Today’s Health Crisis, Tomorrow’s Privacy Lessons

Privacy Plus+

Privacy, Technology and Perspective

Today’s Health Crisis, Tomorrow’s Privacy Lessons. This week, we weigh the benefits of preventing or controlling the spread of the COVID-19 virus against the cost to personal privacy and the ultimate threat to individual freedom.

Where should the United States draw the line? 

Consider the facts, as we write this.  It has been reported that China, Israel, and South Korea are all implementing privacy-intrusive surveillance for the purpose of tracking the location of COVID-19 carriers.  A link to an article on this subject follows:

https://www.zdnet.com/article/us-israel-south-korea-and-china-look-at-intrusive-surveillance-solutions-for-tracking-covid-19/

Without extensive testing and contact tracing, the United States cannot know the extent of the outbreak. Without the disclosure of otherwise protected health information (“PHI”), we may not be able to stem the spread of this virus and save lives. 

Yet privacy concerns have already impeded testing in at least one instance, where the federal government suppressed COVID-19 testing because the patients had not expressly consented to being tested. You can read more about that by following this link:

https://theweek.com/speedreads/901405/seattle-lab-uncovered-washingtons-coronavirus-outbreak-only-after-defying-federal-regulators

In times of national health emergency like these, however, there is a compelling argument that our liberty interest in personal privacy should be subject to our society’s interest in public health and saving lives.

In fact, HIPAA allows disclosures for “public health activities” without patient consent, under 45 CFR 164.512(b)(1)(i).  Public health authorities are allowed un-consented access to PHI for “preventing or controlling disease, … including but not limited to public health surveillance, investigations, or interventions.”

A link to HHS guidance on this subject follows:

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-public-health-activities/index.html

HHS’ Office of Civil Rights (OCR) and the Center for Disease Control (CDC) have guidance as well.  A link to OCR’s guidance follows:

https://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm

A link to CDC guidance on this subject follows:

https://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm

More recently, OCR’s Office of the National Coordinator for Health Information Technology has elaborated somewhat.  A link to its guidance follows:

https://www.healthit.gov/sites/default/files/12072016_hipaa_and_public_health_fact_sheet.pdf

HIPAA, the regulations, and the associated OCR guidance all authorize public health authorities to collect and use PHI in order to “control disease.”

This authority is broad; while public health authorities are expected to seek only the minimum amount of PHI necessary, covered entities may rely on a public health authority’s own interpretation of what that is. 

Look carefully, though, and you’ll see that two of these three pieces of guidance are dated April 2003, and thus presumably relate to HIV, which is distinct from, and less pervasive than, COVID-19. The most recent guidance is from December 2016, which would have benefited from then-recent experience with Ebola, which again is distinguished from the threat we now face. Hence, the closest analog to COVID-19 seems to be the 1918 flu, which is all-but-forgotten, at least in medical literature.

In any event, the guidance is broad and general:

“Public Health Authorities, do what it takes.” 

We hope they will “do what it takes,” and do it fast.  Along the way, the CDC notes that public health authorities have a history of being mindful of personal confidentiality – but we doubt that confidentiality will be practical or even a first- or second-order objective, in the urgency of “spreading the word” today. 

Anecdotally, we are already seeing this.  Our office building has notified us that someone who offices there has been exposed; even though s/he hasn’t come into the building since being exposed, s/he won’t be allowed back in without an “all clear” from some authority. Nobody wants to be Typhoid Mary.     

People are going to die because the nation wasn’t prepared for this.  More people will die every day that we delay.  This is not a time for a privacy impact assessment.  Let’s remember, though, that every massive, public response in living memory to a sudden, terrifying crisis has stampeded civil rights like a cavalry charge in a rush to protect public safety.

We can let the public health authorities do what they need to do.  Let’s just help them focus on why they’re doing it, learn our inevitable lessons in real time, and remember that history is watching. 

---

Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.
