As Congress fumbles its way toward a new coronavirus stimulus package, a group of senators has called on lawmakers to protect patient privacy during data collection about the disease.
The 13 senators, including 12 Democrats and one independent, are pushing for Congress to pass the Public Health Emergency Privacy Act as part of any new stimulus package.
The bill, introduced in May, would require that data collected for public health be limited to that use. It would prohibit the use of health data for advertising and e-commerce. It would not allow healthcare to be used to screen out people for employment, financial, insurance, housing, and education opportunities.
Health screening and contact tracing are necessary to fight the COVID-19 pandemic, but people need to know that their health data won’t be used for purposes that they didn’t agree to, the 13 senators wrote in a letter to Senate leaders in late July.
“Health data is among the most sensitive data imaginable. Even before this public health emergency, there has been increasing bipartisan concern with gaps in our nation’s health privacy laws,” said the letter, originating from Virginia Sen. Mark Warner. “While a comprehensive update of health privacy protections is unrealistic at this time, targeted reforms to protect health data — particularly with clear evidence that a lack of privacy protections has inhibited public participation in screening activities — is both appropriate and necessary.”
With negotiations over a new stimulus package already contentious, it doesn’t appear likely that the health privacy bill will be included.
Some privacy and cybersecurity advocates applauded the push for health privacy. Data collected for COVID-19 tracking and diagnosis need to be limited to only those uses, said David Kennedy, CEO of cybersecurity firm TrustedSec. “Health data could easily be abused by companies, marketing firms, insurance providers, and others, so it is critical to have legal limits built into any data collection and retention effort.”
Lawmakers also need to make sure there are no loopholes in the privacy rules for “murky areas” such as insurance calculations, employment considerations, and the higher education admissions process.
Kennedy also called on lawmakers to require that collected data be deleted after it’s no longer needed for the original use.
The proposed bill mandates the deletion of the collected data after the public health emergency has ended, but “that determination is essentially left to the government to decide, and it’s not hard to imagine that this deletion event could be continually postponed if there are any remaining active cases of the infection, even if the epidemic itself has largely been eradicated,” he said.
Kennedy is also worried about “mission creep” with the collected health data.
“While there is definitely a strong public need to carry out effective contract tracing for this epidemic, once the government begins to collect this information, it may find it is useful for other efforts, too,” he added. “One could see how this level of access could easily evolve to include other communicable diseases, and then other public safety issues.”
For example, law enforcement agencies may be interested in COVID-19 tracking information when investigating murders, child abductions, or hit-and-run accidents, he said.
Limits on the collection of health data are needed, added David Reischer, an attorney and CEO of LegalAdvice.com. The Constitution’s Fourth Amendment limits the collection of biometric information, he said.
“The government collects more data than is currently needed to protect its citizens,” he said. “The right to privacy prevents any unlawful scanning of a person’s temperature to be collected and saved in a central repository owned by the government. There are legitimate concerns of a mass surveillance state developing, whereby an individual’s biometric data is ever obtained and stored.”
The government should be permitted to have only the necessary and relevant data on its citizens that serve the public interest, Reischer added.
“I do not believe it is ever wise to trust the government with our personal biometric data,” he said. “Government could only earn my trust if they set up a bipartisan committee to set up procedures and a review process for the regular deletion of collected private data.”