Amid the COVID-19 coronavirus pandemic, more patients and healthcare providers are switching to telehealth to reduce the spread of the virus.
In just the last month, the Department of Veterans Affairs (VA) reported a “dramatic jump” to virtual mental healthcare, the Federal Communications Commission (FCC) adopted a $200 million emergency telehealth program, and private sector organizations like Facebook, Apple, and Google have stepped up to aid the Federal efforts.
These quick adjustments, however, have jolted the health data privacy discourse.
The health IT community has a reputation for its data security, as Federal CIO Suzette Kent mentioned earlier this year. Just days before the first confirmed case of the coronavirus in the United States, she said in a keynote speech that Federal health agencies set an example on data privacy for the rest of the Federal government.
“In this community, the recognition of the value of individual data and the rules around protecting it are the highest … Protection of healthcare information has had some of the longest standing protocols, and also the most complex,” she said.
The rapid switch to telehealth, however, has led to temporary policy changes and renewed scrutiny over the security of health data as both the public and private sector try to maintain continuity of services during crisis.
The Department of Health and Human Services (HHS), for instance, softened its enforcement of Health Insurance Portability and Accountability Act (HIPAA) violations, perhaps the most famous health data privacy protections, to allow greater access to telehealth and reduce the spread of coronavirus. The HHS Office of Civil Rights (OCR) said it would use “enforcement discretion” when imposing penalties for HIPAA noncompliance to healthcare providers acting in good faith.
The agency encouraged providers to use services such as Apple Facetime and Skype to consult with patients virtually, but recommended that providers disclose potential third-party privacy risks to patients and turn on all available privacy features.
Apple, however, is simultaneously being scrutinized by senators as HHS recommends it to patients.
Earlier this month, four Democratic senators questioned Apple on the privacy of data collected by the company’s COVID-19 screening app. The app was supported by several Federal agencies – the Centers for Disease Control and Prevention, the White House Coronavirus Task Force, and HHS – but senators were wary of the tech company’s HIPAA compliance and data collection policies.
It’s not just Apple, either. Google, which faced scrutiny in November for its collaboration with Ascension to put personal health information on its cloud, is collaborating with Apple to release a Bluetooth-enabled system to track coronavirus contacts. The companies emphasized that “privacy, transparency, and consent are of utmost importance” in coronavirus tech efforts, but members of Congress are still working to codify data privacy protections as health tech innovation seemingly outpaces the speed of legislation.
The Protecting Personal Health Data Act, introduced in the Senate last June, aimed to protect consumer data collected by new personal tech. At-home DNA fits and fitness trackers, for example, provide personal health insights to private sector companies. The legislation aimed to curb that access, partially through a National Task Force on Health Data. The task force would help address cyber risks, create security standards for consumer health products, and study long-term de-identification methods.
But the bill hasn’t advanced since it was referred to committee. Further, a more wide-reaching piece of data privacy legislation introduced late last year, the Consumer Online Privacy Rights Act, also sits in limbo. Therefore, some members of Congress are taking this moment of health IT innovation to renew attention to national privacy legislation.
At a paper Senate Commerce, Science, and Transportation Committee hearing in early April, senators and witnesses discussed what pandemic response would have looked like if extensive data privacy legislation had passed. The responses were mixed.
“Big data can be an incredible tool to better understand the spread of the virus, and the impact on communities across the country,” Ryan Calo, law professor at the University of Washington offered. “However, the U.S. commercial entities that would collect this data have very few guardrails on the collection and distribution of this data,” he cautioned.
Inder Singh, founder and CEO of Kinsa, suggested that Congress could find a balance between personal information protection and information sharing for societal benefit, “I hope that after this pandemic has ended, more people have the realization that we can have both, and that we can create innovations that allow for both.”
Committee Chairman Roger Wicker, R-Miss., and Sen. Marsha Blackburn, R-Tenn., however, both called for legislative action. “We need to pass Federal privacy legislation to set a national standard that will allow companies to innovate while protecting consumers,” Sen. Blackburn urged.
The coronavirus pandemic may have spurred a critical decision point in the relationship between health data privacy and access to critical services but, as HHS CIO Jose Arrieta has repeatedly reiterated, access to health data and information sharing services can ultimately save lives. And saving lives can’t be put on pause to wait for data privacy decisions.