The Coronavirus Pandemic Challenges a Balance Between Public Health and Personal Privacy

A coronavirus pandemic is challenging privacy norms around the world and driving the conversation about the ethical use of data.  The legal and ethical questions over collection and disclosure of private medical information are being raised amid the governments’ unprecedented efforts to contain the spread of the virus.

In the United States, the Health Insurance Portability and Accountability Act (HIPAA) generally protects patient’s information from disclosure by the medical professionals without the patient’s consent.   However, HIPAA recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information that is necessary to carry out their public health mission.

Therefore, the HIPAA regulations permit entities covered by the law to disclose needed protected health information without individual authorization to a public health authority, such as the Centers for Disease Control and Prevention (CDC) or a state or local health department, that is authorized by law to collect or receive such information for the purpose of preventing or controlling the disease. This could include, among other things, conducting public health surveillance, investigations, or interventions.  Thus, a covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have the virus.

HIPAA also allows unconsented disclosure of patient’s information at the direction of a public health authority, to a foreign government agency that is acting in collaboration with the authority.  The covered entities might also be permitted to disclose such information to persons at risk of contracting or spreading a disease provided that state law authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations.

As the U.S. healthcare providers and public health officials are walking a fine line between protecting health privacy and making sure they and the public have the information they need, the examples of other countries battling the pandemic are instructive.

According a recent article published by the International Association of Privacy Professionals, reports from China reveal that some regions of the country now require real-name registration and facial recognition for over-the-counter medicine purchases and the use of public transport.   For example, in the province of Guangdong, residents are required to register with their real names when purchasing fever and cough medications so that officials can follow up with them, whereas commuters at the city of Shenzhen are asked to provide their full names before boarding a subway. Other citizens are required to provide their personal information via QR codes before boarding public transport or be denied a right to travel.

China telecommunications platforms are also tracking citizens’ geolocation, whereas one of the country’s leading cybersecurity companies has rolled out an app that allows users to check if they have traveled with someone who has contracted the virus.

In South Korea, one the epicenters of the epidemic, the government has implemented an alert system telling people if they have been in the vicinity of an infected patient.  Although this data is supposed to be anonymized, the reports suggest that it is still possible to identify the affected individuals.  Singapore and Hong Kong are also closely following infections in their respective countries and have released platforms sharing information about the infected individuals.

Russia, for its part, has also utilized facial recognition technology in response to the outbreak.   Moscow has been reported to use the technology to track Chinese natives to ensure that they do not leave their quarters during a coronavirus quarantine.

Under the European Union’s General Data Protection Regulation, data concerning individual’s health is considered to be a “special category personal data” requiring heightened protection.   One of the few permissible basis for processing health data is where “necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health . . . on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject . . . ”

Outside of Asia, Italy has been one of the hardest-hit by the coronavirus.  On February 3, 2020, the Italian Civil Protection Department adopted Civil Protection Ordinance No. 630 which gives civil protection personnel extensive powers to process personal data related to the coronavirus crisis.   At the same time, the Italian Data Protection Authority published the guidelines on coronavirus data collection, advising employers to refrain from collecting information on the presence of influenza signs in the employees or their close contacts.   Whereas the supervisory authority outlined certain obligations required of public and private employers, including an obligation to inform the authorities of any change in the health risk arising from the coronavirus, employers are instructed to refrain from independently collecting health data where such initiatives are not regulated by law or authorized by the government authorities.

As the coronavirus spreads to more countries and communities, the public and private sector response to the pandemic will continue to challenge a legal and ethical balance between personal privacy and public health interest.  The use of new technologies such as big data and artificial intelligence have a potential to bring public good in the face of a global health challenge.  At the same time, the widespread disclosure of private health information and the use of surveillance technologies predictably raise a concern of privacy advocates.  However, some governments prefer not to dwell on these issues at the time of crisis.  According to a representative from the South Korean Centers for Disease Control Prevention, the time to access whether it was effective and appropriate for the government to share so much information about each affected individual would be “after the spread of virus ends.”

Ask Clarip today how we can solve your biggest compliance pain points, Call Clarip at 1-888-252-5653