Increased access to personal data might compromise privacy during coronavirus, but it may be necessary: Experts
As efforts to scale up surveillance and contact tracing capacity look to novel solutions, some experts are raising questions about the collection of personal medical and other potentially sensitive data to support these programs.
Why is such data needed during the COVID-19 pandemic? A core strategy for checking disease spread is contact tracing — taking an infected person, finding anyone they came into contact with, and isolating them. The ability to conduct contact tracing quickly and at a large scale can be effective not only in flattening the curve of the outbreak, but also for enabling people to safely enter public life once a community is on the downward side of the curve, say experts.
The US Department of Health and Human Services recently announced that it would relax enforcement of legislation prohibiting healthcare institutions from sharing patients’ protected medical information as long as it is used for “public health and health oversight activities” related to COVID-19. Additionally, private sector companies have increasing access to medical data through COVID-19 screening apps. Multiple countries such as China and South Korea have used smartphone apps and location information to track infected individuals and notify those who may be at risk of exposure. While this concept could automate and accelerate the normally challenging process of contact tracing, it raises concerns about the collection and use of potentially sensitive information, particularly medical and location information.
Some are also asking what happens to personal privacy after the pandemic slows down and is brought under control. “Nobody knows the answer which will depend, in part, on the nation’s regulations. That is, it may have one effect in China and another in, say, England. If regulations are relaxed in a directed way, and narrowly focused, the answer is it will probably not be generally invasive. That said, the trend is certainly to the broad use of personal data by corporate institutions (Facebook and Google, for example). Whether it will become institutionalized is another question,” Dr Tom Koch, professor of medical geography at The University of British Columbia, and author of 'Disease Maps: Epidemics on the Ground' told MEA WorldWide (MEAWW).
According to Dr John Swartzberg, clinical professor, emeritus, UC Berkeley-UCSF Joint Medical Program (Infectious Diseases & Vaccinology Division), it is a “slippery slope.” “Still, in times of pandemics, just like in times of war (where he says that the definition of war is psychosis on a societal scale), temporary abrogation of individual rights may be necessary,” he told MEAWW.
What is the US doing?
The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) is responsible for enforcing certain regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act that protect the privacy and security of protected health information, namely the HIPAA Privacy, Security, and Breach Notification Rules (the HIPAA Rules).
Current regulations allow a HIPAA business associate to use and disclose protected health information for public health and health oversight purposes only “if expressly permitted by its business associate agreement with a HIPAA covered entity.”
“As a matter of enforcement discretion, effective immediately, the HHS Office for Civil Rights (OCR) will exercise its enforcement discretion and will not impose potential penalties for violations of certain provisions of the HIPAA Privacy Rule against covered healthcare providers or their business associates for uses and disclosures of protected health information by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency,” said a statement.
Meanwhile, Google and Apple have also announced a joint effort to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of the virus. “A number of leading public health authorities, universities, and NGOs around the world have been doing important work to develop opt-in contact tracing technology. To further this cause, Apple and Google will be launching a comprehensive solution that includes application programming interfaces (APIs) and operating system-level technology to assist in enabling contact tracing,” said an April 10 statement.
Apple also released a screening tool in March that can help people understand what to do next about COVID-19. Some universities have also launched studies where they are collecting information from wearables to tackle COVID-19 and better understand the disease.
What is the fear?
Privacy refers to individuals’ universal rights to control their data, and security is how that data is protected, according to an article in The Conversation.
As businesses increasingly mine data about consumers, Americans are concerned about preserving their privacy when it comes to their personal information and behaviors. While relaxing privacy rules may be justified during a pandemic, some experts question what will happen in the long run and whether it will compromise personal freedom.
“Will we go back to normal, or will the erosion of privacy become part of the fabric of American healthcare, accepted as the price of continued vigilance against new viruses, in the same way Americans tolerated the loss of privacy and personal freedoms after the 9/11 terrorist attacks?” questions a STAT article.
According to a blog, knowing where to draw the line requires a “fine reading of the Constitution and a nuanced understanding” of the balance between societal good and personal freedom. “It’s unclear who might be willing to do that kind of fine reading during a serious pandemic...The erosion of data privacy could also persist beyond the pandemic itself. The war on terror was originally launched as a response to the September 11 crisis, but it has persisted for decades, with legal authorities extending well beyond their original goals,” said the blog.
Meanwhile, US Senators Bob Menendez, Kamala Harris, Cory Booker, and Richard Blumenthal wrote a letter to Apple stating that while the use of technological innovations and collaboration with the private sector is a necessary component to combating COVID-19, Americans should not have to trade their privacy at the expense of public health needs.
“While we acknowledge Apple’s statements regarding user privacy and that the questionnaire tools do not require a sign-in or association with a user’s Apple ID and users’ individual responses will not be sent to Apple or any government organization, we are nonetheless concerned for the safety and security of Americans’ private health data. Additionally, Apple maintained that although it will not collect personal information, it will collect “some information” to help improve the site without identifying what that information will be,” the senators wrote to Apple’s CEO, Tim Cook.
The letter said, “In the interest of Americans during these unprecedented times, all data collected via Apple’s screening tools should remain confidential and must not be used for any commercial purposes in the future. Moreover, Apple should clearly state if the collected information is in compliance with the Health Insurance Portability and Accountability Act (HIPAA). Additionally, we would like to better understand your efforts to keep any collected information safe from potential hackers, foreign state and non-state actors with nefarious intent, and other criminal enterprises.”
While announcing the launch of the screening tool, Apple had said that consistent with its “strong dedication to user privacy,” the COVID-19 app and website were built to keep all user data private and secure. “Apple is not collecting your answers from the screening tool. To help improve the site, Apple collects some information about how you use it. The information collected will not personally identify you,” said the company while addressing the tool’s privacy on its website.
The latest announcement on Apple and Google partnering on COVID-19 contact tracing technology again emphasizes that user privacy and security are central to the design. “Apple and Google will be launching a comprehensive solution that includes application programming interfaces (APIs) and operating system-level technology to assist in enabling contact tracing. Given the urgent need, the plan is to implement this solution in two steps while maintaining strong protections around user privacy,” reads the statement.
According to Dr Lee W Riley, chair of the Division of Infectious Disease and Vaccinology, School of Public Health, University of California, Berkeley, privacy is important, but when the issue is a matter of life and death, “we need to set the priority straight.” “After all, most Americans share all kinds of private information with social media companies and they don't seem to mind. Public health officials are well aware of what types of medical information need to be collected or not collected to control the epidemic, and there are many ways to keep hidden the identity of involved persons. The same issue came up in Korea and they did their best to address this,” Dr Riley told MEAWW.
He says the problem is that regardless of their effort to protect privacy, people who use social media can figure out who the protected person is and disseminate that information. “So, the more important question about privacy is how do you protect individuals from social media users?” questions Dr Riley.