Through the Looking Glass: Considerations for health data privacy amid COVID-19 and beyond
The impact of COVID-19 has been devastating, yet we have witnessed global unity against a common enemy. Day after day, healthcare and other essential workers continue to put their lives on the line to save others, while individuals sacrifice interaction with family and friends for the greater good.
Along with this vast willingness to combat the effects of the virus is a call to rapidly collect and use individual health data to help combat the spread of COVID-19. However, there is a misconception that this requires widespread acceptance of large-scale patient surveillance efforts. This worries me — and our DiMe community — greatly.
Smartphone data are — without explicit consent — being used to determine where folks are or aren’t social distancing. This kind of information is labeled “anonymous” and used in aggregate, yet privacy experts repeatedly have shown that supposedly anonymous data can still be used to identify individuals, based on, for example, known movements like daily commutes.
Moreover, it is clear that not all data collection efforts achieve their stated public health benefits. For example, collecting certain data like phone location hasn’t been proven to be effective in tracing the spread of the virus. Further, privacy experts state there is no reason to believe that government agencies — even those that are eager to expand their power in response to COVID-19 — will be willing to let their new overreach lapse once the virus is eradicated.
So, while Americans are conflicted on the use of health tech surveillance in the context of COVID-19 (see reports here and here), DiMe took a deeper look at what this means for health data. In this post, I share my conversation with Marisa Cruz, physician and Chief Medical Officer at Limbix, and Dena Mendelsohn, director of Health Policy and Data Governance at Elektra Labs. Here, we explore the future implications of the current conversations about using digital technologies for population health surveillance.
There have been a variety of calls to harness connected sensor technologies — from the GPS in our smartphones to biometric data from activity trackers — to help limit the spread of COVID-19. What are the privacy implications of this kind of surveillance?
Marisa Cruz (MC): Sensor-enabled technologies have significant potential to positively impact health outcomes during the COVID-19 pandemic, by enabling earlier detection of infectious symptoms, allowing vulnerable populations to be monitored safely at home, or limiting the spread of infection through contact tracing. Promoting widespread adoption of such technologies without ensuring appropriate protections for patient autonomy, patient privacy, and data governance, however, may ultimately erode or negate those potential public health benefits. While the benefit-risk calculus of these decisions may reasonably fall toward broad surveillance in the short term, it will be critical to ensure that systems set up during the pandemic do not lead to indefinite data sharing agreements, and that law enforcement and insurers, among others, are prohibited from using data collected during the acute crisis of COVID-19 against patients.
Dena Mendelsohn (DM): As late as we are to rolling out a comprehensive strategy to combat the spread of COVID-19, it is critically important that basic data rights be ensured before individuals are pressed to participate in any digital surveillance scheme. With mindful implementation, we can have a scenario where a larger cohort of individuals participate, making surveillance more productive, without subjecting themselves to the risks inherent in data collection and use.
How are current practices that protect individuals’ health data effective — or not — during this public health crisis?
MC: For medical devices that are prescribed to patients by healthcare providers, existing laws designed to protect individual patient data are still largely in effect. While these laws limit how hospitals and doctors can share personal health data, they have always included certain exceptions, including the ability of public health authorities to directly access private health information without consent if necessary to prevent the spread of disease. In responding to the COVID-19 outbreak, moreover, FDA has moved to allow immediate use of a number of products that have not yet been reviewed for adherence to appropriate privacy and cybersecurity protections. Finally, many products that could be repurposed to support public health efforts, like activity trackers, are consumer products that are not held to the same standards for data privacy and security.
Rachel Chasse (RC): Lots of groups are harnessing health data in response to COVID-19, including medical device manufacturers as Marisa mentions, Apple and Google building trackers into their smartphones, governments at the city and federal levels, and academic research groups such as at Duke University. There are honest people at each of these places doing good work to learn more about the spread of the virus, but differences do exist in terms of patient rights and protections. For example, when patients sign up for a research trial, they receive an informed consent document which details how, when, and for how long their data will be collected, used, and stored. Companies like Apple and Google don’t tell you how this kind data will be used outside of a nearly-useless Terms of Service agreement, and don’t have the best record when it comes to privacy, anyway.
DM: There is a huge regulatory gap around the exact type of health information that could be leveraged for COVID-19 monitoring: health information collected or stored on direct-to-consumer health apps and digital products. Until a comprehensive law is passed, individual company’s privacy policies and terms and conditions are the de facto law. It’s confusing enough when laws vary by state — when it comes to non-HIPAA health data, individuals’ rights vary by product.
What are the long-term ramifications of this?
MC: It is difficult to predict the arc of COVID-19, let alone the unintended consequences of our efforts to manage the outbreak. A key concern, however, is that one consequence will be a stifling of the national conversation that needs to be had about our willingness to accept deployment of increasingly intrusive technologies, like facial recognition, and analytic techniques that enable re-identification of individuals from aggregate sensor-based data. Broad deployment of mass surveillance tools in the interest of containing an acute crisis may prove to be legally and logistically difficult to roll back.
RC: What remains to be seen is what happens to this data once this threat has ended. Will location data used for social distance tracking end when we’ve moved out of pandemic status? Likely not as companies have been abusing locations services long before the pandemic. What happens when someone is identified as having the virus per technology tracking and it is learned they passed it onto others — or you’re identified as having attended an event which spread the virus? The stigma of being a carrier and a “spreader” is likely to linger with unintended consequences. Further, as COVID-19 testing still is not widely available and thus prevalence rates are not accurately reported, we are tracking people without knowing their true disease status. This means people are simply being traced under the thinly-veiled moniker of public health.
So where do we go from here? Data are powerful when it comes to combating a health crisis and there is no argument that data are greatly needed in a global crisis. However, it is also very important to know how your data are being collected, for how long your data are being collected, if your data will be for sale, and who will have access to your data. Unless those collecting data are clear and straightforward with this important information, one cannot be sure their health data is being protected and treated with care. Without this transparency, the pandemic is sure to spur another crisis — one that cannot be cured with a vaccine.
Dr. Marisa Cruz is the Chief Medical Officer for Limbix. She previously served as the Senior Medical Advisor for the Digital Health Unit in the Center for Devices and Radiological Health at the U.S. Food and Drug Administration.
Rachel Chasse, MS, is the Director of Innovation for the Digital Medicine Society (DiMe).