By Melanie Padgett Powers, writer
Public health laboratories have been collecting and distributing data for decades, focused on the best practice of accessing the minimum patient data necessary to do the job required. As technology has become more and more sophisticated, federal and state governments and the public health system have worked to improve cybersecurity and data privacy protocols. But there are gaps between what the Health Insurance Portability and Accountability Act (HIPAA) protects and what state privacy laws protect, and even in how state health departments interpret various privacy laws.
When the COVID-19 pandemic arrived in the US in 2020, it both underscored the gaps and exacerbated the challenges as public health laboratories began amassing data in unprecedented quantities. And, for the first time, the federal government required public health data be sent to it. In addition, more people began to question where people’s health information was being stored and who could see it, particularly COVID-19 test results and vaccination records.
“COVID-19 has shone a spotlight on the importance of information flow and maintaining privacy,” says Adam Greene, JD, partner at Davis Wright Tremaine LLP and outside counsel for APHL. “It has highlighted, for some, the limits of HIPAA and the fact that it doesn’t reach throughout the health care system. It’s brought new attention to a longstanding issue.”
When it comes to medical privacy, public health laboratories may be bound by HIPAA’s privacy protections, depending on whether they electronically conduct any administrative transactions with health plans, Greene explains. However, a HIPAA public health exception allows HIPAA-covered entities, including HIPAA-covered laboratories, to disclose patient health information to public health authorities without patient authorization in the interest of public health, such as preventing and controlling disease, as in the case of COVID-19. Public health laboratories generally are covered under state privacy laws, which vary widely across the country.
“Each of the public health labs have to also worry about whatever their state data privacy laws require,” says APHL General Counsel Troy Willitt, JD, MPA. “HIPAA sets the floor, and states can certainly build on top of that, and a number of states have done just that. How those data need to be handled once they’re at the public health lab will depend on a variety of things, not the least of which is what the law requires.”
This patchwork of laws can be confusing, but public health laboratories cannot always rely solely on the HIPAA public health exception. “It’s more nuanced than that,” Willitt says. For instance, in some public health departments different divisions are responsible for HIPAA versus non-HIPAA compliant components. In those cases, “it depends on the division that gets the data in order to figure out how they have to treat it.”
Public health laboratories should consider data privacy as a part of layers of data security that work together, says Michelle Meigs, MBA, APHL director of informatics. “You need the systems in place to help safeguard patient data,” she explains, “and then you need the processes in the laboratory, you need the policies at the state, but you also have to make sure you’re complying with regulations, whether they be state or federal.”
Federalization of Public Health Data
All of this became even more complicated when COVID-19 hit US shores. The Coronavirus Aid, Relief, and Economic Security (CARES) Act in March 2020 required, for the first time, federalization of public health data. The law requires “every laboratory that performs or analyzes a test that is intended to detect SARS-CoV-2 or to diagnose a possible case of COVID-19” to report those results to the US Department of Health and Human Services (HHS), specifically the US Centers for Disease Control and Prevention (CDC).
APHL responded quickly to the requirement, modifying its existing APHL Informatics Messaging Services (AIMS) platform—which allows public health agencies to securely share data electronically—so agencies could send required COVID-19 test results to CDC.
However, CDC wants not only data on positive COVID-19 tests but also negative and indeterminate test results. “There is a lot of information being collected, and all data has to be reported,” Meigs says. “So in the end, it is just sheer volume and it’s crazy.”
Public health laboratories must first report each COVID-19 test result, along with certain patient information, to their state public health department. Then the laboratories must de-identify the data before sending it to CDC.
To add to the workload, public health laboratories may receive too little or too much patient information from health care providers. Too little information requires public health laboratory professionals to track down the information required to be reported. Too much information—which may also be sent via unsecure email or fax—brings up data privacy issues. These challenges became more pronounced as COVID-19 testing ramped up and the pandemic worsened last fall and winter.
Expansion of Concerns
In 2021, data privacy and security concerns will likely reach beyond public health laboratory testing, as states develop vaccination rollout plans and as at-home testing expands. Already, the public has been worried about sharing personal data through COVID-19 contact tracing apps. Addressing one such concern, the American Civil Liberties Union has called upon states to ensure police and immigration enforcement do not have access to contact tracing or any personal health information.
A June 2020 Amnesty International report cited Norway, Bahrain and Kuwait as having some of the most invasive contact tracing apps. Norway halted its app’s use after Amnesty pointed out the app violated privacy by using GPS to share real-time user location information with a government database.
During the pandemic, Google and Apple teamed up to create the Exposure Notifications System for mobile devices, which uses less-invasive proximity tracking via Bluetooth. This allows people to opt in to receive notifications when they have been near another mobile user who has since tested positive for COVID-19. While each state has a unique app, notifications can occur across states due to the use of a national server hosted by APHL. Personal information and identities are not shared.
Americans are also expressing concern about who will have access to the vaccination records CDC is requesting from state and local public health departments. CDC is requesting names, birthdates, addresses and ethnicities of people who have been vaccinated against COVID-19, according to a December 7, 2020, Healthline article. New York Gov. Andrew Cuomo has said his state will not provide the data because he is not comfortable with the possibility that the US Immigration and Customs Enforcement will use it to find undocumented immigrants.
CDC does track other vaccination rates, such as how many people got an annual flu shot or how many incoming kindergartners have had the measles, mumps and rubella vaccine. However, that information is typically de-identified before it is sent to CDC.
Personal information is shared with CDC for reportable illnesses such as tuberculosis, syphilis, and hepatitis A and B. However, the public may not even know about this process because of those diseases’ relatively smaller numbers. In the case of COVID-19, by the end of February 2021, more than 28 million people in the US had contracted the disease and over 500,000 had died.
Because of the widespread threat of COVID-19, debates have begun on whether individuals will soon need to show proof of vaccination to board a plane or train. Will employers require proof of vaccination for work?
“There are people who are ready and willing to provide to the Transportation Security Administration evidence of vaccination or a negative test result, but there are other people that feel very strongly that this is not the business of the federal government and may want to get on a plane without providing that evidence,” Greene says. “There are strong differences of opinion on what information should be disclosed to the government entities and public health authorities and under what circumstances.”
At-home Testing Data Challenges
Related to data privacy are the data collection challenges of at-home COVID-19 testing. President Joe Biden has endorsed making COVID-19 testing free for all Americans and creating a national strategy using rapid and at-home tests. If the number of tests increases substantially, Meigs says CDC may stop requiring negative and indeterminate test results because of the sheer volume of data. “CDC and others, I think, will probably say, ‘Enough is enough; we don’t need millions upon millions of negatives flooding our system.’” However, the federal government will likely still want national-level testing data of some sort to show test coverage.
Individuals are not mandated to report at-home test findings, so reporting will depend on where the test was done and if it needed to be sent to a laboratory. Prescription-based tests or those marketed and run by private laboratories will likely get reported, as opposed to a test that is completely over-the-counter.
At-home testing could also reduce the testing burden on public health laboratories, Meigs says. This may allow laboratories to get back to some of their regular functions and not focus primarily on COVID-19 testing.
Federal health data collection has been swung wide open, with the government now requiring large amounts of personal health information. And Meigs doesn’t see the door closing anytime soon. “They’re going to want as much data as possible, so that they feel like they’re prepared for the next pandemic. But I don’t know how they’re going to use it all, and I think that’s the point.”
Greene adds, “With CDC and the federal government involved in the response, there’s definitely been a push for more direct reporting to the federal government rather than the more traditional reporting to the states and the states potentially reporting information to the federal government.”
That raises a lot of questions, he says, such as whether some states will be more adamant about maintaining their public health role over the federal government and whether the federal government needs all the data it is requesting. “Some individuals are, rightly or wrongly, very concerned about the idea of big government databases that contain their sensitive information, including their health information,” Greene says.
Public health has been underfunded for years, but if state and federal governments want all this data, they must ensure the infrastructure is built to support it, Willitt says. “It’s not just making sure that the hardware is there, but you need staff who understand what data elements are needed, what data elements would be useful. [Laboratory staff] can make very nuanced decisions about what should be collected and how it should be collected—rather than relying on a centralized IT department that is several layers removed and has an abstract understanding of what’s needed, but not really understanding the public health necessity behind it.”