GPS tracking doesn’t need to stay away from COVID-19 due to privacy laws


Photo: Antonio Guillem/iStock/Getty Images Plus/Getty Images

Commentary by Jeremy Meisinger

Head: Jeremy Meisinger

Jeremy Meisinger

The scale and speed of the COVID-19 crisis has forced policymakers to seek new tools to address an unprecedented challenge. Everything from faster testing to new treatments to more supplies for frontline providers is needed, and deploying these resources intelligently requires an ability to track infections that is not yet available for a health issue. the magnitude of COVID-19.

The recent economic stimulus package passed by Congress – the Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”) – seeks to fund this kind of follow-up. Among its many priorities, the CARES Act allocates half a billion dollars to the Centers for Disease Control and Prevention (CDC) to modernize its public health data surveillance capabilities, and specifically directs the CDC to report to Congress on the development of a “public health monitoring and data collection system for the coronavirus within 30 days.

The legislation doesn’t give much additional guidance to the CDC, which means the CDC is likely to think hard and look for proven models in other highly developed public health systems.

Disease surveillance efforts around the world have taken a variety of approaches, in many cases informed by experience gained from fighting past pandemics. Public health systems in places like South Korea, Singapore and China have been built on lessons from the outbreak of severe acute respiratory syndrome (SARS) and similar conditions in recent years.

Location-based tracking using GPS provides better understanding and accuracy than, say, asking an infected patient to remember and retrace their steps.

Among many other elements, these systems frequently use GPS-enabled smartphone apps both to gather information and to target alerts to local populations. Location-based tracking using GPS provides better understanding and accuracy than, say, asking an infected patient to remember and retrace their steps.

While discussions of similar solutions have begun in the United States, privacy advocates have rightly pointed to the risks inherent in systems that necessarily collect and report health information and associate that information with location information provided. by GPS. But both legally and practically, it is not necessary to have an exclusive choice between the confidentiality of health information and the use of GPS and other technologies to collect and provide information about COVID-19.

Legally, HIPAA largely exempts disclosures of protected health information for public health activities, allowing disclosures to public health authorities without first obtaining patient consent. Similarly, HIPAA allows data to be anonymized – subject to recognized standards set forth in regulations and guidelines – and then shared and used for research purposes, including public health research and similar purposes.

Legal avenues certainly exist to enable extensive sharing of information about COVID-19 to help protect public health.

Additionally, federal HIPAA enforcement authorities have already indicated in their guidance that they will take a flexible approach to enforcement in order to meet the demands of the crisis. So, while it is true that HIPAA has not been applied directly to a public health emergency on the scale of COVID-19, legal avenues certainly exist to enable extensive sharing of information about COVID-19. 19 to help protect public health.

On a practical level, HIPAA also points the way to sensible decision-making that balances privacy interests with crisis needs. First, anonymization provides an important opportunity to share data in a way that protects privacy. Second, we should not assume that broad participation—both in information gathering and dissemination—must be unintentional to be widely adopted.

Smartphone users can – and should – be given a choice before enabling tracking features on their devices, just as they can and should be transparently told what data would and would not be shared. HIPAA sets a “minimum necessary” standard which should provide the guiding principle here: no information should be shared more than is necessary to achieve the intended purpose.

As we quickly search for tools that enable the kind of tracking that we have never undertaken before, we must be careful not to build a false dilemma between privacy and efficiency – the two go hand in hand. Strong and transparent privacy protections are both possible and necessary to ensure the public buy-in necessary for public health surveillance to work.

Jeremy Meisinger is a Boston-based attorney at Foley Hoag LLP.


Comments are closed.