employment discrimination, or encourage social ostracization.
This may feel like a stretch—especially in light of Apple and Google’s assurances—but Big Tech’s history is littered with ulterior motives and going back on its promises. Not to mention that this is already happening overseas. Some Chinese officials are taking steps to expand the color-coded infection-risk rating system, designed to enforce quarantine, and also to expand the types of health data it collects to include sleep, exercise, smoking, and drinking. It could also be linked to medical records. One Communist Party secretary envisioned his city’s app as an “intimate health guardian.” Meanwhile, Singapore—which adopted its own contact tracing initiative—has published information on infected citizens, including their age, gender, and where they work, leading to incidents of online and real-world harassment. And with the discussion of “immunity passports” percolating, experts are now concerned about a rise in “strategic self-infection” while those not deemed immune are excluded from reentering society.
A balancing act
As the crisis continues, we need to outline clear boundaries around health data to protect it from misuse, exposure, and theft. Privacy versus public health does not have to be a binary choice. To ensure this, we must clearly define and establish transparent guardrails around:
- Who has access to this data: It seems that everyone is looking to gain additional insight into the spread and prevention of COVID-19. It is critical that we define, control, and limit who has access to our health data at every point in the process.
- How health data can be used during the crisis: There are ways to track the spread of COVID-19 without completely steamrolling privacy. To their credit, Apple and Google’s new partnership takes some concrete steps, such as only using Bluetooth signal transmissions and decentralized storage mechanisms. While there are still open questions about how this will work in reality, we must seize similar privacy-preserving opportunities with our health data, where possible.
- How health data will be used after the crisis: In short, it shouldn’t be. The U.K.’s National Health Service (NHS) already released its own guidance declaring that health data collected during the pandemic must be destroyed. It is critical that we adopt zero-tolerance policies for all government and private-sector efforts.
- How long emergency measures will remain in place: Apple and Google’s contact tracing program, the Trump administration’s national surveillance system, HIPAA’s modified enforcement guidelines, and any additional measures should not become permanent fixtures of American life. We must set firm timelines on how long “temporary” provisions are allowed to stay in place.
It’s clear we need to pull out all the stops to fight the spread of the coronavirus in order to minimize the loss of life, but it is also imperative that we handle this moment responsibly. Several U.S. senators recently proposed the COVID-19 Consumer Data Protection Act, which takes steps in the right direction but also contains some disconcerting loopholes. And while privacy might take more of a backseat during a global crisis, it would be to the detriment of society as a whole if we let it fall by the wayside.
Heather Federman is the vice president of privacy and policy at BigID.